Bugtraq mailing list archives

Re: Anti Hijacking tools

From: avalon () coombs anu edu au (Darren Reed)
Date: Sun, 29 Jan 1995 06:16:11 +1100 (EDT)

------- =_aaaaaaaaaa0
Content-Type: text/x-pgp; charset="us-ascii"
Content-ID: <22906.791264012.1 () merde dis org>
Content-Description: Pgp signed cleartext

-----BEGIN PGP SIGNED MESSAGE-----


Here is a program that does some of what der Mouse's device
driver does but runs as program that edits /dev/kmem to disable
the device /dev/vd.

I did what can to bullet proof the code so that it does not stomp on
the wrong device driver.

Written and tested under 4.1.3u1

            -Pete
            shipley () dis org



AntiHijacking tool? It disables sun4's kernel ability to modload modules
on fly, thus also disables things like ppp, slip, et al. I won't call it
a solution.


There are other (obvious) problems too...the most obvious being get root,
alter /etc/rc* and either reboot or wait for it.  Unless they store a
TripWire DB on a storage device which is removable and can have read-write
toggled easily (ie floppy disk) and they use it daily, you're defeated even
with these tools.  And, I might add, there is little to be done to stop it,
it would seem.  If you've got a SunOS4.x machine, want to run Sun stuff,
and are desperately worried about its security, you'll gain a *lot* more by
putting NetBSD(current)-sparc on it.  You'll also save yourself a lot of
time trying out these other solutions.  The only thing NetBSD doesn't offer
is a way to defeat guessing the ISN, but the only safe way I would consider
changing this is to have it increase (at all stages) by a random amount at
regular intervals rather than once per packet at any stage.

darren

p.s. yes, a reboot is obvious, and even if you have security-mode full,
     you may not notice if they wait for you to reboot or they cause a
     panic through some kernel bug.  And by this time it is too late.

p.p.s unless upon rebooting you check *every* binary you execute for
      changes since the last (something like running TripWire *very*
      early in /etc/rc*) you may or may not know if anything has been
      changed before you go into multi-user mode.  This is getting
      towards the extreme paranoia end of the spectrum, however.  By
      making all directories and files involved with rebooting restricted
      to be changed by root (under NetBSD), you stand a chance of being
      immune to a trojan taking advantage of the boot procedure.

Depressed yet, about unix security ?

Current thread:

Re: Hijacking tool, (continued)
- - - Re: Hijacking tool Jim Duncan (Jan 24)
    - Re: Hijacking tool John Evans (Jan 24)
- Re: Hijacking tool jim () Tadpole COM (Jan 23)
  - Re: Hijacking tool Darren Reed (Jan 23)
  - CIAC Advisory F-08: IP Address Spoofing and Hijacked Session Attacks (fwd) Mark Crother (Jan 23)
- Re: Hijacking tool Patrick Horgan (Jan 23)
- Re: Hijacking tool der Mouse (Jan 24)
  - Anti Hijacking tools Pete Shipley (Jan 27)
    - Re: Anti Hijacking tools jsz (Jan 28)
    - Re: Anti Hijacking tools Karl Strickland (Jan 28)
    - Re: Anti Hijacking tools Darren Reed (Jan 28)
- Re: Hijacking tool Quentin Fennessy (Jan 24)
  - Re: Hijacking tool Timothy Newsham (Jan 25)
- Re: Hijacking tool Eric Conrad (Jan 24)
  - Re: Hijacking tool Harold van Aalderen (Jan 25)
  - Re: Hijacking tool Aleph One (Jan 25)
- Re: Hijacking tool Quentin Fennessy (Jan 25)
  - Re: Hijacking tool Jonathan M. Bresler (Jan 26)