Firewall Wizards mailing list archives

RE: Boobytraps


From: "Smith, John" <john.smith () minolta-qms com>
Date: Mon, 28 Aug 2000 13:32:06 -0500

Hello Everyone,

        Seeing the responses to the original post reminds me of a question I
had a couple of years ago.  I wondered what would be the advantages and
disadvantages of installing a 'partial' rootkit on a system.  Basically
don't open any holes but use some of the cracker tools to your benefit.

        This does imply at least a couple of things:

        1) You absolutely know what you're doing!
        2) You have examined the rootkit and know there aren't any nasty
surprises.

        The biggest disadvantages I came up with:

        1) From a corporate standpoint the box may become harder to support
in terms of the number of people that can support it.  Depends on the
organization.
        2) From a practical standpoint more code is being added to the
system, therefore adding more potential bugs and making the system more
complex instead of simpler.

        Given my level of knowledge compared to the level on the list I
probably am missing some major items.  But it's a learning process.  :)

        Have a good one.

John Smith
Sys Admin

-----Original Message-----
Message: 1
From: "Stefan Wagner" <s.wagner () alldas de>
To: <firewall-wizards () fraggle nfr net>
Subject: Re: [fw-wiz] Boobytraps
Date: Sat, 26 Aug 2000 18:09:17 +0200

Hi,

1. trojan gcc so that it sends an email every time it compiles something 
with the name of the user and name of the source compiling (if gcc is 
heavily used on your system this could get annoying).

2. trojan bash to email you when the words wtmp, secure, lastlog, 
.bash_history, /dev/kmem, etc.. show up on a command line

3. trojan mkdir to report the making of any dir with a leading .

I would add a check for the presence of a new Root-Account in the
passwd and check for the presence of a /.bash_history; sometimes they
leave such stuff.

And since the question was Solaris related: check for /tmp/bob
since that thing will not die in the near future.

Regards,
   Stefan
http://www.alldas.de

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
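The checks Stefan lists above, written out as a POSIX shell script. This is an added example, not code from either poster: a mkdir wrapper that reports creation of any directory whose name starts with a dot before handing off to the real mkdir (the gcc wrapper would follow the same pattern; the bash keyword trap needs a patched shell and is not shown), plus an audit that flags uid-0 accounts other than root in a passwd-format file and the leftover files /.bash_history and /tmp/bob under a filesystem root. The fixture built by build_fixture is constructed sample data, the alert function, the ALERT_LOG path and the REAL_MKDIR variable are assumptions, and the alert goes to a log file where a real deployment would call mail(1).

```shell
#!/bin/sh
# Added example, not from the original posts. Assumed names: alert,
# ALERT_LOG, REAL_MKDIR, build_fixture (constructed fixture data).

ALERT_LOG="${ALERT_LOG:-/tmp/boobytrap.log}"
REAL_MKDIR="${REAL_MKDIR:-/bin/mkdir}"

# Record an event. In production this would pipe to mail(1) instead.
alert() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >> "$ALERT_LOG"
}

# Check 1: accounts in a passwd-format file with uid 0 that are not "root".
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Check 2: files intruders tend to leave behind, looked up under a
# filesystem root (pass "" for the live system).
leftover_files() {
    fsroot="$1"
    for f in "$fsroot/.bash_history" "$fsroot/tmp/bob"; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0   # a missing file is not an error for the caller
}

# Check 3: mkdir replacement. Report any argument whose final path
# component starts with a dot, then run the real mkdir unchanged.
wrapped_mkdir() {
    for arg; do
        name="${arg%/}"          # drop one trailing slash, if any
        name="${name##*/}"       # keep only the last path component
        case "$name" in
            .?*) alert "mkdir of hidden dir '$arg' by ${LOGNAME:-$(id -un)} in $(pwd)" ;;
        esac
    done
    "$REAL_MKDIR" "$@"
}

# Run checks 1 and 2 against a root directory and log every hit.
audit() {
    fsroot="$1"
    extra_root_accounts "$fsroot/passwd" | while read -r u; do
        alert "extra uid-0 account: $u"
    done
    leftover_files "$fsroot" | while read -r f; do
        alert "leftover file: $f"
    done
}

# Constructed fixture for trying the script offline: a passwd with one
# extra uid-0 account ("toor") and both leftover files under "$1".
build_fixture() {
    "$REAL_MKDIR" -p "$1/tmp"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$1/passwd"
    printf 'toor:x:0:0::/:/bin/sh\n' >> "$1/passwd"
    printf 'john:x:1000:1000::/home/john:/bin/sh\n' >> "$1/passwd"
    : > "$1/.bash_history"
    : > "$1/tmp/bob"
}
```

To use it on a live box you would install wrapped_mkdir as /bin/mkdir (after moving the original to the REAL_MKDIR path), run audit / from cron, and point alert at mail(1). Note that the wrapper matches `.?*`, not `.*`, so the literal directory names `.` and `..` do not trigger it.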

