Firewall Wizards mailing list archives
RE: Boobytraps
From: "Smith, John" <john.smith () minolta-qms com>
Date: Mon, 28 Aug 2000 13:32:06 -0500
Hello Everyone,

Seeing the responses to the original post reminds me of a question I had a couple of years ago. I wondered what would be the advantages and disadvantages of installing a 'partial' rootkit on a system. Basically don't open any holes but use some of the cracker tools to your benefit.

This does imply at least a couple of things:
1) You absolutely know what you're doing!
2) You have examined the rootkit and know there aren't any nasty surprises.

The biggest disadvantages I came up with:
1) From a corporate standpoint the box may become harder to support in terms of the number of people that can support it. Depends on the organization.
2) From a practical standpoint more code is being added to the system, therefore adding more potential bugs and making the system more complex instead of simpler.

Given my level of knowledge compared to the level on the list I probably am missing some major items. But it's a learning process. :)

Have a good one.

John Smith
Sys Admin

-----Original Message-----
Message: 1
From: "Stefan Wagner" <s.wagner () alldas de>
To: <firewall-wizards () fraggle nfr net>
Subject: Re: [fw-wiz] Boobytraps
Date: Sat, 26 Aug 2000 18:09:17 +0200

Hi,

1. trojan gcc so that it sends an email every time it compiles something with the name of the user and name of the source compiling (if gcc is heavily used on your system this could get annoying).
2. trojan bash to email you when the words wtmp, secure, lastlog, .bash_history, /dev/kmem, etc.. show up on a command line
3. trojan mkdir to report the making of any dir with a leading .

I would add a check for the presence of a new Root-Account in the passwd and check for the presence of a /.bash_history; sometimes they leave such stuff. And since the question was Solaris related: check for /tmp/bob since that thing will not die in the near future.

Regards,
Stefan
http://www.alldas.de
_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
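
The checks suggested in the quoted message (an unexpected UID 0 entry in passwd, a /.bash_history, and /tmp/bob), written as a POSIX shell script. This is an added example, not part of the original messages; the function names, the allowlist argument, the alternate-root argument and the sample passwd lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: periodic checks for the leftovers named in the message above.
# Function names and their arguments are assumptions, not from the thread.

# Print every account whose UID field is 0 and whose name is not in the
# space-separated allowlist given as $2 (default: "root").
extra_uid0_accounts() {
    awk -F: -v allowed="${2:-root}" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^#/ || NF < 3 { next }                 # skip comments and malformed lines
        $3 ~ /^0+$/ && !($1 in ok) { print $1 } # "00" is still UID 0
    ' "$1"
}

# Print each leftover path that exists under root prefix $1 ("" = live system).
leftover_artifacts() {
    for p in /.bash_history /tmp/bob; do
        if [ -e "$1$p" ] || [ -L "$1$p" ]; then printf '%s\n' "$p"; fi
    done
}

# Run both checks: $1 = passwd file, $2 = root prefix. Returns 1 on any finding.
audit() {
    found=0
    for acct in $(extra_uid0_accounts "$1"); do
        echo "ALERT: unexpected UID 0 account: $acct"; found=1
    done
    for p in $(leftover_artifacts "$2"); do
        echo "ALERT: found $p"; found=1
    done
    return "$found"
}

# Demonstration on a constructed tree (sample data, not from a real host).
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/tmp"
    printf '%s\n' 'root:x:0:0:Super-User:/:/sbin/sh' \
        'daemon:x:1:1::/:' 'toor:x:0:0::/:/bin/sh' > "$d/passwd"
    : > "$d/tmp/bob"
    rc=0
    audit "$d/passwd" "$d" || rc=$?
    rm -rf "$d"
    return "$rc"
}
# Live use: audit /etc/passwd ""
```

Run from cron and mail any output; a second allowlist entry covers sites that keep a deliberate extra UID 0 account.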