Security Incidents mailing list archives

Re: Cracked; rootkit - entrapment question?


From: cdp () PEAKPEAK COM (Chuck Phillips)
Date: Fri, 3 Mar 2000 08:17:21 -0700


Jason Spence writes:
> Drew Smith wrote:
> > can someone PLEASE explain to me why perl does a system(csh) in
> > places???).

File glob expansions.  If you write something like...

        system("ls *.txt");

...it gets passed to csh to expand the glob.  Csh is used instead of sh
because (traditional) sh won't expand more elaborate globs like
"foo.{txt,exe,mouse}".  There has been periodic talk of adapting the zsh
glob expansion code directly into Perl, but I have no idea of the current
status.  Could be fixed by now for all I know.

As far as a honeypot goes, the cracker can exec csh or even upload their
own statically linked shell and run that.  If you want to fool anyone
beyond "scr1pt k1dd13" status, you'll have to change the way system calls
are handled.

        Just MHO,
                Chuck
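
An added example, not part of the original post: a Perl script showing when `system()` starts a shell to expand a glob and how to get the same expansion without one, which matters when watching a host for unexpected shell processes. It assumes a Unix-like system with `ls` on the PATH; the scratch directory and file names are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Glob qw(bsd_glob GLOB_BRACE);
use File::Temp qw(tempdir);

$| = 1;    # flush our prints before each child process writes its output

# Constructed sample data: a scratch directory with a few empty files.
my $dir = tempdir(CLEANUP => 1);
for my $name (qw(foo.txt foo.exe foo.mouse notes.txt)) {
    open(my $fh, '>', "$dir/$name") or die "create $name: $!";
    close($fh);
}
chdir($dir) or die "chdir $dir: $!";

# 1. One string containing a shell metacharacter: perl hands the whole
#    string to a shell, so a shell process shows up in process accounting
#    and audit logs, and the shell expands the glob.
print "-- one-string system(): a shell expands *.txt\n";
system("ls *.txt") == 0 or warn "ls exited with status $?\n";

# 2. List form: perl execs ls directly with no shell in between, so
#    "*.txt" reaches ls as a literal file name and ls reports an error.
print "-- list-form system(): no shell, *.txt is taken literally\n";
system("ls", "*.txt");

# 3. Expand the pattern inside the perl process, then exec ls without a
#    shell. GLOB_BRACE enables the {a,b,c} syntax mentioned in the post.
my @files = sort(bsd_glob("foo.{txt,exe,mouse}", GLOB_BRACE));
print "-- bsd_glob() + list-form system(): no shell involved\n";
system("ls", "--", @files) == 0 or warn "ls exited with status $?\n";

chdir("/") or die "chdir /: $!";    # leave the scratch dir so cleanup succeeds
```

Running the script under `strace -f -e trace=execve` (Linux) shows which of the three calls exec a shell before `ls`.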

