Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

checkps 1.3-pre1 released (root kit detector)

From: Duncan Simpson <dps () IO STARGATE CO UK>
Date: Mon, 16 Oct 2000 18:06:24 +0100
-----BEGIN PGP SIGNED MESSAGE-----


checkps-1.3-pre1 has been released on soruceofrge and http:checkps.alcom.co.uk
(were the home page lives). Everyone is encouraged to upgrade.

The program detects falsified ps output on anything with /proc, with lots of
detial of the hidden processes on linux. Given some work this will happen for
other systems too. Both one shot mode and regular scans in the backgroud,
under a false process name to stop cracker noticing, are supported.

BUGS FIXED since 1.2:
- - non-exploitable heap overflow, annnounced a long time ahgo.
- - format string bug fixed, albeit a veyr hard to exploit one.
- - much more complete checking of retun values from system calls.

NEW FEATURES since 1.2:
- - Notifcation of suspoect changes in the system time
- - Notoification when inode/dev of binaries chnages.
- - 95% of linux netstat scanner, ~70% of one for other systems (currently
inactive).
- - warning if you set the SMTP mahcine to the local host
- - email confiormation that the daemon has started
- - if you fail to edit cfg_smtp.h then the compilation bonbs out.
- - md5 sums included in the distributon packages.

BUGS UNFIXED:
- - still theoretically possible to replace binary just before the code calls
execv(2). Anyone know how to avoid this problem?
- - The README has invented checkps 1.4beta1, which seems to be newer than
1.3-pre1. Evn if it did exist 1.3-pre1 is the latest relase.

The keys to verify the PGP signatures of the tarfile are avialable by return
of email to pgp () duncan telstar net or the usual key servers. CVS versions are
avialable from sourceforge.






- --
Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBOes1kM4kG9UPwSZpAQERswQA2rySOfr/Marwpmj2+BJbowVNGf4dAqh6
oLc/ZS+ut8Kpp0Pj4bJjINLMe5BFLaOe/nrGpZeKhEpsb5q4KtjByEwGwMwCeRe4
WKZFQmZIC98Vy8xX3YUhMichkv0OEwUg5yCzTDEhqGjPr3IaSFDIs8GsZXbiO9+Y
nBKOTQFSuWQ=
=cOq7
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: