Security Incidents mailing list archives

Re: Bind8 exploit and a deleted partition map


From: Eric Brandwine <ericb () UU NET>
Date: Wed, 14 Feb 2001 16:32:46 -0500

"vk" == Valdis Kletnieks <Valdis.Kletnieks () VT EDU> writes:

3) Delete any software (esp. daemon) if you don't plan to use them

OK, this is the reason for my reply. I think this may be unnecessarily
strong. The key is do not RUN any daemons you do not need. Just having
a file of non-setuid, executable code sitting on the hard drive is of
very little risk. Figuring out what can and can't be TURNED OFF without

vk> Famous last words.

vk> I don't know *how* many times I've had to re-do /etc/inetd.conf on SGI machines
vk> to re-install tcp_wrappers and re-disable things I'd turned off already because
vk> an SGI software update replaced it.

vk> /etc/rcX.d have similar problems.  You rename 'S10snmp' to 's10snmp' so it
vk> won't be started, and a patch comes along and drops a new S10snmp on your
vk> system.. POING! you get to re-disable it.

vk> Now if you had *REMOVED* snmp off your system entirely, you don't have to worry.

vk> I've got a RedHat 7.0 box on my desk.  I'm not worried about any future
vk> security issues with Kerberos.  Why? Because I knew we don't use it, and
vk> I just 'rpm -e' them.  No kerberos binaries on the system, no danger of them
vk> getting started.

SGI's patching scheme aside...  I've often needed files that were
deleted for just these reasons.  I tend to chmod 000 them, so they are
still on the disk, but cannot be run by accident.  Of course a patch
can come along and put a new binary in their place, with new perms,
but nothing's gonna stop that.  I always run TCT's mactime program
before and after patching, to see what the patch touched.

ericb
--
Eric Brandwine     |  Where I steal an idea, there I leave my knife.
UUNetwork Security |
ericb () uu net       |
+1 703 886 6038    |      - Michelangelo
Key fingerprint = 3A39 2C2F D5A0 FC7C  5F60 4118 A84A BD5D  59D7 4E3E
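The before/after check described at the end of the message, as an added example (not TCT's mactime and not code from either poster): snapshot the mode, size and SHA-256 of every file under a tree, apply the patch, snapshot again, and list what was added, removed or changed. It records permissions and content rather than MAC times, so a rc script that a patch drops back in, or a chmod-000 binary that a patch silently replaces with a 755 copy, both show up in the report. It assumes GNU coreutils (stat -c, sha256sum, mktemp -d); the miniature /etc tree and the "patch" in demo_run are constructed for illustration.

```shell
#!/bin/sh
# snapshot_tree DIR OUT: one line per regular file under DIR, sorted by path:
#   <mode> <size> <sha256> <path-relative-to-DIR>
# Unreadable files (e.g. chmod 000 when not root) get "unreadable" as hash.
snapshot_tree() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -exec sh -c '
        for f; do
            mode=$(stat -c %a "$f")
            size=$(stat -c %s "$f")
            if [ -r "$f" ]; then
                sum=$(sha256sum "$f" | cut -d" " -f1)
            else
                sum=unreadable
            fi
            printf "%s %s %s %s\n" "$mode" "$size" "$sum" "$f"
        done' sh {} + ) | sort -k4 > "$out"
}

# compare_snapshots BEFORE AFTER: print added / removed / changed paths.
# "changed" means mode, size or content differs from the baseline.
compare_snapshots() {
    before=$1; after=$2
    awk '
        NR == FNR { base[$NF] = $1 " " $2 " " $3; next }   # load baseline, keyed by path
        {
            p = $NF; cur = $1 " " $2 " " $3
            if (!(p in base)) {
                print "added   " p " (" cur ")"
            } else {
                if (base[p] != cur) print "changed " p " (" base[p] " -> " cur ")"
                delete base[p]
            }
        }
        END { for (p in base) print "removed " p " (" base[p] ")" }
    ' "$before" "$after" | sort
}

# demo_run: build a constructed miniature system tree, take the baseline,
# simulate a vendor patch that re-drops S10snmp into rc3.d and re-installs
# a parked (chmod 000) snmpd binary with mode 755, then print the report.
demo_run() {
    work=$(mktemp -d)
    root=$work/sys
    mkdir -p "$root/etc/rc3.d" "$root/usr/sbin"
    printf 'start snmpd\n' > "$root/etc/rc3.d/s10snmp"   # lower-case s: disabled
    printf 'echo snmpd\n'  > "$root/usr/sbin/snmpd"
    chmod 000 "$root/usr/sbin/snmpd"                     # parked so it cannot run by accident
    printf 'ok\n' > "$root/etc/hosts"                    # untouched control file

    snapshot_tree "$root" "$work/before"

    # constructed "patch": new S10snmp appears, snmpd comes back executable
    printf 'start snmpd\n' > "$root/etc/rc3.d/S10snmp"
    chmod 755 "$root/usr/sbin/snmpd"
    printf 'echo snmpd v2\n' > "$root/usr/sbin/snmpd"

    snapshot_tree "$root" "$work/after"
    compare_snapshots "$work/before" "$work/after"
    rm -rf "$work"
}

# Usage on a real box: snapshot_tree / /var/tmp/pre, patch, snapshot_tree / /var/tmp/post,
# then compare_snapshots /var/tmp/pre /var/tmp/post. Run ./script --demo for the example.
[ "${1:-}" = "--demo" ] && demo_run
```

Keep the baseline snapshot off the tree being checked (or on another host), since a patch that rewrites the snapshot file defeats the comparison; the report only tells you what changed between the two points you recorded.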
