Security Incidents mailing list archives

Re: More rootkit defense


From: Phil Stracchino <alaric () BABCOM COM>
Date: Tue, 27 Mar 2001 10:23:35 -0800

On Tue, Mar 27, 2001 at 01:09:51PM -0500, Jose Nazario wrote:
> On Mon, 26 Mar 2001, Phil Stracchino wrote:
>
> > It has come to my notice that the majority of skript-kiddies and
> > writers of rootkits are either unaware of the oft-forgotten wonders of
> > file attributes, or can't be bothered to provide for them in their
> > 'sploits.
>
> question:
>
> it seems awfully Linux and BSD centric, using chattr. i see that similar
> attributes are available under IRIX (man attrinit(1M), attr(1)), but what
> about Solaris, HPUX, AIX, and such? has anyone got any information on
> these? a simple uname output detection in your scripts would make it
> versatile.

If anyone cares to let me know what equivalent tools are available on
other platforms, I'd be happy to extend the tool.

> relying on the stupidity of the kiddies will get you an increasingly
> shorter distance every day. while i loathe them, and i think they're
> moronic, they're learning, and getting better every time.

True, but why not exploit their weaknesses while they're available?

(No, I don't think they're particularly flashing intellects either.  You
have a hammer and you want to impress me?  Don't find something to smash
with it, make something with it.)


--
 Linux Now!   ..........Because friends don't let friends use Microsoft.
 phil stracchino   --   the renaissance man   --   mystic zen biker geek
    Vr00m:  2000 Honda CBR929RR   --   Cage:  2000 Dodge Intrepid R/T
 Previous vr00mage:  1986 VF500F (sold), 1991 VFR750F3 (foully murdered)
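The portability point raised above (pick the right attribute tool from `uname`
output) as an added example. This is not Phil Stracchino's tool and not code
from the thread; it covers only the platforms whose immutable-flag tools are
standard and well known (chattr/lsattr from e2fsprogs on Linux, chflags with
`ls -lo`/`ls -lO` on the BSDs and macOS) and reports anything else, including
the Solaris/HP-UX/AIX cases the thread asks about, as unsupported rather than
guessing. The flag lines in the comments and the file-list handling are
assumptions for illustration.

```shell
#!/bin/sh
# Set the system-immutable flag on files using whatever tool the running
# kernel provides, then read the flags back to confirm the bit is really set.
# Added example; platform table is limited to tools known to behave this way.

# attr_cmd KERNEL -> command that sets the immutable flag, or "unsupported"
attr_cmd() {
    case "$1" in
        Linux)                                   echo "chattr +i" ;;
        FreeBSD|NetBSD|OpenBSD|DragonFly|Darwin) echo "chflags schg" ;;
        *)                                       echo "unsupported" ;;
    esac
}

# verify_cmd KERNEL -> command that displays a file's flags, or "unsupported"
# (FreeBSD/NetBSD/OpenBSD/DragonFly ls uses -o for flags; macOS ls uses -O)
verify_cmd() {
    case "$1" in
        Linux)                            echo "lsattr -d" ;;
        FreeBSD|NetBSD|OpenBSD|DragonFly) echo "ls -ldo" ;;
        Darwin)                           echo "ls -ldO" ;;
        *)                                echo "unsupported" ;;
    esac
}

# is_immutable KERNEL FLAGLINE -> exit 0 if the flag listing shows immutability.
# lsattr prints a flag field such as "----i---------e-------" before the name;
# ls -lo/-lO prints the literal word "schg" in the flags column.
is_immutable() {
    case "$1" in
        Linux) echo "$2" | awk '{print $1}' | grep -q 'i' ;;
        *)     echo "$2" | grep -q 'schg' ;;
    esac
}

# protect FILE... -> set and verify the immutable flag on each file.
# Returns 2 if the platform is unknown, 1 if any file failed, 0 otherwise.
protect() {
    kernel=$(uname -s)
    setcmd=$(attr_cmd "$kernel")
    showcmd=$(verify_cmd "$kernel")
    if [ "$setcmd" = unsupported ]; then
        echo "no known immutable-flag tool for $kernel" >&2
        return 2
    fi
    rc=0
    for f in "$@"; do
        # $setcmd/$showcmd are deliberately unquoted: they carry their own options
        if $setcmd "$f" && is_immutable "$kernel" "$($showcmd "$f")"; then
            echo "protected: $f"
        else
            echo "FAILED: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh protect.sh /path/to/file ...   (needs root: CAP_LINUX_IMMUTABLE on
# Linux, and on the BSDs schg is only meaningful once securelevel is raised)
if [ $# -gt 0 ]; then
    protect "$@"
fi
```

Reading the flags back matters more than setting them: `chattr` on a
filesystem that does not support the attribute, or `chflags` without the
needed privilege, may fail quietly, and the same `lsattr`/`ls -lo` listing
is what a periodic check would compare against a known-good baseline to
notice that a flag has been cleared.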