Vulnerability Development mailing list archives
Re: Positive uses for rootkits
From: Nicolas Gregoire <nicolas.gregoire () 7THZONE COM>
Date: Fri, 23 Mar 2001 10:23:50 +0100
Daniel McCranie wrote:

> I was wondering that since intruders can modify system commands to not display certain things, couldn't admins modify the commands like cp, mv, rm... so that they would not be able to replace any of the included commands?

The admin can keep an MD5 checksum of the original (trusted) binaries on a write-protected floppy and compare them to the MD5 checksum of the binaries actually on the disk (à la Tripwire). But some rootkits are at the kernel level and can fool Tripwire ...

> I have just enough UNIX knowledge to be dangerous to myself so be gentle :)
> Questions:
> 1. Are most rootkits simply shell scripts or real programs?

There are shell scripts (i.e. the trojan ps could be a shell doing "/bin/original_ps | grep -v sniffer") and real programs (with configuration files, etc.) like lrk or tornkit.

> 2. Would there be any way to stop programs from overwriting those files with programming calls? (Maybe making them read-only and modifying chmod...)

Use chattr and lsattr, or the Openwall kernel patch, or the Immunix SubDomain tool.

Nicob
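The checksum-baseline approach described in the reply, as an added shell example that is not from the original post, from Tripwire or from any other tool named there: it records md5sum digests of a list of trusted files into a baseline and later reports every file that is missing or whose digest no longer matches. The function names (`make_baseline`, `verify_baseline`, `protect_immutable`) and the files created by the demo are assumptions for illustration; `protect_immutable` only wraps the `chattr +i` / `lsattr` step the reply mentions, needs root on an ext2/3/4 filesystem, and is not run by the demo.

```shell
#!/bin/sh
# Added example, not from the original post: Tripwire-style checksum baseline.
# Assumes POSIX sh plus md5sum and awk (coreutils/awk). Function names and
# sample files are constructed for illustration.

# Record one "digest  path" line per file named on stdin into the baseline
# file given as $1. The baseline belongs on read-only media (the reply's
# write-protected floppy), otherwise an intruder can simply rewrite it.
make_baseline() {
    baseline="$1"
    : > "$baseline"
    while IFS= read -r f; do
        md5sum "$f" >> "$baseline"
    done
}

# Compare the live files against the baseline in $1.
# Prints a MISSING/MODIFIED line per discrepancy; returns 0 when every
# digest matches and 1 otherwise.
verify_baseline() {
    baseline="$1"
    status=0
    while read -r expected f; do
        if [ ! -f "$f" ]; then
            echo "MISSING:  $f"
            status=1
            continue
        fi
        live=$(md5sum "$f" | awk '{print $1}')
        if [ "$live" != "$expected" ]; then
            echo "MODIFIED: $f"
            status=1
        fi
    done < "$baseline"
    return "$status"
}

# Set the ext2/3/4 immutable bit on each file given as an argument and show
# the resulting attributes (needs root). Not invoked by the demo below.
protect_immutable() {
    for f in "$@"; do
        chattr +i "$f" && lsattr "$f"
    done
}

# Demo on constructed files in a temp directory (stand-ins for /bin/ps etc.).
demo() {
    tmp=$(mktemp -d)
    printf 'original ps\n' > "$tmp/ps"
    printf 'original ls\n' > "$tmp/ls"
    printf '%s\n' "$tmp/ps" "$tmp/ls" | make_baseline "$tmp/baseline.md5"

    verify_baseline "$tmp/baseline.md5" && echo "clean: all digests match"

    # Simulate a replaced binary and re-check.
    printf 'modified ps\n' > "$tmp/ps"
    verify_baseline "$tmp/baseline.md5" || echo "tampering detected"
    rm -rf "$tmp"
}
demo
```

Two caveats follow directly from the reply: the md5sum binary and the shell running the check must themselves be trusted, and a kernel-level rootkit can feed userland a clean view of a modified file, so the comparison is only conclusive when run from a separately booted, trusted medium.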
Current thread:
- Positive uses for rootkits Daniel McCranie (Mar 22)
- Re: Positive uses for rootkits Nicolas Gregoire (Mar 23)
- Re: Positive uses for rootkits Chih hung Feng (Mar 23)
- Re: Positive uses for rootkits Berend De Schouwer (Mar 23)
- Re: Positive uses for rootkits Gregor Binder (Mar 23)
- Re: Positive uses for rootkits Cedric Blancher (Mar 23)
- Re: Positive uses for rootkits Jason Nicholls (Mar 23)
- Re: Positive uses for rootkits Jonathan James (Mar 25)
- Re: Positive uses for rootkits Dick Visser (Mar 25)
- Re: Positive uses for rootkits Ron DuFresne (Mar 25)
- Re: Positive uses for rootkits Daniel R. Warner (Mar 25)
- Re: Positive uses for rootkits -> off-topic: booting tricks. Alex Schütz (Mar 27)
- Re: Positive uses for rootkits Dick Visser (Mar 25)