Vulnerability Development mailing list archives

Re: Positive uses for rootkits


From: Nicolas Gregoire <nicolas.gregoire () 7THZONE COM>
Date: Fri, 23 Mar 2001 10:23:50 +0100

Daniel McCranie wrote:

I was wondering that since intruders can modify system commands to
not display certain things, couldn't admins modify the commands
like cp, mv, rm...  so that they would not be able to replace any
of the included commands?

The admin can keep an MD5 checksum of the original (trusted) binaries on
a write-protected floppy and compare them to the MD5 checksum of the
binaries actually on the disk (à la Tripwire).

But some rootkits are at the kernel level and can fool Tripwire...

I have just enough UNIX knowledge to be dangerous to myself so be
gentle :)

Questions:

1. Are most rootkits simply shell scripts or real programs?

There are shell scripts (i.e. the trojaned ps could be a shell script doing
"/bin/original_ps |grep -v sniffer") and real programs (with
configuration files, etc.) like lrk or tornkit.

2. Would there be any way to stop programs from overwriting those
files with programming calls?  (Maybe making them read-only and
modifying chmod...)

Use chattr and lsattr or the Openwall kernel patch or the Immunix
SubDomain tool.


Nicob
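A minimal version of the checksum-baseline idea from the reply above, as an added example (not code from the post, nor Tripwire's): it records a hash for every file under a directory and later reports files that are missing or modified. It assumes GNU `sha256sum` (swapped in for the MD5 the post mentions, since MD5 is collision-prone) and treats the baseline as an ordinary file; in practice that file belongs on read-only media, and, per the thread's caveat, a kernel-level rootkit can hide changed file contents from the hashing tool itself, so the check should run from a trusted boot medium.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal Tripwire-style check.
# The baseline file should live on read-only media (write-protected floppy or
# read-only mount); here it is just a path so the demo runs anywhere.
# sha256sum is used instead of MD5 (MD5 is collision-prone); the idea is the same.
# Caveat from the thread: a kernel-level rootkit can lie to the hashing tool
# about file contents, so run this from a trusted boot medium.

# make_baseline DIR OUT : record "<hash>  <path>" for every regular file under DIR
make_baseline() {
    find "$1" -type f | sort | while IFS= read -r f; do
        sha256sum "$f"
    done > "$2"
}

# verify_baseline BASELINE : print MISSING/MODIFIED entries; return 1 if any
verify_baseline() {
    rc=0
    while IFS= read -r line; do
        expected=${line%% *}        # hash field
        path=${line#*  }            # path after the two-space separator
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || { echo "MODIFIED $path"; rc=1; }
    done < "$1"
    return $rc
}

# demo: a constructed fake /bin with two "binaries", then a trojaned ps
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"
    printf 'original ps binary\n' > "$tmp/bin/ps"
    printf 'original ls binary\n' > "$tmp/bin/ls"
    make_baseline "$tmp/bin" "$tmp/baseline.txt"
    verify_baseline "$tmp/baseline.txt" && echo "clean: all files match"
    # simulate the shell-script trojan described in the thread
    printf '/bin/original_ps | grep -v sniffer\n' > "$tmp/bin/ps"
    verify_baseline "$tmp/baseline.txt" || echo "ALERT: integrity check failed"
    rm -rf "$tmp"
}
demo
```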

