Home page logo

bugtraq logo Bugtraq mailing list archives

check-ps 1.2 alpha 4 released
From: dps () IO STARGATE CO UK (Duncan Simpson)
Date: Sat, 27 Jun 1998 02:53:58 +0200

Hash: SHA1

I have just uploaded check-ps version 1.2 alpha 4 to the pub/word2x directory
on mars.astra.co.uk. I have also supplied a signature for pgp 2.x and pgp 5
users. You can obtain the keys from the file in the same directory or by
sending email to pgp () duncan telstar net (an automatic response robot, subject
and message contents junked). The licence is GPL.

The major features over 1.2alpha are
  + bug fixes (all known bugs are fairly minor)
  + configure fixes
  + kill scanning is now supported on linux.

For those who do not know about check-ps it is a security a;arm that pretends
to be httpd, possibly with a fake argument list (the name and argument list
are configurable by minor source changes). It can be configured to kill or
stop programs that are detected. If it understands the /proc format, which
currently means you have things not sent to me or are using linux, then it
will tell you all the information it can find. This understanding also enables
it to wipe out the attackers connection most of the time, assuming you tell it
to send signals.

The kill scanning can easily be "ported" to other platforms by supplying a
file called <system name>_killscan.h which #defines MAX_PROC to the largest
possible process id+1. Once this file is writen the configure script will
automatically sense its presence and turn on the kill scanning code. (If you
do write such a header please email it to me).

kill scanning tries all possible pids and uses the feature of most systems
that does error checks, and thus allow the chekcing of pids, without sending
any signal. This scanning is a lot will get people that hack the kernel code
that generates /proc entries to leave their evil processes out. Kudos for the
idea are due to Solar Designer.

Once enbaled you can select killing scanning by feeding check_ps -p or
- --killscan on the argument list. Please be aware that kill scanning, and
check-ps in general, is still experimental.

Assuming you want to receive reports via email when using the email option
please change cfg_email.h; at present the reports get sent to
dps () io stargate co uk, which is probably not what you want. If anyone is
caught I would appreciate a quick note though.

Mirroring by others, including CERT, CIAC, etc is permitted.

- --
Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."

Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]