Vulnerability Development
mailing list archives
Re: Positive uses for rootkits
From: Berend De Schouwer <bds () jhb ucs co za>
Date: Fri, 23 Mar 2001 08:56:07 +0200
On Wed, 21 Mar 2001 20:58:31 Daniel McCranie wrote:
| Hi,
|
| I was wondering that since intruders can modify system commands to
| not display certain things, couldn't admins modify the commands
| like cp, mv, rm... so that they would not be able to replace any
| of the included commands? These could be made in such a way only to
| work unlimited in single user mode or have the disk mounted to
| another system when there is a legitimate need to change one.
This doesn't help compiling C programs to call the libc functions,
or calling the kernel functions directly. Even simpler: if you
replace 'cp', I can still copy files using: "cat fileA > fileB".
There are a lot of ways to copy files.
| I have just enough UNIX knowledge to be dangerous to myself so be
| gentle :)
|
| Questions:
|
| 1. Are most rootkits simply shell scripts or real programs?
Both.
| 2. Would there be any way to stop programs from overwriting those
| files with programming calls? (Maybe making them read-only and
| modifying chmod...)
No. If you are root, you can change permissions back. To stump
some people you can try:
- Mounting /usr read-only
- 'chattr' (file system dependent)
To actually prevent even root from changing files, on Linux,
try LIDS (www.lids.org). You can prevent root from, for example,
modifying /bin/login.
| 3,4,5: I know that this probably wouldn't be good in a standard
| distro but what about a hardening kit? Has this been tried before?
| Is there something blatantly wrong?
There are such kits to some degree. For RedHat Linux, look for Bastille.
| Dan
|
Kind regards,
Berend
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berend De Schouwer, +27-11-712-1435, UCS
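A small audit script for the two hardening measures named in the reply above (the 'chattr' immutable flag and a read-only /usr), added here as an example and not part of the original mail. It assumes the lsattr(1) flag-column layout and the /proc/mounts line format on Linux; the sample lines are constructed.

```shell
#!/bin/sh
# Added audit helper, not from the original thread. Assumes the lsattr(1)
# output layout ("<flags> <path>", lowercase 'i' = immutable) and the
# /proc/mounts line format. Paths containing spaces are not handled.

# Constructed stand-in for: lsattr -d /bin/login /bin/cp /bin/ls
SAMPLE_LSATTR='----i---------e------- /bin/login
--------------e------- /bin/cp
----i---------e------- /bin/ls'

# Constructed stand-in for: cat /proc/mounts
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
proc /proc proc rw,nosuid,nodev 0 0'

# Print each path from lsattr-style lines that lacks the immutable flag.
# Root can still clear the flag with "chattr -i", so this is a check of
# the expected state, not a barrier; a cleared flag is the thing to notice.
list_mutable() {
    while read -r _flags _path; do
        case "$_flags" in
            *i*) ;;                       # immutable: nothing to report
            *)   printf '%s\n' "$_path" ;;
        esac
    done <<EOF
$1
EOF
}

# Return 0 if mount point $2 appears in /proc/mounts-style text $1 with
# the "ro" option, 1 if it is mounted rw or not mounted at all. A remount
# to rw shows up as a change from the expected state.
mount_is_ro() {
    _status=1
    while read -r _dev _mnt _fstype _opts _rest; do
        if [ "$_mnt" = "$2" ]; then
            case ",$_opts," in *,ro,*) _status=0 ;; esac
        fi
    done <<EOF
$1
EOF
    return $_status
}

# Live use on a Linux host (not run here):
#   list_mutable "$(lsattr -d /bin/login /bin/cp /bin/ls)"
#   mount_is_ro "$(cat /proc/mounts)" /usr && echo "/usr is read-only"
```

Run periodically from a cron job or a host-integrity check and compare against the expected list; on the constructed sample only /bin/cp is reported as mutable and /usr is reported read-only.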