Re: Making ps secure

From: David Blomberg (dblomber@libertec.com)
Date: 11/19/02

    From: David Blomberg <dblomber@libertec.com>
    To: security-discuss@linuxsecurity.com
    Date: 19 Nov 2002 15:46:06 +0900
    
    

    A rootkit is something that script kiddies or crackers deposit on a
    machine after compromising it. It is easier to think of them as altered
    versions of the rm, ps and other utils. However, to accomplish this
    requires some C programming skills--just download the source code and
    reprogram in checks to the GNU tools to make them behave as you want,
    then recompile the tools. (Rootkits are a bad thing, but they use the
    same idea: when you run ps -auxf they hide the apps that the cracker
    deposited on your system so it looks like nothing is wrong.)

    Dave Blomberg
    Nihon libertec

    On Tue, 2002-11-19 at 15:36, Steven Adams wrote:
    > I don't understand..
    >
    > If I just make it an alias people could just change the alias..
    >
    > What's this rootkits thing?
    >
    > /Steve
    > ----- Original Message -----
    > From: "David Blomberg" <dblomber@libertec.com>
    > To: <security-discuss@linuxsecurity.com>
    > Sent: Tuesday, November 19, 2002 5:32 PM
    > Subject: Re: Making ps secure
    >
    >
    > > Same thing makers of rootkits do: change the way the apps operate (just
    > > program in some sanity check prior to execution); alternatively make
    > > aliases to the commands so that ps -auxf behaves like ps
    > >
    > > On Tue, 2002-11-19 at 15:17, Steven Adams wrote:
    > > > Hi,
    > > > I am running Slackware Linux and I notice that on FreeBSD and some other
    > > > distros when you type ps auxf it only outputs the processes you're running
    > > > and not anyone else..
    > > >
    > > > I was wondering how they made it do this..
    > > >
    > > > I've also noticed that in a user's home dir .bash_history is owned by the
    > > > user.. But if the user tries to remove it or chmod it to a different
    > > > setting it says operation not permitted.
    > > >
    > > > I've also seen this before
    > > > when someone tries a normal ping.
    > > >
    > > > ping: socket: Operation not permitted
    > > >
    > > > How are these things done and is there a site that tells you in detail
    > > > how to make your system secure
    > > >
    > > > /Steve
    > > >
    > > --
    > > David Blomberg <dblomber@libertec.com>
    > > Nihon Libertec
    > >
    >

    -- 
    David Blomberg <dblomber@libertec.com>
    Nihon Libertec
    ------------------------------------------------------------------------
    To unsubscribe email security-discuss-request@linuxsecurity.com
    with "unsubscribe" in the subject of the message.
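The thread's point is that a trojaned ps filters its own output, which is exactly why a defender should not trust ps alone. The script below is an added example (not code from this thread or from any of its authors): it snapshots the numeric directories the kernel exposes under /proc, runs the real `ps -e -o pid=`, and reports PIDs the kernel knows about but ps did not print. A userland ps replacement cannot change what /proc publishes, so such a gap is a signal worth investigating. Process names and the `/proc` path are the only assumptions; the sample ps output used in comments is constructed.

```python
#!/usr/bin/env python3
"""Cross-check the kernel's process list (/proc) against ps output.

Added illustrative check, not part of the original mailing-list thread.
It catches the userland trick described in the thread (a rebuilt ps that
omits chosen processes). A kernel-level rootkit that also filters /proc
would NOT be caught by this comparison; that needs a different approach.
"""
import os
import re
import subprocess

# A PID directory under /proc is a purely numeric name such as "1" or "4711".
PID_DIR = re.compile(r"^\d+$")


def pids_from_proc(proc_root="/proc"):
    """Return the set of PIDs the kernel currently exposes under proc_root."""
    return {int(name) for name in os.listdir(proc_root) if PID_DIR.match(name)}


def parse_ps_pids(ps_output):
    """Parse `ps -e -o pid=` output (one PID per line, possibly padded).

    Constructed sample input: "    1\n  345\n" -> {1, 345}
    Non-numeric lines (stray warnings) are ignored rather than raising.
    """
    pids = set()
    for line in ps_output.splitlines():
        line = line.strip()
        if line.isdigit():
            pids.add(int(line))
    return pids


def pids_from_ps():
    """Run the installed ps and return the PIDs it is willing to show us."""
    out = subprocess.run(
        ["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True
    ).stdout
    return parse_ps_pids(out)


def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but absent from ps output, sorted ascending.

    Pure set arithmetic so it can be tested with constructed inputs.
    """
    return sorted(proc_pids - ps_pids)


def check(proc_root="/proc"):
    """Take the /proc snapshot first, then ask ps, then re-confirm.

    Ordering matters: a process that starts after the /proc snapshot shows
    up only in ps and is harmless. A process that exits between the two
    snapshots would be a false positive, so each candidate is re-checked
    against /proc after ps has finished; one that has since vanished is
    dropped. PID reuse in that tiny window is possible but unlikely.
    """
    proc_pids = pids_from_proc(proc_root)
    ps_pids = pids_from_ps()
    candidates = hidden_pids(proc_pids, ps_pids)
    return [pid for pid in candidates
            if os.path.isdir(os.path.join(proc_root, str(pid)))]


if __name__ == "__main__":
    suspicious = check()
    if suspicious:
        print("PIDs visible in /proc but not reported by ps:")
        for pid in suspicious:
            try:
                with open(f"/proc/{pid}/comm") as fh:
                    name = fh.read().strip()
            except OSError:
                name = "?"
            print(f"  {pid}\t{name}")
    else:
        print("ps output agrees with /proc")
```

Run it as root so that /proc entries of other users are readable on systems that restrict them; a non-zero result should be confirmed with a second run and with a known-good ps binary before drawing conclusions.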