Re: Making ps secure
From: David Blomberg (dblomber@libertec.com)
Date: 11/19/02
- Previous message: Paulo Andre: "RE: Making ps secure"
- In reply to: Steven Adams: "Re: Making ps secure"
- Next in thread: S. Khademi: "vlan and setting of an ip address with mac address"
From: David Blomberg <dblomber@libertec.com> To: security-discuss@linuxsecurity.com Date: 19 Nov 2002 15:46:06 +0900
A rootkit is something that script kiddies or crackers deposit on a
machine after compromising it. It is easier to think of it as altered
versions of the rm, ps and other utils. However, to accomplish this
requires some C programming skills: just download the source code and
reprogram in checks to the GNU tools to make them behave as you want,
then recompile the tools. (Rootkits are a bad thing, but they use the
same idea: when you run ps -auxf they hide the apps that the cracker
deposited on your system so it looks like nothing is wrong.)
Dave Blomberg
Nihon libertec
On Tue, 2002-11-19 at 15:36, Steven Adams wrote:
> I don't understand..
>
> If I just make it an alias people could just change the alias..
>
> What's this rootkits thing?
>
> /Steve
> ----- Original Message -----
> From: "David Blomberg" <dblomber@libertec.com>
> To: <security-discuss@linuxsecurity.com>
> Sent: Tuesday, November 19, 2002 5:32 PM
> Subject: Re: Making ps secure
>
>
> > Same thing makers of rootkits do: change the way the apps operate (just
> > program in some sanity check prior to execution). Alternatively, make
> > aliases to the commands so that ps -auxf behaves like ps
> >
> > On Tue, 2002-11-19 at 15:17, Steven Adams wrote:
> > > Hi,
> > > I am running Slackware Linux and I notice that on FreeBSD and some
> > > other distros when you type ps auxf it only outputs the processes
> > > you're running and not anyone else's..
> > >
> > > I was wondering how they made it do this..
> > >
> > > I've also noticed that in a user's home dir .bash_history is owned by
> > > the user.. But if the user tries to remove it or chmod it to a
> > > different setting it says operation not permitted.
> > >
> > > I've also seen this before
> > > When someone tries a normal ping.
> > >
> > > ping: socket: Operation not permitted
> > >
> > > How are these things done and is there a site that tells you in
> > > detail how to make your system secure
> > >
> > > /Steve
> > >
> > > ------------------------------------------------------------------------
> > > To unsubscribe email security-discuss-request@linuxsecurity.com
> > > with "unsubscribe" in the subject of the message.
> > --
> > David Blomberg <dblomber@libertec.com>
> > Nihon Libertec
> > ------------------------------------------------------------------------
> > To unsubscribe email security-discuss-request@linuxsecurity.com
> > with "unsubscribe" in the subject of the message.
> >
>
> ------------------------------------------------------------------------
> To unsubscribe email security-discuss-request@linuxsecurity.com
> with "unsubscribe" in the subject of the message.
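The message above notes that a rootkit's altered ps hides processes from its listing. As an added example (not part of the original thread), the following Python sketch cross-checks what ps reports against the PID directories under /proc; the function names and sample values are hypothetical and constructed for illustration, and `ps -eo pid` assumes a procps-style ps.

```python
import os
import subprocess

# Constructed sample data (not from a real host): output of `ps -eo pid`
# and two listings of /proc taken just before and just after ps ran.
SAMPLE_PS_OUTPUT = "  PID\n    1\n  412\n  980\n"
SAMPLE_PROC_BEFORE = {1, 412, 733, 980, 1500}
SAMPLE_PROC_AFTER = {1, 412, 733, 980, 1501}


def pids_from_proc(proc_root="/proc"):
    """PIDs the kernel exposes: every all-digit entry name under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps_output(text):
    """Parse one-PID-per-line ps output, skipping the header and blanks."""
    return {int(f) for f in (line.strip() for line in text.splitlines())
            if f.isdigit()}


def hidden_from_ps(proc_before, ps_pids, proc_after):
    """PIDs in /proc both before and after ps ran but missing from ps.

    Requiring both snapshots drops processes that merely started or
    exited while the check was running.
    """
    return sorted((proc_before & proc_after) - ps_pids)


def check_live(ps_cmd=("ps", "-eo", "pid")):
    """Run the comparison on this host; an empty list means ps agrees."""
    before = pids_from_proc()
    out = subprocess.run(ps_cmd, capture_output=True, text=True,
                         check=True).stdout
    after = pids_from_proc()
    return hidden_from_ps(before, pids_from_ps_output(out), after)


if __name__ == "__main__":
    ps_pids = pids_from_ps_output(SAMPLE_PS_OUTPUT)
    print("constructed sample:",
          hidden_from_ps(SAMPLE_PROC_BEFORE, ps_pids, SAMPLE_PROC_AFTER))
    if os.path.isdir("/proc/1"):
        print("this host:", check_live())
```

This comparison only exposes a replaced or altered ps binary. It cannot see a process that is also hidden from /proc itself, so a clean result is not proof that the host is clean.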