Re: [SCARED] Is ext2 unreliable?

From: Dr. Kelsey Hudson (kernel@blackhole.compendium-tech.com)
Date: Thu May 18 2000 - 19:27:30 EST


> various means. Often, they will also install a "root kit" which hides the
> presence of an intrusion by providing fake copies of netstat, ps, du, df,
> ls, sum, md5sum, and other utilities so that when you check the system
> things "should" seem normal, when they are not. When a root kit is
> in place, you won't see the backdoor processes because "ps" will filter
> them out and doing an md5sum on ls will return the correct result because
> the trojaned md5sum will report back the reference copy, not the trojaned
> file. You won't notice backdoor ports opened and listening, because netstat
> is not reporting them. It's HIGHLY UNLIKELY that you would notice that
> a connection FROM port 5000 to your ftp server gives you an immediate root
> shell, while connections from any other port give you a normal ftp prompt.
> In other words, when they get in, they hide REAL GOOD, but not perfect.

On a side note, one of the Solaris machines I administered had a hole in
the RPC daemon, which allowed an intruder to get in, install the root kit,
and do all sorts of neat things. So, instead of getting pissed off and
reinstalling the system from scratch, I decided I would re-doctor the
doctored versions of these programs, then add a logging facility to each
of them. Shortly, I was able to determine what the user had done, and
where he was connecting from, and had a bunch of nifty logs to help in
prosecuting his ass.

Unfortunately, this machine was compromised again by another user (.mil
domains are extremely high risk I'm afraid) and all the data on the
machine (including sources to the hacked programs) was lost, so I can't
provide them...
However, it does look like there was an intruder, but as has been
said before, after the machine was brought into single-user mode, it should
have closed all file connections.

Well, good luck in getting your problem solved, and if I can be of any
help, let me know.

 Kelsey Hudson khudson@ctica.com
 Software Engineer
 Compendium Technologies, Inc (619) 725-0771
---------------------------------------------------------------------------
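The quoted paragraph describes the classic userland rootkit trick: a trojaned md5sum echoes the digest of the clean reference copy, and a trojaned ps drops the backdoor processes. A defender's counter is to compute the same facts from an independent source and compare. Below is an added example (not code from this thread or from any tool mentioned in it) that hashes binaries with Python's hashlib instead of the system md5sum, and diffs the PID list in /proc against what ps prints; the sample bytes and reported digest are constructed, and live_check assumes a Linux host with /proc, ps and md5sum on the path.

```python
import hashlib
import os
import re
import subprocess

# Constructed sample input: bytes we "read from disk" for a replaced ls, and
# the line a trojaned md5sum might echo back (here the digest of "abc").
SAMPLE_LS_BYTES = b"#!/bin/sh\nexec /usr/bin/ls.orig \"$@\"  # constructed stand-in\n"
SAMPLE_REPORTED = "900150983cd24fb0d6963f7d28e17f72  /bin/ls"  # constructed


def independent_md5(data):
    """Digest computed by Python's hashlib, never by the system md5sum."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk=65536):
    """Stream a file through hashlib without invoking any shell tool."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_md5sum_output(text):
    """Parse md5sum's 'digest  filename' lines into {filename: digest}."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{32})\s+\*?(.+)$", line.strip())
        if m:
            result[m.group(2)] = m.group(1).lower()
    return result


def digests_disagree(data, reported_digest):
    """True when the reported digest differs from the independently computed one."""
    return independent_md5(data) != reported_digest.strip().lower()


def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc that ps did not list. Processes exiting between
    the two snapshots also land here, so only persistent entries matter."""
    return sorted(set(proc_pids) - set(ps_pids))


def live_check(binary="/bin/ls"):
    """Run both cross-checks on this host. A kernel-level rootkit can lie to
    every reader including this script; only offline media is immune to that."""
    run = lambda argv: subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    proc = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    ps = {int(t) for t in run(["ps", "-e", "-o", "pid="]).split()}
    reported = parse_md5sum_output(run(["md5sum", binary])).get(binary, "")
    return {"hidden_pids": hidden_pids(proc, ps),
            "binary_digest_mismatch": md5_of_file(binary) != reported}
```

Run live_check() as root on a suspect box booted normally to get a first read, then repeat from a trusted rescue medium to rule out kernel-level tampering.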

This archive was generated by hypermail 2b29 : Tue May 23 2000 - 21:00:16 EST