Date: Thu, 1 Jan 1998 12:03:14 -0800 (PST)
From: Steve Reid <sreid@sea-to-sky.net>
To: Michael Graffam <mgraffam@mhv.net>
Cc: questions@FreeBSD.ORG
Subject: Re: HACKED (again)
Message-ID: <Pine.LNX.3.95.980101114507.28747C-100000@alpha.sea-to-sky.net>
In-Reply-To: <Pine.LNX.3.96.980101000908.22306A-100000@localhost>
On Thu, 1 Jan 1998 mgraffam@mhv.net wrote:
> Upload an evil library, and set the environment that telnetd sets up
> to call that lib rather than the ordinary stuff, the evil lib gives
> a root shell. Hmm.. this implies ELF, so I don't think FreeBSD would
> be vulnerable to this attack:

This did affect FreeBSD and most other Unixes. It was fixed a couple of
years ago, I think sometime between the 2.0.5 and 2.1.0 releases. I
wouldn't worry about it today.

> Once root is attained, much cloaking can be done. One can modify the 'ps'
> program to hide processes, along with modified netcat programs, etc. There
> is a common package in the hacker world called the 'root kit' .. it is a
> collection of modified utils that do exactly that: hide your existence.

BSD-derived Unixes have features to prevent such cloaking, by preventing
everyone (even root) from changing important data. These features have to
be specifically enabled.

In short: set the "immutable" flag on all important binaries and scripts
(see "man chflags") and run the system with securelevel set non-zero. The
immutable files then can't be modified, and the immutable flag can't be
removed except by taking the system down to single-user mode.
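The two-step hardening Steve describes (schg flag on the binaries a rootkit would replace, then a non-zero securelevel), written out as a script. This is an added example, not code from the thread or from the FreeBSD project; it assumes FreeBSD's chflags(1), sysctl(8) and `ls -lo` output format, and the list of target files and the rc.conf keys used to persist the securelevel are assumptions to adapt to your own host. The audit step matters because once securelevel is above zero the flag can no longer be added to anything you forgot, so the script refuses to raise securelevel until every target is verified immutable.

```shell
#!/bin/sh
# Added example (not from the original thread): set the system-immutable
# flag on key binaries, verify it, then raise kern.securelevel.
# Assumes FreeBSD chflags(1), sysctl(8) and `ls -lo`; the target list and
# the rc.conf keys are assumptions.

# Files a rootkit would typically replace (assumed list; extend for your host).
IMMUTABLE_TARGETS="/sbin/init /bin/ps /bin/ls /usr/bin/netstat /usr/bin/login
/usr/sbin/inetd /usr/libexec/telnetd /usr/bin/passwd /etc/rc"

# Step 1: set the system immutable flag. With $1 = dry, only print the commands.
set_immutable() {
    for f in $IMMUTABLE_TARGETS; do
        if [ "$1" = "dry" ]; then
            echo "chflags schg $f"
        else
            chflags schg "$f"
        fi
    done
}

# Extract the integer from sysctl's "kern.securelevel: N" (N may be -1).
parse_securelevel() {
    echo "$1" | sed -n 's/^kern\.securelevel: *\(-\{0,1\}[0-9][0-9]*\).*/\1/p'
}

# Succeed if one line of `ls -lo` output shows the schg flag. With -o the
# flags field sits between the group and the size, e.g.
#   -r-xr-xr-x  1 root  wheel  schg  60000 Jan  1  1998 /bin/ps
has_schg() {
    case "$(echo "$1" | awk '{ print $5 }')" in
        *schg*) return 0 ;;
    esac
    return 1
}

# Audit: read `ls -lo` lines from stdin, print every file lacking schg,
# and fail if any were found. Once securelevel > 0 the flag cannot be
# added or removed without dropping to single-user mode, so check first.
missing_schg() {
    rc=0
    while IFS= read -r line; do
        has_schg "$line" || { echo "not immutable: ${line##* }"; rc=1; }
    done
    return $rc
}

# Whole procedure; run as root on the FreeBSD host:  sh harden.sh apply
case "${1:-}" in
    apply)
        set_immutable run
        ls -lo $IMMUTABLE_TARGETS | missing_schg || exit 1
        # Step 2: raise securelevel now, and persist it across reboots
        # (rc.conf keys assumed from FreeBSD's rc.conf(5)).
        sysctl kern.securelevel=1
        printf 'kern_securelevel_enable="YES"\nkern_securelevel="1"\n' >> /etc/rc.conf
        ;;
esac
```

Run it with no argument and nothing is changed; `sh harden.sh apply` as root performs the steps. Note that the kernel will not lower securelevel once raised, so a mistake in the target list is only fixable from single-user mode, which is exactly the property that stops a root-level intruder from restoring the original `ps`.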
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.3.95.980101114507.28747C-100000>