Date: Fri, 20 Jul 2001 11:57:51 -0700 (PDT)
From: Mike Hoskins <mike@adept.org>
To: Tom <tom@uniserve.com>
Cc: "Chad R. Larson" <chad@DCFinc.com>, admin@kremilek.gyrec.cz, freebsd-stable@FreeBSD.ORG
Subject: Re: probably remote exploit
Message-ID: <Pine.BSF.4.21.0107201151110.17247-100000@snafu.adept.org>
In-Reply-To: <Pine.BSF.4.10.10107201124410.70379-100000@athena.uniserve.ca>
On Fri, 20 Jul 2001, Tom wrote:

> But if a backdoor is installed, you can't trust cvsup, or make either.
> Any binary could have been tampered with. For instance, I would make a
> backdoor make that would detect that an installworld is underway, and
> always make sure that a backdoored copy of "login" and another copy of
> "make".

What? Everyone can't just do a quick check against the saved tripwire
checksums on CD-R? ;)

Seriously. While checksumming an entire system can be impractical, keeping
checksums for a barebones set of administrative tools can be a lifesaver.

I'd be curious to know if a quick search for "..." and other attempts at
hiding directories turned up anything. Honeypots I've played with show an
affinity to "..." for hiding cracker tools. Not too sure why, it's easily
visible.

Also, per his original post - if they obtained root access via an exploit,
they would not have to guess the user's 8-character password. Once root,
they could set the password to anything they want and/or bruteforce the
encrypted string in master.passwd.

Later,

-Mike

--
2^n eyes are better than 2. Join the logwatchers community today.
http://www.adept.org/mailinglists.html#logwatchers

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
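The "checksums for a barebones set of administrative tools on CD-R" idea from the reply above, worked through as an added example that is not part of the thread and not any poster's code. It assumes a POSIX sh plus one of sha256sum (GNU), sha256 (FreeBSD) or openssl for hashing; the file names in the demo are constructed stand-ins, not real system binaries. The thread's own caveat applies: the verification script and the hashing tool must themselves be run from the read-only media, because a trojaned make or login on the suspect host could just as well be a trojaned sha256 or sh.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: record SHA-256 checksums
# for a small set of admin tools, then verify the live copies against that
# record. The baseline file is meant to be written to read-only media.
# Assumption: sha256sum, sha256 or openssl is available on PATH.

set -u

# digest FILE : print the hex SHA-256 of FILE (wrapper over whichever tool exists)
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# make_baseline BASELINE FILE... : write one "hash  path" line per file.
make_baseline() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        printf '%s  %s\n' "$(digest "$f")" "$f" >> "$out"
    done
}

# verify_baseline BASELINE : re-hash every listed path and print OK, CHANGED
# or MISSING per file; return 0 only if every file is present and unchanged.
verify_baseline() {
    base=$1
    bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"; bad=1
        elif [ "$(digest "$path")" != "$want" ]; then
            printf 'CHANGED  %s\n' "$path"; bad=1
        else
            printf 'OK       %s\n' "$path"
        fi
    done < "$base"
    return $bad
}

# count_status BASELINE STATUS : how many files verify_baseline reports with
# the given status (OK, CHANGED or MISSING).
count_status() {
    verify_baseline "$1" | grep -c "^$2 " || true
}

# demo : constructed files standing in for ls, login and make; one gets
# "trojaned" and one deleted after the baseline is taken.
demo() {
    tmp=$(mktemp -d)
    printf 'ls binary\n'    > "$tmp/ls"
    printf 'login binary\n' > "$tmp/login"
    printf 'make binary\n'  > "$tmp/make"
    make_baseline "$tmp/baseline.sha256" "$tmp/ls" "$tmp/login" "$tmp/make"
    printf 'backdoored login\n' > "$tmp/login"   # simulated tampering
    rm "$tmp/make"                                # simulated removal
    if verify_baseline "$tmp/baseline.sha256"; then
        echo "all tools match the baseline"
    else
        echo "integrity check FAILED: rebuild from trusted media"
    fi
    rm -rf "$tmp"
}

demo
```

In practice the FILE list would be the handful of tools you rely on during an investigation (the shell, ls, ps, netstat, login, make, the hashing tool itself), and both the baseline and a known-good copy of those tools would live on the CD-R so the check does not depend on anything the intruder could have replaced.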