Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Gavan Fantom <gavan@coolfactor.org>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: netbsd-users
Date: 01/12/2007 11:51:47
On Fri, 12 Jan 2007 16:37:30 +0000
Gavan Fantom <gavan@coolfactor.org> wrote:
>
> If someone has got in and hidden themselves *properly*, then you will
> not discover this from within the system. A well-designed rootkit will
> operate at kernel level, and provide the illusion that everything is
> normal. That's not to say that all rootkits are well-designed, or even
> that there are many for NetBSD, but since undetectability is the
> primary design goal for a rootkit, this is a game that you're going
> to lose very quickly.
>
To give one example, I heard of a back door in /sbin/init. It hid via
a kernel hack -- if the i-node for init was opened by pid 1, it got the
bad guy's version; if it was opened by any other process, it got the
original one. Run tripwire all you want; you won't find it. If memory
serves correctly, this applied to opens for write, too, meaning that
you couldn't install a new one...
--Steve Bellovin, http://www.cs.columbia.edu/~smb