pkgsrc-Users archive


Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?



On Fri, 12 Jan 2007 16:37:30 +0000
Gavan Fantom <gavan%coolfactor.org@localhost> wrote:
> 
> If someone has got in and hidden themselves *properly*, then you will
> not discover this from within the system. A well-designed rootkit will
> operate at kernel level, and provide the illusion that everything is
> normal. That's not to say that all rootkits are well-designed, or even
> that there are many for NetBSD, but since undetectability is the
> primary design goal for a rootkit, this is a game that you're going
> to lose very quickly.
> 
To give one example, I heard of a back door in /sbin/init.  It hid via
a kernel hack -- if the i-node for init was opened by pid 1, it got the
bad guy's version; if it was opened by any other process, it got the
original one.  Run tripwire all you want; you won't find it.  If memory
serves correctly, this applied to opens for write, too, meaning that
you couldn't install a new one...
                --Steve Bellovin, http://www.cs.columbia.edu/~smb