Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Gavan Fantom <email@example.com>
From: Steven M. Bellovin <firstname.lastname@example.org>
Date: 01/12/2007 11:51:47

On Fri, 12 Jan 2007 16:37:30 +0000
Gavan Fantom <email@example.com> wrote:
> If someone has got in and hidden themselves *properly*, then you will
> not discover this from within the system. A well-designed rootkit will
> operate at kernel level, and provide the illusion that everything is
> normal. That's not to say that all rootkits are well-designed, or even
> that there are many for NetBSD, but since undetectability is the
> primary design goal for a rootkit, this is a game that you're going
> to lose very quickly.

To give one example, I heard of a back door in /sbin/init. It hid via
a kernel hack -- if the i-node for init was opened by pid 1, it got the
bad guy's version; if it was opened by any other process, it got the
original one. Run tripwire all you want; you won't find it. If memory
serves correctly, this applied to opens for write, too, meaning that
you couldn't install a new one...

--Steve Bellovin, http://www.cs.columbia.edu/~smb