On Fri, 12 Jan 2007 16:37:30 +0000
Gavan Fantom <gavan@coolfactor.org> wrote:



> 
> If someone has got in and hidden themselves *properly*, then you will
> not discover this from within the system. A well-designed rootkit will
> operate at kernel level, and provide the illusion that everything is
> normal. That's not to say that all rootkits are well-designed, or even
> that there are many for NetBSD, but since undetectability is the
> primary design goal for a rootkit, this is a game that you're going
> to lose very quickly.
> 
To give one example, I heard of a back door in /sbin/init.  It hid via
a kernel hack -- if the i-node for init was opened by pid 1, it got the
bad guy's version; if it was opened by any other process, it got the
original one.  Run tripwire all you want; you won't find it.  If memory
serves correctly, this applied to opens for write, too, meaning that
you couldn't install a new one...  



		--Steve Bellovin, http://www.cs.columbia.edu/~smb