Re: [OT] Rootkit queston

From: Samium Gromoff
Date: Sat Dec 06 2003 - 09:38:41 EST

Next message: Ivan Ristic: "Help with an idea for user impersionalisation kernel module"
Previous message: John Bradford: "Re: cdrecord hangs my computer"
In reply to: Albert Cahalan: "Re: [OT] Rootkit queston"
Next in thread: Måns Rullgård: "Re: [OT] Rootkit queston"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 1 Dec 2003, Richard B. Johnson wrote:
> You can check for a common 'root attack', if you have inetd,
> by looking at the last few lines in /etc/inetd.conf.
> It may have some access port added that allows anybody
> who knows about it to log in as root from the network.
> It will look something like this:
>
> # End of inetd.conf.
> 4002 stream tcp nowait root /bin/bash --
>
> In this case, port 4002 will allow access to a root shell
> that has no terminal processing, but an attacker can use this
> to get complete control of your system. FYI, this is a 5-year-old
> attack, long obsolete if you have a "store-bought" distribution
> more recent.

How is it an attack?
(in order to write to inetd.conf you need to be root already)

And if it is, what does it accomplish?
(writing a daemon listening on a $BELOVED_PORT port is trivial)

regards, Samium Gromoff
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ivan Ristic: "Help with an idea for user impersionalisation kernel module"
Previous message: John Bradford: "Re: cdrecord hangs my computer"
In reply to: Albert Cahalan: "Re: [OT] Rootkit queston"
Next in thread: Måns Rullgård: "Re: [OT] Rootkit queston"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]