Re: [OT] Rootkit queston
From: Samium Gromoff
Date: Sat Dec 06 2003 - 09:38:41 EST
On Mon, 1 Dec 2003, Richard B. Johnson wrote:
> You can check for a common 'root attack', if you have inetd,
> by looking at the last few lines in /etc/inetd.conf.
> It may have some access port added that allows anybody
> who knows about it to log in as root from the network.
> It will look something like this:
> # End of inetd.conf.
> 4002 stream tcp nowait root /bin/bash --
> In this case, port 4002 will allow access to a root shell
> that has no terminal processing, but an attacker can use this
> to get complete control of your system. FYI, this is a 5-year-old
> attack, long obsolete if you have a "store-bought" distribution
> more recent.
How is it an attack?
(in order to write to inetd.conf you need to be root already)
And if it is, what does it accomplish?
(writing a daemon listening on a $BELOVED_PORT port is trivial)
regards, Samium Gromoff
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/