Re: [OT] Rootkit queston

From: Måns Rullgård
Date: Sat Dec 06 2003 - 10:03:34 EST

Samium Gromoff <deepfire@xxxxxxxxxxx> writes:

>> You can check for a common 'root attack', if you have inetd,
>> by looking at the last few lines in /etc/inetd.conf.
>> It may have some access port added that allows anybody
>> who knows about it to log in as root from the network.
>> It will look something like this:
>> # End of inetd.conf.
>> 4002 stream tcp nowait root /bin/bash --
>> In this case, port 4002 will allow access to a root shell
>> that has no terminal processing, but an attacker can use this
>> to get complete control of your system. FYI, this is a 5-year-old
>> attack, long obsolete if you have a "store-bought" distribution
>> more recent.
> How is it an attack?
> (in order to write to inetd.conf you need to be root already)
> And if it is, what does it accomplish?
> (writing a daemon listening on a $BELOVED_PORT port is trivial)

Suppose you found a bug in a web server that would make the server
append arbitrary data to existing files. Adding that line to
inetd.conf would be one way to use that bug to gain full control over
the machine.

Måns Rullgård

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at