Re: [OT] Rootkit queston

From: Christian
Date: Sat Dec 06 2003 - 11:08:20 EST

Samium Gromoff wrote:
On Mon, 1 Dec 2003, Richard B. Johnson wrote:

You can check for a common 'root attack', if you have inetd,
by looking at the last few lines in /etc/inetd.conf.
It may have some access port added that allows anybody
who knows about it to log in as root from the network.
It will look something like this:

# End of inetd.conf.
4002 stream tcp nowait root /bin/bash --


How is it an attack?
(in order to write to inetd.conf you need to be root already)

he probably meant "rootkit" instead of "root attack" and as the subject reveals, that's what the thread was all about.

BOFH excuse #13:

we're waiting for [the phone company] to fix that line
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at