From: mru@kth.se (Måns Rullgård)
To: linux-kernel@vger.kernel.org
Subject: Re: [OT] Rootkit queston
Date: Sat, 06 Dec 2003 16:01:20 +0100 [thread overview]
Message-ID: <yw1x65gu7zy7.fsf@kth.se> (raw)
In-Reply-To: 874qwehxf1.wl@drakkar.ibe.miee.ru
Samium Gromoff <deepfire@ibe.miee.ru> writes:
>> You can check for a common 'root attack', if you have inetd,
>> by looking at the last few lines in /etc/inetd.conf.
>> It may have some access port added that allows anybody
>> who knows about it to log in as root from the network.
>> It will look something like this:
>>
>> # End of inetd.conf.
>> 4002 stream tcp nowait root /bin/bash --
>>
>> In this case, port 4002 will allow access to a root shell
>> that has no terminal processing, but an attacker can use this
>> to get complete control of your system. FYI, this is a 5-year-old
>> attack, long obsolete if you have a "store-bought" distribution
>> more recent.
>
> How is it an attack?
> (in order to write to inetd.conf you need to be root already)
>
> And if it is, what does it accomplish?
> (writing a daemon listening on a $BELOVED_PORT port is trivial)
Suppose you found a bug in a web server that would make the server
append arbitrary data to existing files. Adding that line to
inetd.conf would be one way to use that bug to gain full control over
the machine.
--
Måns Rullgård
mru@kth.se
next prev parent reply other threads:[~2003-12-06 15:01 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-12-06 13:45 [OT] Rootkit queston Samium Gromoff
2003-12-06 15:01 ` Måns Rullgård [this message]
2003-12-06 15:10 ` Doug McNaught
2003-12-06 15:07 ` Christian
2003-12-08 13:49 ` Richard B. Johnson
-- strict thread matches above, loose matches on Subject: below --
2003-12-02 21:24 Albert Cahalan
2003-12-01 21:11 Markus Hästbacka
2003-12-01 22:19 ` Richard B. Johnson
2003-12-01 23:36 ` Måns Rullgård
2003-12-01 23:47 ` Mike Fedyk
2003-12-01 22:48 ` Bernd Eckenfels
2003-12-05 17:29 ` dean gaudet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=yw1x65gu7zy7.fsf@kth.se \
--to=mru@kth.se \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox