From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S265173AbTLFOhN (ORCPT ); Sat, 6 Dec 2003 09:37:13 -0500
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S265174AbTLFOhN (ORCPT ); Sat, 6 Dec 2003 09:37:13 -0500
Received: from relay1.miee.ru ([213.171.53.133]:13327 "EHLO gulipin.miee.ru") by vger.kernel.org with ESMTP id S265173AbTLFOhJ (ORCPT ); Sat, 6 Dec 2003 09:37:09 -0500
Date: Sat, 06 Dec 2003 16:45:54 +0300
Message-ID: <874qwehxf1.wl@drakkar.ibe.miee.ru>
From: Samium Gromoff
To: root@chaos.analogic.com
CC: linux-kernel@vger.kernel.org
Subject: Re: [OT] Rootkit queston
User-Agent: Wanderlust/2.10.1 (Watching The Wheels) SEMI/1.14.5 (Awara-Onsen) FLIM/1.14.5 (Demachiyanagi) APEL/10.6 Emacs/21.3 (i386-pc-linux-gnu) MULE/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.5 - "Awara-Onsen")
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 1 Dec 2003, Richard B. Johnson wrote:
> You can check for a common 'root attack', if you have inetd,
> by looking at the last few lines in /etc/inetd.conf.
> It may have some access port added that allows anybody
> who knows about it to log in as root from the network.
> It will look something like this:
>
> # End of inetd.conf.
> 4002 stream tcp nowait root /bin/bash --
>
> In this case, port 4002 will allow access to a root shell
> that has no terminal processing, but an attacker can use this
> to get complete control of your system. FYI, this is a 5-year-old
> attack, long obsolete if you have a "store-bought" distribution
> more recent.

How is it an attack? (in order to write to inetd.conf you need to be root already)

And if it is, what does it accomplish? (writing a daemon listening on a $BELOVED_PORT port is trivial)

regards, Samium Gromoff
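A defender-side check for the pattern Richard describes, added here as an example and not code from anyone in the thread: it parses an inetd.conf (the standard inetd(8) field layout, with a constructed sample file embedded below) and flags entries whose server program is a shell or whose service is given as a bare port number, noting when they run as root. The shell list and the reasons are heuristics chosen for this example.

```python
# Constructed sample /etc/inetd.conf; the last line is the kind of entry the thread quotes.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf: see inetd(8)
#<service> <socket> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp  nowait  root   /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root   /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  nobody /usr/sbin/tcpd  in.fingerd
# End of inetd.conf.
4002    stream  tcp  nowait  root   /bin/bash  --
"""

# Interpreter basenames that should never be an inetd server program (assumed list).
SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "ash", "dash"}


def parse_inetd_conf(text):
    """Return one dict per active (non-blank, non-comment) inetd.conf line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; inetd itself would reject it
        entries.append({
            "line": lineno,
            "service": fields[0],
            "socket": fields[1],
            "proto": fields[2],
            "flags": fields[3],
            # user may be written as user.group or user:group; keep the user part
            "user": fields[4].split(".")[0].split(":")[0],
            "server": fields[5],
            "args": fields[6:],
        })
    return entries


def suspicious_entries(entries):
    """Return (line, service, reasons) for entries that look like a planted root shell."""
    findings = []
    for e in entries:
        reasons = []
        if e["server"].rsplit("/", 1)[-1] in SHELLS:
            reasons.append("server program is a shell")
        if e["service"].isdigit():
            reasons.append("service given as raw port number")
        if reasons and e["user"] == "root":
            reasons.append("runs as root")
        if reasons:
            findings.append((e["line"], e["service"], reasons))
    return findings


if __name__ == "__main__":
    for line, service, reasons in suspicious_entries(parse_inetd_conf(SAMPLE_INETD_CONF)):
        print(f"line {line}: service {service}: {', '.join(reasons)}")
```

To check a real host, read /etc/inetd.conf into `parse_inetd_conf` instead of the sample string.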