From owner-freebsd-questions Thu Jan 1 12:02:55 1998
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id MAA04407 for questions-outgoing; Thu, 1 Jan 1998 12:02:55 -0800 (PST) (envelope-from owner-freebsd-questions)
Received: from alpha.sea-to-sky.net (sreid@sea-to-sky.net [204.244.200.240]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id MAA04402 for ; Thu, 1 Jan 1998 12:02:53 -0800 (PST) (envelope-from sreid@sea-to-sky.net)
Received: from localhost (sreid@localhost) by alpha.sea-to-sky.net (8.8.7/8.7.3) with SMTP id MAA28824; Thu, 1 Jan 1998 12:03:14 -0800
Date: Thu, 1 Jan 1998 12:03:14 -0800 (PST)
From: Steve Reid
To: Michael Graffam
cc: questions@FreeBSD.ORG
Subject: Re: HACKED (again)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Thu, 1 Jan 1998 mgraffam@mhv.net wrote:
> Upload an evil library, and set the environment that telnetd sets up
> to call that lib rather than the ordinary stuffs, the evil lib gives
> a root shell. Hmm.. this implies ELF, so I don't think FreeBSD would
> be vulnerable to this attack:

This did affect FreeBSD and most other Unixes. It was fixed a couple of
years ago, I think sometime between the 2.0.5 and 2.1.0 releases. I
wouldn't worry about it today.

> Once root is attained, much cloaking can be done. One can modify the 'ps'
> program to hide processes, along with modified netcat programs, etc. There
> is a common package in the hacker world called the 'root kit' .. it is a
> collection of modified utils that do exactly that: hide your existence.

BSD-derived Unixes have features to prevent such cloaking, by preventing
everyone (even root) from changing important data. These features have to
be specifically enabled. In short: set the "immutable" flag on all
important binaries and scripts (see "man chflags") and run the system with
securelevel set non-zero. The immutable files then can't be modified, and
the immutable flag can't be removed except by taking the system down to
single-user mode.
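The lockdown Steve describes, written out as a script. This is an added example, not code from the thread or from FreeBSD itself; it assumes a FreeBSD host with chflags(1), stat(1) and the kern.securelevel sysctl, and the directory list, the rc.conf keys and the spot-check file names are assumptions chosen for a modern FreeBSD layout (the 1998 kernel lived at /kernel, not /boot/kernel).

```sh
#!/bin/sh
# Added example (not from the original thread): mark system binaries
# immutable with chflags(1) and confirm the kernel runs at a securelevel
# that refuses to clear the flag.
# Assumptions: FreeBSD; chflags, `stat -f %Sf`, `sysctl -n kern.securelevel`;
# the directory list and rc.conf keys below are assumed, not from the post.

# Directories whose regular files get the system-immutable (schg) flag.
IMMUTABLE_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/lib /usr/libexec /boot/kernel"

# securelevel_locks_schg LEVEL
# Returns 0 when a kernel at securelevel LEVEL refuses to clear schg/sappnd,
# i.e. LEVEL >= 1. Levels -1 and 0 are "insecure": root can clear the flag.
# Returns 2 for a value that is not an integer.
securelevel_locks_schg() {
    case "$1" in
        ''|*[!0-9-]*) return 2 ;;
    esac
    [ "$1" -ge 1 ]
}

# flags_include FLAGS NAME
# FLAGS is the comma-separated flag string printed by `stat -f %Sf` or the
# flags column of `ls -lo` (e.g. "schg,uarch"; "-" means no flags).
# Returns 0 when NAME is one of the flags.
flags_include() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# mark_immutable DIR...
# Sets schg on every regular file below each DIR. Idempotent; must run as
# root, and only succeeds at all while securelevel still permits it or the
# file is not already locked.
mark_immutable() {
    for d in "$@"; do
        find "$d" -type f -exec chflags schg {} +
    done
}

# verify_immutable FILE
# Reads the file's flags from stat(1) and reports whether schg is set.
verify_immutable() {
    flags_include "$(stat -f %Sf "$1")" schg
}

main() {
    level=$(sysctl -n kern.securelevel)
    if ! securelevel_locks_schg "$level"; then
        echo "kern.securelevel is $level: root can still clear schg." >&2
        echo 'Set kern_securelevel_enable="YES" and kern_securelevel="1" in /etc/rc.conf, then reboot.' >&2
    fi
    mark_immutable $IMMUTABLE_DIRS
    # Spot-check the tools a rootkit typically replaces.
    for f in /bin/ps /usr/bin/netstat /sbin/ifconfig; do
        verify_immutable "$f" || echo "WARNING: $f is not immutable" >&2
    done
}

# Run the lockdown only when explicitly asked, so the file can be sourced
# for its functions without touching the system.
if [ "${LOCKDOWN_RUN:-0}" = 1 ]; then
    main
fi
```

Run as root with `LOCKDOWN_RUN=1 sh chflags_lockdown.sh`. Order matters: set the flags first, then raise securelevel, because once kern.securelevel is 1 or higher the kernel rejects `chflags noschg` (and `sysctl kern.securelevel=0`) from every process; only init lowers it when the system drops to single-user mode. Securelevel 1 also refuses writes to /dev/mem, /dev/kmem and the raw devices of mounted filesystems and blocks kernel module loading, which closes the usual ways a rootkit patches the running kernel rather than the binaries. It does nothing for files outside the immutable set, so anything executed from PATH or by cron that lives in /usr/local or under a user's home needs the same treatment.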