From owner-freebsd-questions  Thu Jan  1 12:02:55 1998
Return-Path: <owner-freebsd-questions>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id MAA04407
          for questions-outgoing; Thu, 1 Jan 1998 12:02:55 -0800 (PST)
          (envelope-from owner-freebsd-questions)
Received: from alpha.sea-to-sky.net (sreid@sea-to-sky.net [204.244.200.240])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id MAA04402
          for <questions@FreeBSD.ORG>; Thu, 1 Jan 1998 12:02:53 -0800 (PST)
          (envelope-from sreid@sea-to-sky.net)
Received: from localhost (sreid@localhost) by alpha.sea-to-sky.net (8.8.7/8.7.3) with SMTP id MAA28824; Thu, 1 Jan 1998 12:03:14 -0800
Date: Thu, 1 Jan 1998 12:03:14 -0800 (PST)
From: Steve Reid <sreid@sea-to-sky.net>
To: Michael Graffam <mgraffam@mhv.net>
cc: questions@FreeBSD.ORG
Subject: Re: HACKED (again)
In-Reply-To: <Pine.LNX.3.96.980101000908.22306A-100000@localhost>
Message-ID: <Pine.LNX.3.95.980101114507.28747C-100000@alpha.sea-to-sky.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Thu, 1 Jan 1998 mgraffam@mhv.net wrote:
> Upload an evil library, and set the environment that telnetd sets up
> to call that lib rather than the ordinary stuffs, the evil lib gives 
> a root shell. Hmm.. this implies ELF, so I dont think FreeBSD would
> be vulnerable to this attack:

This did affect FreeBSD and most other Unixes. It was fixed a couple of
years ago, I think sometime between the 2.0.5 and 2.1.0 releases. I
wouldn't worry about it today. 

> Once root is attained, much cloaking can be done. One can modify the 'ps'
> program to hide processes, along with modified netcat programs, etc. There
> is a common package in the hacker world called the 'root kit' .. it is a
> collection of modified utils that do exactly that: hide your existance.

BSD-derived Unixes have features to prevent such cloaking, by preventing
everyone (even root) from changing important data. These features have
to be specifically enabled. In short: set the "immutable" flag on all
important binaries and scripts (see "man chflags") and run the system
with securelevel set non-zero. The immutable files then can't be
modified, and the immutable flag can't be removed except by taking the
system down to single-user mode.