[1778] in linux-security and linux-alert archive


[linux-security] Re: Re: Re: Re: Bind Overrun Bug and Linux (fwd)

daemon@ATHENA.MIT.EDU (Adam Spiers)
Mon May 25 03:23:44 1998

Date: Mon, 25 May 1998 01:14:50 +0000
From: Adam Spiers <adam@thelonious.new.ox.ac.uk>
In-reply-to: <Pine.LNX.3.95.980523124227.14450A-100000@lexicom.lexicom.ab.ca>;
 from Shaun on Sat, May 23, 1998 at 12:51:38PM -0600
To: linux-security@redhat.com
Reply-to: Adam Spiers <adam.spiers@new.ox.ac.uk>
Mail-Followup-To: linux-security@redhat.com
Resent-From: linux-security@redhat.com

Shaun (shaun@lexicom.ab.ca) wrote:
>  For example, LRK config defaults:
> 	/dev/ttyp*
> These files are quite noticeable, as *no* files in /dev/ should be of type
> f (regular file) except MAKEDEV.  They should be of only type: c/b/s.  A
> simple 'find /dev -type f' will report all of the regular file types.

On the other hand, don't presume that your attacker is totally inept
and will therefore stay with the LRK defaults; I have seen a case
where the config files were changed to /usr/lib/lib[pqrs].o for
example.

I'm sure that even lame r00tsh3l1 crackers are capable of thinking of
decent hiding places :-)

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
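
The two checks discussed in this message, as an added example that is not part of the original post: the quoted `find /dev -type f` sweep, plus a heuristic for the relocated case Adam describes, flagging `*.o` files that do not start with the ELF magic bytes. The function names, the ELF-magic heuristic and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Regular files under a device directory other than MAKEDEV
# (the check quoted from Shaun's message).
dev_regular_files() {
    find "$1" -type f ! -name MAKEDEV -print
}

# Heuristic (assumption, not from the post): a file named *.o whose first
# four bytes are not the ELF magic 7f 45 4c 46 is not a real object file
# and deserves a look. Only the top level of the directory is examined.
fake_objects() {
    for f in "$1"/*.o; do
        [ -f "$f" ] || continue          # also skips an unmatched glob
        magic=$(dd if="$f" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
        [ "$magic" = "7f454c46" ] || printf '%s\n' "$f"
    done
}

# Demo on a constructed tree standing in for /dev and /usr/lib.
demo=$(mktemp -d)
mkdir "$demo/dev" "$demo/lib"
: > "$demo/dev/MAKEDEV"                              # legitimate regular file
echo 'constructed hide list' > "$demo/dev/ttypz"     # default-style location
echo 'constructed hide list' > "$demo/lib/libq.o"    # relocated, text not ELF
printf '\177ELF\001\001\001' > "$demo/lib/crt1.o"    # constructed ELF header

echo "regular files in device dir:"
dev_regular_files "$demo/dev"
echo "*.o files that are not ELF objects:"
fake_objects "$demo/lib"
rm -rf "$demo"
```

On a live host the calls would be `dev_regular_files /dev` and `fake_objects /usr/lib`; modern systems keep legitimate regular files under /dev/shm, so expect those in the first list.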
