[1942] in linux-security and linux-alert archive


[linux-security] check-ps 1.2 alpha 4 released

daemon@ATHENA.MIT.EDU (Duncan Simpson)
Sat Jun 27 01:42:44 1998

To: bugtraq@netspace.org
Cc: linux-security@redhat.com
Date: Sat, 27 Jun 1998 02:53:58 +0200
From: Duncan Simpson <dps@io.stargate.co.uk>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



I have just uploaded check-ps version 1.2 alpha 4 to the pub/word2x directory 
on mars.astra.co.uk. I have also supplied a signature for pgp 2.x and pgp 5 
users. You can obtain the keys from the file in the same directory or by 
sending email to pgp@duncan.telstar.net (an automatic response robot, subject 
and message contents junked). The licence is GPL.

The major features over 1.2alpha are
  + bug fixes (all known bugs are fairly minor)
  + configure fixes
  + kill scanning is now supported on linux.

For those who do not know about check-ps it is a security alarm that pretends 
to be httpd, possibly with a fake argument list (the name and argument list 
are configurable by minor source changes). It can be configured to kill or 
stop programs that are detected. If it understands the /proc format, which 
currently means you have things not sent to me or are using linux, then it 
will tell you all the information it can find. This understanding also enables 
it to wipe out the attacker's connection most of the time, assuming you tell it 
to send signals.

The kill scanning can easily be "ported" to other platforms by supplying a 
file called <system name>_killscan.h which #defines MAX_PROC to the largest 
possible process id+1. Once this file is written the configure script will 
automatically sense its presence and turn on the kill scanning code. (If you 
do write such a header please email it to me).

Kill scanning tries all possible pids and uses the feature of most systems 
that kill does its error checks, and thus allows the checking of pids, without 
sending any signal. This scanning will get people that hack the kernel code 
that generates /proc entries to leave their evil processes out. Kudos for the 
idea are due to Solar Designer.

Once enabled you can select kill scanning by feeding check_ps -p or 
--killscan on the argument list. Please be aware that kill scanning, and 
check-ps in general, is still experimental.

Assuming you want to receive reports via email when using the email option 
please change cfg_email.h; at present the reports get sent to 
dps@io.stargate.co.uk, which is probably not what you want. If anyone is 
caught I would appreciate a quick note though.

Mirroring by others, including CERT, CIAC, etc is permitted.


-- 
Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."



-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBNZRQq0ekq+3VXI08EQKZNgCg8KgIsEU9s4uL8W4xgOZn8FLol+oAoPLQ
WV1kuzUIy5Dy/xCw0xIDsgBx
=wWJA
-----END PGP SIGNATURE-----

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null

