Finding setuid programs

jack at boring.UUCP
Tue Feb 5 23:14:13 AEST 1985


If you want to look for SUID programs, you'd better make
sure that the machine is empty.
I wrote a program once that was completely unfindable (I won't
tell the details, send me mail as 'root', and I'll tell),
and re-generated a copy of itself every time it saw that
the binary was deleted.
The only way to stop it was to bring the whole system
down, search for it (which was also made difficult, since
find wouldn't find it), and delete it.
I think that the previous comment about re-generating
everything from scratch is probably correct. Even if the
intruder doesn't modify any standard utilities, you could
have a hard time catching him.
-- 
	Jack Jansen, {decvax|philabs|seismo}!mcvax!jack
Notice new, improved, faster address         ^^^^^
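An added example, not part of the original post, of the baseline approach the thread is about: enumerate setuid/setgid files and compare against a list saved from a known-good state. Directory and file names are constructed for illustration; as the post notes, the output is only as trustworthy as the `find` binary you run, so take the baseline from clean media.

```shell
#!/bin/sh
# Added example (not from the original post): list setuid/setgid files and
# compare the result with a saved baseline.

list_setuid() {
    # $1: directory to scan. -xdev keeps find on one filesystem so mounted
    # media or network shares are not mixed into the listing.
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

check_setuid() {
    # $1: baseline file produced earlier by list_setuid, $2: directory to scan.
    # Returns 0 when the current listing matches the baseline, 1 otherwise,
    # printing the differences (lines marked > are new setuid/setgid files).
    baseline=$1
    dir=$2
    current=$(list_setuid "$dir")
    if [ "$current" = "$(cat "$baseline")" ]; then
        return 0
    fi
    printf '%s\n' "$current" | diff "$baseline" - || true
    return 1
}

# Usage: list_setuid / > /mnt/cleanmedia/setuid.baseline   (taken when clean)
#        check_setuid /mnt/cleanmedia/setuid.baseline /      (later checks)
```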
