On Monday 03 June 2002 10:13 am, Tibbetts, Ric wrote:
> > On Monday 03 June 2002 01:38 am, James wrote:
> >> I've been watching how this thread progressed. I've noticed two pieces
> >> of FUD that keep appearing.
> >>
> >> 1. The assumption that a virus writer wouldn't know that he/she needs to
> >> be root to do real damage and that he/she won't do just that. Don't
> >> give yourself a sense of false security here. All they need to do is
> >> have a line appended to Passwd and shadow (yes even MD5 is vulnerable
> >> here, all it takes is some math.) and they have a new user that has UID
> >> 0 and they don't even need to be root. Remember they are in your box.
> >> Harden it all you want to the outside. Your vulnerability is when they
> >> are inside. (Oh and we did this recently to a Linux box that the user
> >
> > [...]
> >
> > Well? Pray-tell, how does one go about appending a new user to Passwd with
> > UID 0? Altering Passwd should itself require root privileges - I cannot
> > even get in to single user mode to do damage without my root passwd. I
> > haven't had to do it for a long time, but I believe this is also true when
> > booting up with a CD and doing "rescue".
> >
> > Nonetheless, I would love to know how one could do as you describe. Fill us
> > in please.
>
> Just to put my .02 in on that.
> I'm not sure that a trick like that is something that should be broadcast
> on a public list.
Whyever not? Such tricks are openly available on the public internet. In any case, such a trick would be good to know (for defensive purposes as well as nefarious). As indicated, it would appear to require access from the inside, as he indicates, meaning that the doer already has physical or even user access to the system. I gather from this that a standard Black Hat on the net would therefore first have to hack into your system from the internet and THEN create such an account...but they do that anyway usually - it is what a rootkit is for. This might actually be a useful tool for use when you forget your root password...and perhaps the procedure would suggest a fix to prevent it?

praedor
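One defensive counterpart to the scenario James describes (an extra UID 0 line appended to passwd) is a routine audit of the file for exactly that entry. The script below is an added example, not code from anyone in this thread; it assumes a POSIX awk and runs over a constructed sample file rather than the real /etc/passwd.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for accounts that share UID 0
# with root and for accounts whose password field is empty. Any hit is
# printed with its line number; the function returns 1 if anything was found.
audit_passwd() {
    awk -F: '
        NF < 7 { printf "malformed line %d: %s\n", NR, $0; bad++; next }
        $3 == 0 && $1 != "root" {
            printf "extra UID 0 account: %s (line %d)\n", $1, NR; bad++
        }
        $2 == "" {
            printf "empty password field: %s (line %d)\n", $1, NR; bad++
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample file (not a real system's passwd) so the script runs
# stand-alone; the last line is the kind of entry the thread is about.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
praedor:x:500:500:praedor:/home/praedor:/bin/bash
toor::0:0:appended:/:/bin/sh
EOF

if audit_passwd "$SAMPLE_PASSWD"; then
    echo "no findings"
else
    echo "findings present - compare against a known-good copy of the file"
fi
rm -f "$SAMPLE_PASSWD"
```

Run it against /etc/passwd from cron and diff the output against a saved baseline; the same awk checks apply to /etc/shadow if you point the function at that file as root.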
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
