[Nottingham] Paranoid already

Lee nottingham at mailman.lug.org.uk
Sun Aug 17 15:25:00 2003


Hmmmmmmmmm.............

> Or you could keep a renamed tar'ed duplicate of the netstat binary :P Would
> that work on a box that's had a rootkit installed?

Depends. netstat, like all executables, depends on libraries and kernel/system
calls, so if a hacker has altered the behaviour of these libraries, then
even running an untainted executable isn't going to get you anywhere
(good)....

Patching the kernel is even harder to detect....hohoho... and it's
possible to trojan a kernel. I didn't say easy, but possible... if you
can write a kernel-mode web server in Linux, writing a security backdoor
is trivial.

If you do a strace on netstat you'll find...

open("/lib/libc.so.6", O_RDONLY)        = 3
open("/lib/libnss_files.so.2", O_RDONLY) = 4
open("/lib/libnss_nisplus.so.2", O_RDONLY) = 4
open("/lib/libnsl.so.1", O_RDONLY)      = 4
open("/lib/libnss_nis.so.2", O_RDONLY)  = 4
open("/lib/libnss_dns.so.2", O_RDONLY)  = 4
open("/lib/libresolv.so.2", O_RDONLY)   = 4

Now, I'm not too sure how netstat works without looking at the source code,
but if one of these libraries is being used to enumerate the kernel's
IP/TCP/UDP connection table, then it's only a matter of patching the
relevant kernel/library calls.......

Hard... but not beyond the realms of science...

Laters,
Lee
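As an added example (not part of Lee's post or the list thread), here is the defender's counterpart to the point above: a cross-view check. On Linux, netstat builds its connection list from the kernel's /proc/net/tcp, one hex-encoded row per socket. If a hooked library or a patched netstat filters rows out of what the operator sees, a second reading of the same table taken by a different path can be diffed against it, and any socket present in one view but not the other is worth investigating. Both views below are constructed sample data, and the hex layout assumes a little-endian (x86) host; a kernel-level patch of the kind the post goes on to describe can filter /proc itself, so the stronger version of this check reads the table from a statically linked binary, or from outside the host entirely (a network tap, or the disk examined offline).

```python
"""Cross-view check of the kernel TCP table against netstat's view of it.

Added example, not code from the mailing-list post. Sample inputs are
constructed; the hex encoding assumes a little-endian host.
"""
import socket
import struct

# Constructed sample of /proc/net/tcp as the kernel prints it (header + rows).
PROC_NET_TCP_SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:0016 0102000A:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
   3: 0F02000A:0B54 0101A8C0:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample of what a (possibly tampered) netstat printed on the
# same host: the 192.168.1.1:8080 connection is missing from this view.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 10.0.2.15:22            10.0.2.1:50081          ESTABLISHED
"""

# Socket states as numbered in the kernel's /proc/net/tcp "st" column.
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}


def decode_endpoint(field):
    """Turn a /proc field such as '0100007F:0CEA' into ('127.0.0.1', 3306)."""
    hex_ip, hex_port = field.split(":")
    # The address is printed in host byte order, so on a little-endian
    # machine the bytes read reversed; repack as little-endian to undo that.
    packed = struct.pack("<I", int(hex_ip, 16))
    return socket.inet_ntoa(packed), int(hex_port, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into a set of (local, remote, state) tuples."""
    entries = set()
    for line in text.splitlines()[1:]:  # skip the column-header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local = decode_endpoint(fields[1])
        remote = decode_endpoint(fields[2])
        state = TCP_STATES.get(int(fields[3], 16), "UNKNOWN")
        entries.add((local, remote, state))
    return entries


def split_hostport(text):
    """Turn netstat's '10.0.2.1:50081' or '0.0.0.0:*' into (host, port)."""
    host, port = text.rsplit(":", 1)
    # netstat prints '*' for the unbound remote port; /proc prints 0.
    return host, 0 if port == "*" else int(port)


def parse_netstat(text):
    """Parse netstat -tn style output into the same tuple form as above."""
    entries = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp":
            continue
        entries.add((split_hostport(fields[3]), split_hostport(fields[4]), fields[5]))
    return entries


def cross_view_diff(proc_text, netstat_text):
    """Sockets the kernel table lists but the tool's output does not."""
    return sorted(parse_proc_net_tcp(proc_text) - parse_netstat(netstat_text))


if __name__ == "__main__":
    for local, remote, state in cross_view_diff(PROC_NET_TCP_SAMPLE, NETSTAT_SAMPLE):
        print(f"hidden from netstat: {local[0]}:{local[1]} -> "
              f"{remote[0]}:{remote[1]} {state}")
```

Run against a live box, `PROC_NET_TCP_SAMPLE` would be replaced by the contents of /proc/net/tcp and `NETSTAT_SAMPLE` by the captured output of the netstat you distrust; an empty diff is no proof of a clean host, but a non-empty one is a concrete lead.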