-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tuesday 04 June 2002 10:13 am, James wrote:
> It's actually a root kit a friend of mine "lent" me. He wrote it > originally for 386BSD because when they were "testing" it they kept > screwing up the login etc. and needed a way to get into the boxes. > Since the box had a user accessable compiler I just compiled it, then > ran ./login it said "what do you want" I typed root it sayed "go > away" and gave me root. I then created user root2 with UID 0 (by the > way bastille used to be able to create a second "root" for you.) and > was able to use it to login as root. 4 hours later we had all the > data off of the box. (passwd and shadow had gotten really fuzzed up, > over time, how I don't know but it was.) that needed to be off ie new > backup, and we commenced building a new box to replace this one. > > As for how to get root on a box. Reboot, then at the lilo prompt > type linux(or a kernel name) -s ... most don't password protect this > one. So it drops right to root, in single user mode. Bastille Linux stops this. > As for not needing a patch but rather a plan. I'm talking about > things like, how do you get a username and password for a box. Call > someone and ask (that's how Minik did it.) or turn over their > keyboard... and read all the sticky notes. Cause once they are on > the box in any form .... the box is vulnerable. E-mail is also a > great source of usernames. Just use thier e-mail addy + a dictionary > attack (start with cursewords and human names) ..... you've got it. > The problem with viruses I still contend, and may be wrong. Is that > the vulnerablity is because we can only protect from a frontal > attack. This is the plan we need, how to protect from an internal > attack. How to make people use real passwords. (But ^rt(K21J is too > hard to type... can't I just use my dogs name?) and for me... stop > giving the "black hats" the tools they need already on my box. There are excellent suggestions here: <http://news.bbc.co.uk/hi/english/sci/tech/newsid_1977000/1977405.stm> Completely random password generators are a bad idea, but a former ISP of mine had an ingenious package which produced passwords based on the frequencies of digraphs and trigraphs (in English) interspersed with _unlikely_ single letters. This produced memorable, speakable passwords which were also nonsense (and could be trivially altered with symbols or digits). The following seems to do roughly the same thing: <http://www.multicians.org/thvv/gpw.html> Alastair - -- Alastair Scott (London, United Kingdom) http://www.unmetered.org.uk/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8/IusCv59vFiSU4YRAtGNAKCp7JTSY5RT+fmskSJLl0mPwXpG9wCeMW+u bBRBUd0oq/R7ifb9kq3CmG8= =8rvO -----END PGP SIGNATURE-----
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com