On Wed, Apr 05, 2000 at 02:00:39PM -0500, John W. Lemons III wrote:
> >Start over. You'll never know whether they've left a re-exploitable program
> >on your
> >system somewhere. Have you checked for /usr/lib/math/fp/.setuid-root-shell?
>
> No
Good. Now check for all the other places it could be in :>
> but since the system has been compromised,
> who really knows? :/
I think you've got the idea exactly. As a general rule, once a bad guy
has had root they can do many many things to keep it or re-claim it.
Just a few examples of the more obvious tricks:
1. Modify the rc startup scripts to create a setuid shell somewhere.
2. Create a root cron that does the same.
3. Put an innocuous looking entry in inetd.conf which actually starts a process as root for you.
4. Create an innocuous looking user (nobody4 is a goodie) with a uid of zero and a password you know.
5. Install an old version of sendmail.
6. Replace the passwd command with a wrapper that sends the username and password to a remote address.
7. Modify your .profile to create a function for su that traps the root password and emails it somewhere.
Regards.
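The tricks listed in the reply above, seen from the defender's side, as an added example that is not part of the original e-mail thread: a small POSIX sh audit script with one check per class of trick it can look for from files alone. It lists uid-0 accounts other than root (trick 4), inetd.conf services that run as root (trick 3), setuid files under a tree that are missing from a known-good baseline (the result of tricks 1 and 2), and shell functions or aliases that shadow su in a startup file (trick 7). The sample passwd, inetd.conf, .profile and baseline files are constructed inline, so the script runs offline; the file names, the temporary directory layout and the "unknown program" entry in the sample inetd.conf are assumptions of this example, not anything from the original message.

```shell
#!/bin/sh
# Added example (not from the original e-mail): audit helpers for the
# persistence tricks in the reply above. Every function takes a path, so it
# can be pointed at a live file or at a copy mounted from clean media.

# Trick 4: any account with uid 0 whose name is not "root".
uid0_accounts() {
    # $1: path to a passwd(5) file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Trick 3: inetd.conf entries that start their program as root.
# Fields are: service socktype proto wait user[.group] program args
inetd_root_services() {
    # $1: path to an inetd.conf file; prints "service program" per match
    awk '!/^[[:space:]]*#/ && NF >= 6 && $5 ~ /^root([.:]|$)/ { print $1, $6 }' "$1"
}

# Tricks 1 and 2 leave a setuid file behind: report every setuid file under
# a tree that is not in a baseline list taken before the compromise.
new_setuid_files() {
    # $1: directory to scan; $2: baseline file with one known-good path per line
    _base=$(mktemp)
    sort "$2" > "$_base"
    find "$1" -type f -perm -4000 2>/dev/null | sort | comm -23 - "$_base"
    rm -f "$_base"
}

# Trick 7: a shell function or alias named "su" in a startup file.
su_shadowing() {
    # $1: shell startup file (.profile, .bashrc, ...); prints "line:text" per hit
    grep -nE '^[[:space:]]*(alias[[:space:]]+su=|(function[[:space:]]+)?su[[:space:]]*\(\))' "$1"
}

# --- Constructed sample inputs (not from any real system) so the checks run offline.
tmpdir=$(mktemp -d)
cat > "$tmpdir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
nobody:x:65534:65534:nobody:/:/bin/false
nobody4:x:0:65534:nobody4:/:/bin/sh
alice:x:1000:1000:alice:/home/alice:/bin/sh
EOF
cat > "$tmpdir/inetd.conf" <<'EOF'
# service socktype proto wait user program args
ftp     stream tcp nowait root   /usr/sbin/in.ftpd    in.ftpd
finger  stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
daytime stream tcp nowait root   /usr/local/bin/dt    dt
EOF
cat > "$tmpdir/profile" <<'EOF'
PATH=/usr/bin:/bin
export PATH
su() { /bin/su "$@"; }
EOF
mkdir -p "$tmpdir/bin"
: > "$tmpdir/bin/ls"; chmod 4755 "$tmpdir/bin/ls"          # known-good setuid file
: > "$tmpdir/bin/shell"; chmod 4755 "$tmpdir/bin/shell"    # not in the baseline
printf '%s\n' "$tmpdir/bin/ls" > "$tmpdir/baseline"

echo "uid-0 accounts other than root:";   uid0_accounts "$tmpdir/passwd"
echo "inetd services running as root:";   inetd_root_services "$tmpdir/inetd.conf"
echo "setuid files not in baseline:";     new_setuid_files "$tmpdir/bin" "$tmpdir/baseline"
echo "su shadowed in startup file:";      su_shadowing "$tmpdir/profile"
# Sample files are left in $tmpdir for inspection; remove it when done.
```

None of this replaces the "start over" advice the thread opens with: on a box where root was lost, awk, find and grep may themselves have been replaced, so run checks like these from a clean boot against a mounted copy of the disk, and treat a hit as confirmation, not an absence of hits as a clean bill.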