Bugtraq mailing list archives
Re: Fake ps detection program (system V and /proc enabled
From: luyer () UCS UWA EDU AU (David Luyer)
Date: Wed, 17 Sep 1997 14:43:25 +0800
About (problems with) check_ps.c:
From what I can see, this doesn't seem to allow a process to start in the
delay between checking the output of 'ps' and checking /proc - the obvious race condition killing thousands of innocent processes. Much better would be...

- check /proc
- check ps
- note hidden processes and kill - if they have terminated they will be gone already and it won't matter. If kill succeeds, log a message (a real hidden process; if it fails, it was just a process which died)
- note new processes and recheck /proc only for them - if they aren't there, recheck ps; if they are still there they are a bogus process (else they were a short-lived process)

The only race condition now is PID re-use.

Nicing yourself makes you stand out in the process list, which makes you vulnerable to kills. It would be better to just sit at a standard priority with a name like "in.telnetd" or so on...maybe a child process called "-tcsh" (or "-rc" for Plan9ish users:) and attached to a terminal :)

Syslogging your pid on start is also a pretty silly idea for a program which is meant to hide - once someone has root, they will probably check out the logs to see _what_ you are logging; it's easy enough to check the ppid in ps list for the restarter/child process once one PID is known, too.

Don't assume crackers are stupid, hey, they would have already got into root on your system before this program would be any use.

David.