Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83 (MC840302); site boring.UUCP
Path: utzoo!watmath!clyde!cbosgd!ihnp4!mhuxn!mhuxb!mhuxr!ulysses!allegra!bellcore!decvax!genrad!panda!talcott!harvard!seismo!mcvax!boring!jack
From: jack@boring.UUCP
Newsgroups: net.unix-wizards
Subject: Re: Finding setuid programs
Message-ID: <6310@boring.UUCP>
Date: Tue, 5-Feb-85 08:14:13 EST
Article-I.D.: boring.6310
Posted: Tue Feb 5 08:14:13 1985
Date-Received: Fri, 8-Feb-85 03:23:48 EST
References: <7968@brl-tgr.ARPA>
Reply-To: jack@boring.UUCP (Jack Jansen)
Organization: CWI, Amsterdam
Lines: 17
Summary:
Apparently-To: rnews@mcvax.LOCAL

If you want to look for SUID programs, you'd better make sure that the
machine is empty. I wrote a program once that was completely unfindable
(I won't tell the details, send me mail as 'root', and I'll tell), and
re-generated a copy of itself every time it saw that the binary was
deleted. The only way to stop it was to bring the whole system down,
search for it (which was also made difficult, since find wouldn't find
it), and delete it.

I think that the previous comment about re-generating everything from
scratch is probably correct. Even if the intruder doesn't modify any
standard utilities, you could have a hard time catching him.
--
Jack Jansen, {decvax|philabs|seismo}!mcvax!jack
Notice new, improved, faster address ^^^^^
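The caveat in the post, that a setuid hunt is only as trustworthy as the find(1) it runs, suggests a cross-check: list privileged files with two tools that share no code and compare both lists with a baseline taken from a known-good install. This is an added example, not code from the post or its author; the tree to scan and the baseline file are assumptions.

```shell
#!/bin/sh
# Added example: enumerate setuid/setgid files two independent ways and
# compare the results with each other and with a baseline. A path that one
# tool reports and the other omits is itself a finding, which is exactly
# the case the post describes (a find(1) that no longer finds the file).
export LC_ALL=C

# Method 1: find(1), the usual tool.
list_with_find() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Method 2: a shell walk using only globbing and test(1) (-u, -g).
# Slower, but it does not depend on find(1) being honest.
walk_with_test() {
    for entry in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        [ -e "$entry" ] || continue            # unmatched glob pattern
        if [ -d "$entry" ] && [ ! -L "$entry" ]; then
            walk_with_test "$entry"
        elif [ -f "$entry" ] && [ ! -L "$entry" ]; then
            if [ -u "$entry" ] || [ -g "$entry" ]; then
                printf '%s\n' "$entry"
            fi
        fi
    done
}
list_with_walk() { walk_with_test "$1" | sort; }

# check_setuid TREE BASELINE: BASELINE is a sorted list of the privileged
# paths expected on a clean system (assumed to exist). Prints one line per
# finding (DISAGREE: tools differ, NEW: not in baseline) and returns 1 if
# anything was found, 0 otherwise.
check_setuid() {
    root=$1; baseline=$2
    t1=$(mktemp); t2=$(mktemp); report=$(mktemp)
    list_with_find "$root" > "$t1"
    list_with_walk "$root" > "$t2"
    comm -3 "$t1" "$t2" | sed 's/^[[:space:]]*/DISAGREE: /' >> "$report"
    sort -u "$t1" "$t2" | comm -23 - "$baseline" | sed 's/^/NEW: /' >> "$report"
    cat "$report"
    n=$(wc -l < "$report" | tr -d ' ')
    rm -f "$t1" "$t2" "$report"
    [ "$n" -eq 0 ]
}
```

Neither listing helps once the machine itself is untrusted, which is why the post's advice to rebuild from scratch still stands; the comparison only tells you that something is wrong, not that nothing is.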