Re: [cobalt-users] Trinoo DDoS server in init
- Subject: Re: [cobalt-users] Trinoo DDoS server in init
- From: flash22@xxxxxxx
- Date: Sun Feb 25 23:12:05 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Thu, 15 Feb 2001, Craig Napier wrote:
> >So which is the real init?
As a stray note here, here is where the kernel tries to find init when
booting (provided you didn't tell it specifically to look elsewhere via
boot time command):

    execve("/sbin/init",argv_init,envp_init);
    execve("/etc/init",argv_init,envp_init);
    execve("/bin/init",argv_init,envp_init);
    execve("/bin/sh",argv_init,envp_init);
    panic("No init found. Try passing init= option to kernel.");

Note that it tries to run them *all*, the real init is the one that
gets the first process id, the rest will quit when they discover they
aren't PID 1, but this is only if they are really inits ;)
(E.g. this is a potential hole, since you can make the kernel execute a
bogus init if you can manage to place it in a magic place.)
Obviously, /sbin, /bin, /etc must be writable *ONLY* by root to prevent this.
gsh
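
An added example, not part of the original message: a POSIX shell audit of the four paths in the kernel's fallback list quoted above, flagging any of them, or the directories that hold them, that is not owned by root or is group- or world-writable. The function names and the ROOT prefix argument (used to inspect a mounted image, or empty for the live system) are assumptions of this sketch.

```sh
#!/bin/sh
# Added example, not from the original post.
# Candidate paths, in the order the kernel fallback list above names them.
INIT_CANDIDATES="/sbin/init /etc/init /bin/init /bin/sh"

# unsafe_path PATH OWNER_UID
# Succeeds (status 0) when PATH is not owned by OWNER_UID or is writable by
# group or other. -H makes find follow a symlinked /bin or /sbin.
unsafe_path() {
    [ -n "$(find -H "$1" -prune \
        \( ! -user "$2" -o -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# first_init ROOT
# Prints the first candidate under ROOT that is a regular, executable file.
first_init() {
    for c in $INIT_CANDIDATES; do
        if [ -f "$1$c" ] && [ -x "$1$c" ]; then
            echo "$c"
            return 0
        fi
    done
    return 1
}

# audit_init ROOT [OWNER_UID]
# Prints "UNSAFE <path>" for every directory or candidate that fails the
# check and returns 1 if anything was flagged. OWNER_UID defaults to 0.
audit_init() {
    root=$1; owner=${2:-0}; rc=0
    for p in / /sbin /etc /bin $INIT_CANDIDATES; do
        [ -e "$root$p" ] || continue      # absent candidates are skipped
        if unsafe_path "$root$p" "$owner"; then
            echo "UNSAFE $p"
            rc=1
        fi
    done
    return $rc
}

# Usage on a live system, as root:  first_init ""; audit_init "" 0
```
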