haynes%ucsce.ucscc.UUCP%Berkeley@ucscc.UUCP (02/03/85)
The best way to do this is with a program that runs thru the inode table rather than going down the directory tree. An easy way to do this is to hack up the quot program, if you have source. At least that's what I did for 4.2. ucbvax!ucscc!haynes
jack@boring.UUCP (02/05/85)
If you want to look for SUID programs, you'd better make
sure that the machine is empty.
I wrote a program once that was completely unfindable (I won't
tell the details, send me mail as 'root', and I'll tell),
and re-generated a copy of itself every time it saw that
the binary was deleted.
The only way to stop it was to bring the whole system
down, search for it (which was also made difficult, since
find wouldn't find it), and delete it.
I think that the previous comment about re-generating
everything from scratch is probably correct. Even if the
intruder doesn't modify any standard utilities, you could
have a hard time catching him.
--
Jack Jansen, {decvax|philabs|seismo}!mcvax!jack
Notice new, improved, faster address ^^^^^
Ron Natalie <ron@BRL-TGR> (02/06/85)
I assume the unkillable program merely had a copy of itself open that it could keep writing itself out. The reason you have to go back to the distribution tapes is evidenced by something that happened to us once. One of our nefarious users modified /lib/crt0 to exec a file called ^V in the current directory. It was only a few extra bytes and all he had to do was wait for it to show up in setuid programs again. -Ron
smk@axiom.UUCP (Steven M. Kramer) (02/08/85)
Everyone knows that you find setuid programs by:
ncheck -s
--
--steve kramer
{allegra,genrad,ihnp4,utzoo,philabs,uw-beaver}!linus!axiom!smk (UUCP)
linus!axiom!smk@mitre-bedford (MIL)
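Added example, not posted by anyone in this thread: a defender-side scanner in Python that walks a tree with lstat (so a symlink cannot point it at a file outside the tree), collects regular files carrying the setuid or setgid bit, and compares the result with a known-good baseline so a set-id binary that newly appears, as in Ron's crt0 story, is reported. The directory layout (bin/su, bin/passwd, bin/cat) and the baseline are constructed for the demo.

```python
import os
import stat
import tempfile
from typing import Dict, List, Set, Tuple

SETID_MASK = stat.S_ISUID | stat.S_ISGID


def is_setid(mode: int) -> bool:
    """True for a regular file whose mode carries the setuid or setgid bit."""
    return stat.S_ISREG(mode) and bool(mode & SETID_MASK)


def find_setid_files(root: str) -> Dict[str, int]:
    """Walk root without following symlinks; return {path: permission bits}."""
    found: Dict[str, int] = {}
    for dirpath, _dirs, names in os.walk(root):  # followlinks defaults to False
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink is never treated as its target
            except OSError:
                continue  # unreadable or vanished between listing and stat; keep going
            if is_setid(st.st_mode):
                found[path] = stat.S_IMODE(st.st_mode)
    return found


def diff_baseline(baseline: Set[str], current: Dict[str, int]) -> Tuple[List[str], List[str]]:
    """Compare a scan with a known-good list: (new set-id files, missing ones)."""
    return sorted(set(current) - baseline), sorted(baseline - set(current))


def build_demo_tree() -> str:
    """Constructed sample tree: two setuid files and one plain file (assumed layout)."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    os.makedirs(os.path.join(root, "bin"))
    for rel, mode in (("bin/su", 0o4755), ("bin/passwd", 0o4755), ("bin/cat", 0o755)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")  # placeholder content; only the mode matters here
        os.chmod(path, mode)
    return root


def scan_demo() -> Tuple[List[str], List[str], List[str]]:
    """Scan the demo tree against a baseline that only knows bin/su."""
    root = build_demo_tree()
    rel = {os.path.relpath(p, root): m for p, m in find_setid_files(root).items()}
    new, missing = diff_baseline({"bin/su"}, rel)
    return sorted(rel), new, missing


if __name__ == "__main__":
    found, new, missing = scan_demo()
    print("set-id files:", found, "new since baseline:", new, "missing:", missing)
```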