> >> There is a tool floating around called TAP which is a kernel mod that
> Lots of extraneous quoting deleted...
> If you're hijacking *connections* isn't it much easier to just steal
> the filehandles in the kernel?
>
> (Just go to a process's file table and add that process's file * to
> your open set, e.g., by implementing a new system call, interprocess
> dup: int ipcdup(int pid, int fd))
>
> Can't be more than four or five lines of kernel code.

Which is easier for a 14-year-old kid, running TAP and rootkit, or
rewriting the kernel code?

--
alan@mid.net
Network Operations Center (402)/472-0242, Fax (402)/472-0240
MIDnet, Inc.
"Small is the number of them that see with their own eyes
and feel with their own hearts." - Albert Einstein