-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have just uploaded check-ps version 1.2 alpha 4 to the pub/word2x
directory on mars.astra.co.uk. I have also supplied a signature for PGP 2.x
and PGP 5 users. You can obtain the keys from the file in the same directory
or by sending email to pgp@duncan.telstar.net (an automatic response robot,
subject and message contents junked). The licence is GPL.

The major features over 1.2alpha are
+ bug fixes (all known bugs are fairly minor)
+ configure fixes
+ kill scanning is now supported on Linux.

For those who do not know about check-ps, it is a security alarm that
pretends to be httpd, possibly with a fake argument list (the name and
argument list are configurable by minor source changes). It can be
configured to kill or stop programs that are detected. If it understands the
/proc format, which currently means you have things not sent to me or are
using Linux, then it will tell you all the information it can find. This
understanding also enables it to wipe out the attacker's connection most of
the time, assuming you tell it to send signals.

The kill scanning can easily be "ported" to other platforms by supplying a
file called <system name>_killscan.h which #defines MAX_PROC to the largest
possible process id+1. Once this file is written the configure script will
automatically sense its presence and turn on the kill scanning code. (If you
do write such a header please email it to me.)

Kill scanning tries all possible pids and uses the feature of most systems
that does error checks, and thus allows the checking of pids, without sending
any signal. This scanning is a lot will get people that hack the kernel code
that generates /proc entries to leave their evil processes out. Kudos for
the idea are due to Solar Designer.

Once enabled you can select kill scanning by feeding check_ps -p or
- --killscan on the argument list. Please be aware that kill scanning, and
check-ps in general, is still experimental.

Assuming you want to receive reports via email when using the email option,
please change cfg_email.h; at present the reports get sent to
dps@io.stargate.co.uk, which is probably not what you want. If anyone is
caught I would appreciate a quick note though.

Mirroring by others, including CERT, CIAC, etc., is permitted.

- --
Duncan (-: "software industry, the: unique industry where selling substandard
goods is legal and you can charge extra for fixing the problems."

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBNZRQq0ekq+3VXI08EQKZNgCg8KgIsEU9s4uL8W4xgOZn8FLol+oAoPLQ
WV1kuzUIy5Dy/xCw0xIDsgBx
=wWJA
-----END PGP SIGNATURE-----
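
The kill-scan idea described in the announcement, as an added example that is not taken from check-ps itself: probe every pid with signal 0 and report any pid the kernel acknowledges but /proc does not show. The function names and the MAX_PROC value of 32768 are assumptions made for this sketch; run it as root on a /proc mounted without hidepid, otherwise other users' processes can look hidden.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef MAX_PROC
#define MAX_PROC 32768 /* assumed: largest possible pid + 1 (Linux default) */
#endif

/* Signal 0 delivers nothing; the kernel only performs its error checks.
 * ESRCH means no such process; success or EPERM means the pid is in use. */
int pid_alive(pid_t pid)
{
    if (kill(pid, 0) == 0)
        return 1;
    return errno != ESRCH;
}

/* Does /proc admit that the pid exists? stat() rather than readdir() is
 * used so that thread ids, which are not listed, are not misreported. */
int pid_in_proc(pid_t pid)
{
    char path[32];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%ld", (long)pid);
    return stat(path, &st) == 0;
}

/* Suspicious: kill() sees the pid but /proc does not. The second
 * pid_alive() call filters processes that exited between the checks. */
int pid_hidden(pid_t pid)
{
    return pid_alive(pid) && !pid_in_proc(pid) && pid_alive(pid);
}

int main(void)
{
    int hidden = 0;
    for (pid_t pid = 1; pid < MAX_PROC; pid++) {
        if (pid_hidden(pid)) {
            printf("pid %ld answers kill(pid, 0) but has no /proc entry\n", (long)pid);
            hidden++;
        }
    }
    printf("%d hidden pid(s) found\n", hidden);
    return hidden != 0;
}
```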