Re: what is means ? + rootkits..
On Fri, 19 Apr 2002, Patrick Maheral wrote:
> I've heard of, but not confirmed the existence of, a root kit that is
> not detected by Tripwire and other intrusion detection software. It
> does this by keeping a backup of the original utility (eg. ls, ps, etc.)
> and then provides either its own utility or the original depending on
> how it is opened (eg. if by ld.so, open trojan, else open original).
any root kit based upon kernel modules can do that. Search for "knark"
with Google...
> I think that as long as the source of the "open" system call can be
> determined, a carefully crafted root-kit might be able to remain undetected
> as long as the system is running tainted code. I think the only way to
> be sure that a utility such as tripwire works is to run it on an
> untainted system (ie. boot from known good floppy/CD before running the
> software).
Yes, you are correct. To be safe, you need to keep the tripwire database
on a separate support which cannot be tampered with, and to check the
integrity of the system you should boot the system from secure media (e.g.
a boot CDROM you previously prepared), possibly in single user mode and
unconnected from the network.
> Am I just being paranoid, or is this sort of compromise really possible?
oh yes, it is possible.
Bye
Giacomo
--
_________________________________________________________________
Giacomo Mulas <gmulas@ca.astro.it, giacomo.mulas@tin.it>
_________________________________________________________________
OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel.: +39 070 71180 248 Fax : +39 070 71180 222
_________________________________________________________________
"When the storms are raging around you, stay right where you are"
(Freddy Mercury)
_________________________________________________________________