
Re: has chkrootkit caught a problem for anyone?



At 02:39 PM 12/16/2005 +1100, Craig Sanders wrote:
>one of the best tools for intrusion detection is tripwire. it's a minor
>PITA in that you have to remember to update tripwire's database (and
>type in your tripwire encryption password) every time you run an upgrade
>or install new software or libraries or edit any monitored config files
>but it WILL tell you when a file or program has been modified. well
>worth the effort to learn and use it.

Since you mentioned tripwire, I'll jump in here.  Tripwire, indeed any
on-system IDS, cannot be totally relied on to reveal an attacker.  Once a
box is compromised, every file on there, including the tripwire executable
and database, is no longer trustworthy.  A clever hacker just has to scan
for IDSs and root those as well.  It will, though, catch on to any script
kiddies, which is mostly what we face anyway.  The truly determined hacker
almost can't be stopped.  To get a truly trustworthy IDS it has to be
off-system, meaning CD-ROM executables and DBs, or remote inspection of the
physical disk (the latter for 100% confidence).  Ain't countermeasures fun? :)





--
REMEMBER THE WORLD TRADE CENTER         ---=< WTC 911 >=--
"...ne cede malis"

00000100
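To make the point in the reply above concrete, here is a small tripwire-style integrity checker, added as an example for this thread; it is not tripwire's code and not from either poster. It builds a baseline of SHA-256 digests, seals the baseline with an HMAC-SHA256 so an edited manifest is rejected, and then reports modified, missing and added files. The key, the script and the manifest are assumed to live off the monitored host (read-only media or a separate inspection machine), exactly because a root-level intruder who can reach them can regenerate both. The directory tree, file contents and key in `demo()` are constructed for the example.

```python
"""
Minimal file-integrity checker in the spirit of tripwire (added example,
not tripwire's own code): build a baseline of file hashes, seal it with a
keyed MAC, and later compare the live tree against it.  The baseline, the
key and this script are assumed to be kept off-system; on the compromised
host they would be no more trustworthy than the files they describe.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map of relative path -> digest for every regular file under root."""
    files = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                files[str(p.relative_to(root))] = hash_file(p)
    return files


def _canonical(files: dict) -> bytes:
    """Deterministic encoding of the snapshot so the MAC is reproducible."""
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def seal(files: dict, key: bytes) -> dict:
    """Wrap the snapshot in a manifest carrying an HMAC-SHA256 over it."""
    mac = hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()
    return {"files": files, "mac": mac}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """Reject a baseline that was edited after it was sealed."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def compare(root: Path, manifest: dict, key: bytes) -> dict:
    """Report modified, missing and added files relative to the sealed baseline."""
    if not manifest_is_authentic(manifest, key):
        raise ValueError("baseline manifest failed MAC check; do not trust it")
    baseline = manifest["files"]
    current = snapshot(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, then change, delete and add files."""
    key = b"constructed-demo-key-keep-it-off-the-host"  # placeholder key
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        manifest = seal(snapshot(root), key)

        # Changes an integrity check should surface: replaced, removed, dropped.
        (root / "bin" / "ls").write_bytes(b"replaced ls binary")
        (root / "etc" / "passwd").unlink()
        (root / "bin" / "newtool").write_bytes(b"dropped file")
        report = compare(root, manifest, key)

        # A manifest rewritten on-host to match the altered tree, but without
        # the key, keeps the old MAC and is rejected outright.
        tampered = {"files": snapshot(root), "mac": manifest["mac"]}
        try:
            compare(root, tampered, key)
            report["tamper_detected"] = False
        except ValueError:
            report["tamper_detected"] = True
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The MAC only tells you the manifest you are holding is the one you sealed; it does nothing for you if the key sits on the monitored box alongside it, which is the same caveat the reply makes about tripwire's own database.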


