
Re: Debian auditing tool?



On Sat, Dec 23, 2000 at 10:35:26AM +1300, Carey Evans wrote:
> "Dan Hutchinson" <hutchinsond@zdnetonebox.com> writes:
> 
> > Sorry I misread your response.
> > Well you can get the source kernel and run it through the forensics program
> > then compile it possible.
> > Anyway it will help with open trojans and virus anyway.
> 
> There's a couple of things that could go wrong here:
> 
>  - gcc could be modified to include a backdoor in the kernel,
>    something like the way described here:
> 
>                   http://www.acm.org/classics/sep95/
> 
>  - The trojan could be a Linux kernel module that hides itself from
>    any system calls that might detect it, substituting innocuous code,
>    and different MD5 checksums.  You can easily find modules like this
>    quite easily on the web.
> 

 That's why you run the checker from a known-good floppy or CD.  The bogus
kernel can't protect itself if it isn't running :)

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE
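
The offline check described in the reply above, as an added example that is not part of the original thread. It assumes the suspect disk is mounted read-only from the rescue floppy or CD (for instance at a hypothetical /mnt/suspect), that a manifest in `sha256sum` format was recorded earlier and is kept on the trusted media, and it uses SHA-256 in place of the MD5 mentioned in the thread.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def load_manifest(text):
    """Parse 'HEX  relative/path' lines as written by sha256sum."""
    manifest = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, rel = line.split(None, 1)
            manifest[os.path.normpath(rel.strip().lstrip("*"))] = digest.lower()
    return manifest

def audit(root, manifest):
    """Compare files under root (the suspect disk) with the trusted manifest."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, digest in sorted(manifest.items()):
        path = os.path.join(root, rel)
        # A symlink is never followed: an absolute link on the suspect disk
        # would resolve to the rescue system's own clean file and pass.
        if os.path.islink(path) or not os.path.isfile(path):
            report["missing"].append(rel)
        elif sha256_file(path) != digest:
            report["modified"].append(rel)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in manifest:
                report["unexpected"].append(rel)
    report["unexpected"].sort()
    return report

def demo():
    """Constructed sample: a fake mounted root with one replaced and one added file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        on_disk = {"bin/ls": b"trojaned ls", "bin/ps": b"ps", "bin/.hid": b"x"}
        for rel, data in on_disk.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        good = {"bin/ls": b"ls", "bin/ps": b"ps", "bin/login": b"login"}
        text = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {r}" for r, d in good.items())
        return audit(root, load_manifest(text))
```

The hashes are computed by the rescue system's kernel and interpreter, so a module installed on the suspect disk never gets the chance to substitute file contents.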


