
Re: what is means ? + rootkits..



On Fri, Apr 19, 2002 at 02:47:08PM +0200, Jan Johansson wrote:
> > Why do some people say that, e.g., tripwire doesn't discover it?
> 
> Then they don't know what they are saying. I would say that Tripwire /
> AIDE / such will be 100% efficient in detecting kits _PROVIDING_ that
> your database is current, and is stored in a tamper-proof location...
> and of course you actually use and update the IDS database.

I've heard of, but not confirmed the existence of, a root kit that is
not detected by Tripwire and other intrusion detection software.  It
does this by keeping a backup of the original utility (e.g. ls, ps, etc.)
and then provides either its own utility or the original depending on
how it is opened (e.g. if by ld.so, open the trojan, else open the original).

I think that as long as the source of the "open" system call can be
determined, a carefully crafted root-kit might be able to remain undetected
as long as the system is running tainted code.  I think the only way to
be sure that a utility such as tripwire works is to run it on an
untainted system (i.e. boot from a known good floppy/CD before running the
software).

Am I just being paranoid, or is this sort of compromise really possible?

Patrick
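The checker below is an added example, not code from this thread, Tripwire or AIDE. It models the file-integrity database the earlier reply relies on: record a hash, mode and size for every file, store that baseline somewhere tamper-proof, and later diff the tree against it. The file names (bin/ls, bin/ps, bin/unexpected) and their contents are constructed for the demo. The point Patrick raises applies directly to it: every comparison goes through open() and read() on the running system, so a kit that serves the original content to the checker and the replacement to everything else would pass this check; the baseline has to be built, and the comparison run, from known-good boot media against the mounted disk for the result to mean anything.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, permission bits and size of every regular file under root.

    This dict is the trusted database; write it to read-only or off-host
    storage immediately after creation, while the system is still clean.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        # skip symlinks so a link pointing outside the tree is not hashed as a file
        if p.is_file() and not p.is_symlink():
            st = p.lstat()
            baseline[str(p.relative_to(root))] = {
                "sha256": sha256_of(p),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
            }
    return baseline


def check_tree(root: Path, baseline: dict) -> dict:
    """Diff the live tree against the stored baseline.

    Returns three sorted lists: files whose hash/mode/size changed, files
    that vanished, and files that appeared since the baseline was taken.
    """
    current = build_baseline(root)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    missing = sorted(k for k in baseline if k not in current)
    added = sorted(k for k in current if k not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo() -> dict:
    """Constructed scenario: two 'utilities', one later replaced, one file added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho original ls\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho original ps\n")
        baseline = build_baseline(root)
        # round-trip through JSON, as a baseline stored on external media would be
        baseline = json.loads(json.dumps(baseline))
        # later: one utility replaced with different content, one new file appears
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho replaced ps\n")
        (root / "bin" / "unexpected").write_bytes(b"not in the baseline\n")
        return check_tree(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script it prints the three lists for the constructed tree. Against a real system, point build_baseline at the mount point of the disk you are auditing from the rescue media, and keep the JSON on that media rather than on the audited disk.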


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


