
Re: how to fix rootkit?



On 02/08/12 18:07, Russell Coker wrote:
> On Thu, 9 Feb 2012, Stephen Hemminger <shemminger@vyatta.com> wrote:
>> The advice I heard is trust nothing (even reflash the BIOS).
> Do you know of any real-world exploits that involve replacing the BIOS?  It's 
> been theoretically possible for a long time but I haven't seen any references 
> to it being done.
Exploits that are theoretically possible are implemented by private 3rd
parties (and Hackers!).

I've a small collection of utilities I know that I'm the only one who
has a copy, though other tools that work the same way more than likely
exist.
> Also one thing to keep in mind is the apparent competence of the attackers.  
> If they didn't bother changing debsums then it's unlikely that they did any of 
> the other tricky things which have been discussed (such as trojaning the 
> kernel).
>
A RedHat expert can alter a running Debian kernel, but might miss debsums.

