
Re: chkrootkit and rkhunter are too old ?
On Jul 13, 2007, at 4:03 PM, Douglas Allan Tutty wrote:

> On Fri, Jul 13, 2007 at 11:57:44AM -0700, David Brodbeck wrote:
>
> > * The exception is if tripwire or aide is used after booting from a
> > read-only medium (such as a live CD) and uses checksums that are also
> > retrieved from read-only media.  But few people do it this way
> > because it's a lot of work to maintain and requires taking the
> > machine down to do a check.
>
> Is there no way for a 'secure' host to check the md5sums on a remote
> host via scp or something?  The checksums could be on that secure host
> (or on a CD in a drive on the secure host)?

Then you have to worry about sshd on the remote host being trojaned so it feeds you what you expect to see, not the actual data.

If you're assuming a machine might have been compromised, you can't trust *any* binaries on that machine, full stop.  You also can't trust its kernel, so running binaries off a CD without rebooting doesn't help, either -- you may only *think* it's running your binaries, while it's actually running a trojaned version.

This isn't to say that tools like tripwire don't have any value, but it's important to recognize their limitations.  If you run a local copy of tripwire on a machine, if it fails you know the machine is compromised.  But if it succeeds, you still can't be sure the machine is clean.


David Brodbeck
Information Technology Specialist 3
Computational Linguistics
University of Washington
