
Re: /bin/login listening?



On 29 Jul 2007 13:47:30 GMT
Tyler Smith <tyler.smith@mail.mcgill.ca> wrote:

> On 2007-07-29, Douglas Allan Tutty <dtutty@porchlight.ca> wrote:
> > On Sun, Jul 29, 2007 at 12:48:16PM +0000, Tyler Smith wrote:
> >> On 2007-07-29, Jeff D <fixedored@gmail.com> wrote:
> >  
> >> I ran rkhunter again, and then for good measure I aptitude --purged
> >> it, reinstalled, and ran again. And then I thought maybe the whole
> >> thing was compromised, so I purged it again, installed rkhunter 1.30
> >> from sourceforge, and ran again. And I also ran chkrootkit. In all
> >> cases they showed nothing happening, except for warning me that some
> >> of my /bin executables had been replaced by scripts -- stuff like
> >> egrep, fgrep etc.
> >> 
> >> So perhaps it was just a false positive. I'm going to read up on
> >> security stuff now, so maybe I'll have some idea how to proceed the
> >> next time.
> >> 
> >
> > It's tricky.  If you have been rooted, you can't trust anything on the
> > system, including aptitude.  As for reading, try the package harden-doc.
> >
> 
> That's what I was thinking. But is there any way a rootkit could
> interfere with my downloading and compiling from source? I was hoping
> that doing things 'by hand' would limit the possibilities for
> compromising the result.

In theory, certainly.  Your downloading agent is probably invoking
system libraries, which may be compromised and substituting bad
source.  The system may not even be running your download agent at
all!  Or it may subsequently lie to you and assure you that it's
running the downloaded app when it really isn't.  Whether all this is
at all plausible is a different question.

> I will look at harden-doc. I'm working through the Linux how-to
> security quick start at the moment.
> 
> Thanks,
> 
> Tyler

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator


