[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Detecting a compromised system


I recently though about the least sophisticated way to introduce a
backdoor into a system if a already had a root shell. My naive
approach would be to

 a) create a setuid root shell somewhere in the fs,


 b) modify an existing setuid binary to grant me root access
    (e.g. when invoced with a special parameter)

Since I don't consider myself particularly ingenious in that respect,
I expected that it would be pretty easy to spot these modifications.
So I did exactly the above and then tried to "detect" my changes.

I first looked for any additional packages that might help me with
this and installed (and configured to the best of my knowledge)
checksecurity and tiger.

I thought to remember that debian packages need to register any suid
binaries that they install, and I also read in the tiger documentation
that it verifies the checksums of installed system binaries. Thus I
expected that both my modifications would immediately show up.
However, nothing like that happened.

Now I'm wondering if there really is no easy way to detect such
changes, if I didn't find the right packages, or if I messed up the

Anyone able to help?



 »Time flies like an arrow, fruit flies like a Banana.«

  PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6  02CF A9AD B7F8 AE4E 425C

Reply to: