Detecting a compromised system

To: debian-user@lists.debian.org
Subject: Detecting a compromised system
From: Nikolaus Rath <Nikolaus@rath.org>
Date: Sun, 15 Feb 2009 14:06:29 -0500
Message-id: <[🔎] 87bpt3r03u.fsf@nokile.rath.org>
Mail-followup-to: debian-user@lists.debian.org

Hello,

I recently though about the least sophisticated way to introduce a
backdoor into a system if a already had a root shell. My naive
approach would be to

 a) create a setuid root shell somewhere in the fs,

or

 b) modify an existing setuid binary to grant me root access
    (e.g. when invoced with a special parameter)
    

Since I don't consider myself particularly ingenious in that respect,
I expected that it would be pretty easy to spot these modifications.
So I did exactly the above and then tried to "detect" my changes.

I first looked for any additional packages that might help me with
this and installed (and configured to the best of my knowledge)
checksecurity and tiger.

I thought to remember that debian packages need to register any suid
binaries that they install, and I also read in the tiger documentation
that it verifies the checksums of installed system binaries. Thus I
expected that both my modifications would immediately show up.
However, nothing like that happened.

Now I'm wondering if there really is no easy way to detect such
changes, if I didn't find the right packages, or if I messed up the
configuration.

Anyone able to help?


Best,

   -Nikolaus

-- 
 »Time flies like an arrow, fruit flies like a Banana.«

  PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6  02CF A9AD B7F8 AE4E 425C

Reply to:

Follow-Ups:
- Re: Detecting a compromised system
  - From: Micha Feigin <michf@post.tau.ac.il>
- Re: Detecting a compromised system
  - From: "Boyd Stephen Smith Jr." <bss@iguanasuicide.net>

Prev by Date: Happy lenny, everyone!
Next by Date: Re: Lenny?
Previous by thread: Re: Happy lenny, everyone!
Next by thread: Re: Detecting a compromised system
Index(es):
- Date
- Thread