Detecting a compromised system
I recently thought about the least sophisticated way to introduce a
backdoor into a system if I already had a root shell. My naive
approach would be to
a) create a setuid root shell somewhere in the fs,
b) modify an existing setuid binary to grant me root access
(e.g. when invoked with a special parameter)
Since I don't consider myself particularly ingenious in that respect,
I expected that it would be pretty easy to spot these modifications.
So I did exactly the above and then tried to "detect" my changes.
I first looked for any additional packages that might help me with
this and installed (and configured to the best of my knowledge)
checksecurity and tiger.
I thought to remember that debian packages need to register any suid
binaries that they install, and I also read in the tiger documentation
that it verifies the checksums of installed system binaries. Thus I
expected that both my modifications would immediately show up.
However, nothing like that happened.
Now I'm wondering if there really is no easy way to detect such
changes, if I didn't find the right packages, or if I messed up the
Anyone able to help?
»Time flies like an arrow, fruit flies like a Banana.«
PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6 02CF A9AD B7F8 AE4E 425C
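An added example (not from the original post, and not how checksecurity or tiger work internally) of the kind of check the post is looking for: record a baseline of every setuid/setgid file under a tree together with its SHA-256, then rescan and report files that are new (case a) or whose content changed (case b). The root directory and baseline file name are assumptions; the sample data in the usage is constructed. Paths in the baseline are relative to the scanned root so the baseline can be generated on a known-good host or image and compared elsewhere.

```python
#!/usr/bin/env python3
"""Find setuid/setgid executables and compare them against a baseline.

Added example, not part of the original post. Reports:
  added    - a privileged file that is not in the baseline (a planted setuid shell)
  modified - a baseline file whose hash changed (a patched setuid binary)
  removed  - a baseline file that no longer carries the privilege bits
"""
import hashlib
import json
import os
import stat

SUID_BITS = stat.S_ISUID | stat.S_ISGID


def sha256_of(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_privileged(root):
    """Return {relative_path: sha256} for every regular file under root
    with the setuid or setgid bit set. lstat() is used so a planted
    symlink is neither followed nor reported as a privileged file."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; not a privileged regular file
            if stat.S_ISREG(st.st_mode) and st.st_mode & SUID_BITS:
                found[os.path.relpath(path, root)] = sha256_of(path)
    return found


def save_baseline(root, baseline_file):
    """Write the current privileged-file inventory as JSON (assumed format)."""
    with open(baseline_file, "w") as f:
        json.dump(find_privileged(root), f, indent=2, sort_keys=True)


def compare(baseline, current):
    """Diff two inventories; all three lists are sorted for stable output."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def audit(root, baseline_file):
    """Load the saved baseline and compare it with a fresh scan of root."""
    with open(baseline_file) as f:
        baseline = json.load(f)
    return compare(baseline, find_privileged(root))


if __name__ == "__main__":
    import sys
    # usage: audit.py snapshot|check ROOT BASELINE_FILE   (assumed CLI)
    mode, root, baseline_file = sys.argv[1:4]
    if mode == "snapshot":
        save_baseline(root, baseline_file)
    else:
        print(json.dumps(audit(root, baseline_file), indent=2))
```

The baseline only has value if it is stored somewhere the host cannot rewrite (read-only media or another machine): an attacker who already has root can edit any on-host list of hashes, which is also why checks like tiger's checksum pass are only as trustworthy as the reference data they compare against. On Debian the same two questions can be asked with stock tools: `find / -xdev -type f -perm /6000` lists privileged files, and `dpkg --verify` (or `debsums -c`) reports packaged files whose md5sum no longer matches the package's own manifest; a setuid file that no package claims (`dpkg -S` finds nothing) deserves the same suspicion as one whose checksum changed.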