Re: RPM aware rootkits?

From: Jose Nazario (jose@biocserver.BIOC.cwru.edu)
Date: 02/14/02
Date: Wed, 13 Feb 2002 19:27:17 -0500 (EST)
From: Jose Nazario <jose@biocserver.BIOC.cwru.edu>
To: Seth Arnold <sarnold@wirex.com>

On Wed, 13 Feb 2002, Seth Arnold wrote:

> If this is for one of your own machines, wouldn't it be far simpler to
> replace rpm's --verify handler with a function that always returns
> "this package looks fine" ?

no, it wouldn't. i used to think this, too. however, even on the unhacked
redhat boxes that you use, a few MD5 sums come up missing, because they're
volatile or config files, i.e. sendmail.cf. an attacker would notice that
NOTHING gets noticed and hence would become suspicious.

<laughs> ok, smart attackers, you know, that rumored kind. </seen too many
script kiddies>

i whipped up a small tool to do this, modify an RPM database. just peruse
the RPM API and make a small app to do it. pretty simple to do, really.
alternatively, use an LRK4-style config file to tell rpm what files to
ignore for various items (i.e. MD5 sums).

____________________________
jose nazario jose@cwru.edu
                           PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)