Re: RPM aware rootkits?
From: Michal Zalewski (lcamtuf@coredump.cx)
Date: 02/14/02
- Previous message: Jose Nazario: "Re: RPM aware rootkits?"
- In reply to: Anton Chuvakin: "RPM aware rootkits?"
- Next in thread: Anton Chuvakin: "Re: RPM aware rootkits?"
- Next in thread: Jose Nazario: "Re: RPM aware rootkits?"
Date: Wed, 13 Feb 2002 21:59:13 -0500 (EST)
From: Michal Zalewski <lcamtuf@coredump.cx>
To: Anton Chuvakin <anton@chuvakin.org>
On Tue, 12 Feb 2002, Anton Chuvakin wrote:
> Do you know any of the RPM-aware rootkits for Linux which will not be
> detected by "rpm --verify"? I would prefer a direct edit of /var/lib/rpm
> rather than a trojaned rpm binary, but what the heck - whatever will do.
All rootkits that are stealth - i.e. modify kernel or libraries to return
original contents on open() but new contents on exec*() - are
automatically "RPM-aware". No reason to trust this mechanism more than any
other (tripwire or such).
--
_____________________________________________________
Michal Zalewski [lcamtuf@bos.bindview.com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
http://lcamtuf.coredump.cx/photo/
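The consequence of the point above is that any integrity check run on the live system, whether rpm --verify or tripwire, only reports what the kernel chooses to show open(). The script below is an added illustration, not code from this thread or from the rpm project: it records digest, size and mode for a set of files under a root directory and later reports deviations using rpm -V style flags (5 = digest, S = size, M = mode). Its value depends entirely on the assumption that the root it inspects is a filesystem mounted from a trusted boot medium, where no hooked open() or exec() can answer. The file names, contents and the tampering in demo() are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile

# Flag letters mirror rpm -V output so findings read the same way:
#   5 = digest differs, S = size differs, M = mode differs, missing = file gone


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def record_manifest(root, rel_paths):
    """Record digest, size and permission bits for each file under a trusted root."""
    manifest = {}
    for rel in rel_paths:
        p = os.path.join(root, rel)
        st = os.stat(p)
        manifest[rel] = {
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
        }
    return manifest


def verify_tree(root, manifest):
    """Return {rel_path: flags} for entries that deviate; clean entries are omitted.

    Only meaningful when `root` is mounted from a medium the attacker could not
    influence; on a live rootkitted host every read here can be lied to.
    """
    findings = {}
    for rel, expected in manifest.items():
        p = os.path.join(root, rel)
        if not os.path.exists(p):
            findings[rel] = "missing"
            continue
        st = os.stat(p)
        flags = ""
        if st.st_size != expected["size"]:
            flags += "S"
        if stat.S_IMODE(st.st_mode) != expected["mode"]:
            flags += "M"
        if sha256_file(p) != expected["sha256"]:
            flags += "5"
        if flags:
            findings[rel] = flags
    return findings


def demo():
    """Build a throwaway tree, record it, tamper with it, and verify it."""
    root = tempfile.mkdtemp()
    # Constructed sample "binaries"; contents are arbitrary shell text.
    files = {
        "bin/ls": b"#!/bin/sh\necho original\n",
        "bin/ps": b"#!/bin/sh\necho ps\n",
        "etc/motd": b"hello\n",
    }
    for rel, data in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
        os.chmod(p, 0o755 if rel.startswith("bin/") else 0o644)
    manifest = record_manifest(root, list(files))

    # Tampering: a same-length content change (invisible to a size-only check)
    # and a setuid bit added to an otherwise untouched file.
    with open(os.path.join(root, "bin/ls"), "wb") as f:
        f.write(b"#!/bin/sh\necho ORIGINAL\n")
    os.chmod(os.path.join(root, "bin/ps"), 0o4755)

    return verify_tree(root, manifest)


if __name__ == "__main__":
    for rel, flags in sorted(demo().items()):
        print(f"{flags:<8} {rel}")
```

The same-length edit to bin/ls is reported only by the digest flag, which is why a manifest that records sizes and modes alone is not enough; and none of this helps if the script itself runs on the compromised kernel, which is exactly the point made in the reply.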