Re: RPM aware rootkits?
From: Anton Chuvakin (anton@chuvakin.org) Date: 02/14/02
- Previous message: Anton A. Chuvakin: "Re: RPM aware rootkits?"
- Maybe in reply to: Anton Chuvakin: "RPM aware rootkits?"
- Next in thread: Jeff Hedgpeth: "Re: RPM aware rootkits?"
Date: Thu, 14 Feb 2002 14:56:24 -0500 (EST)
From: Anton Chuvakin <anton@chuvakin.org>
To: Bob Staaf <rstaaf@cfl.rr.com>
Hello Bob and all,
Thanks for all the nice comments!
>Just to throw something into this that I don't think anyone has mentioned
>yet. What if you skipped the rpm database altogether and ran the verify
>against the original RPM from RedHat? For example, "rpm -Vp somefile.rpm"?
Well, it makes sense to keep my original purpose in mind. I need the
functionality to be able to foil casual attackers against the honeypot
(where I replace /bin/rm with my variant of /bin/mv). I highly doubt
verification vs RedHat.com will be done by those people.
BTW, I am fully aware of LKM rootkits and researching using one of those
for the honeypot. However, I still try to stick with the Honeynet project
philosophy of minimum modification to a system. There are a bunch of ways
to trojan a Linux system, up to and including writing a new OS that looks
just like Linux from the command prompt ;-)~
Best regards,
--
Anton A. Chuvakin, Ph.D.
http://www.chuvakin.org
http://www.info-secure.org
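Added example, not code from the thread or from any of its participants: a stripped-down model of the point Bob raises above, that "rpm -Vp somefile.rpm" checks installed files against the package's own header while "rpm -V" trusts whatever is in the local rpm database, which an RPM-aware rootkit can rewrite after trojaning a binary. Here two files of POSIX cksum lines stand in for the two sources of truth (the package header and /var/lib/rpm); the file names and the "ls" sample file in the usage are constructed for the demonstration.

```shell
#!/bin/sh
# Model of "rpm -Vp" (verify against the pristine package) versus "rpm -V"
# (verify against the local database). Manifests are lines of POSIX cksum
# output, "<crc> <size> <path>"; the attacker can regenerate the local-db
# manifest but has no write access to the pristine one.

# make_manifest OUT FILE...  -- record cksum lines for the given files.
make_manifest() {
    out=$1; shift
    cksum "$@" > "$out"
}

# verify_against MANIFEST  -- recompute the checksum of every path listed in
# MANIFEST, print the paths that are missing or differ, and return 1 if any
# did (0 means every file matches the manifest).
verify_against() {
    manifest=$1
    bad=0
    while read -r crc size path; do
        now=$(cksum "$path" 2>/dev/null) || { echo "MISSING $path"; bad=1; continue; }
        set -- $now          # $1=crc $2=size $3=path of the file as it is now
        if [ "$1" != "$crc" ] || [ "$2" != "$size" ]; then
            echo "MODIFIED $path"
            bad=1
        fi
    done < "$manifest"
    return $bad
}

# Usage (constructed scenario): the rootkit trojans "ls" and, being
# RPM-aware, refreshes the local database so "rpm -V" stays quiet.
demo() {
    tmp=$(mktemp -d)
    printf 'original binary\n' > "$tmp/ls"
    make_manifest "$tmp/pristine.manifest" "$tmp/ls"     # from the .rpm
    cp "$tmp/pristine.manifest" "$tmp/localdb.manifest"  # what rpm -V reads
    printf 'trojaned binary\n' > "$tmp/ls"
    make_manifest "$tmp/localdb.manifest" "$tmp/ls"      # rootkit "fixes" the db
    echo "local db says:"; verify_against "$tmp/localdb.manifest" && echo "clean"
    echo "pristine package says:"; verify_against "$tmp/pristine.manifest" || echo "tampered"
    rm -rf "$tmp"
}
```

The real command needs the original .rpm on hand, and its signature should be checked first with `rpm --checksig somefile.rpm` so the baseline itself is trusted. The caveat Anton's reply points at still applies: `rpm -Vp` runs the rpm binary, its libraries and the kernel on the suspect host, so an LKM rootkit that lies about file contents defeats it as thoroughly as it defeats `rpm -V`; only verification from a clean boot medium escapes that.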
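Added example, not Anton's honeypot code (his is described as a variant of /bin/mv, presumably compiled; this is a shell illustration of the same trick): an `rm` replacement that accepts rm's options, ignores them, and moves each target into a quarantine directory instead of unlinking it, so whatever the intruder "deletes" survives for the forensic pass. The quarantine path and the function name are assumptions.

```shell
#!/bin/sh
# fake_rm: drop-in /bin/rm replacement for a honeypot that behaves like mv
# into a quarantine directory. Options such as -r, -f, -rf are swallowed so
# cleanup scripts run without errors, and the exit status mimics rm.
# QUARANTINE_DIR is an assumed location, not one named in the thread.
QUARANTINE_DIR="${QUARANTINE_DIR:-/var/lib/.quarantine}"

# fake_rm [-options] FILE...  -- move every non-option argument that exists
# into $QUARANTINE_DIR, renamed "<timestamp><absolute path with / as _>"
# so the original location is recoverable. Returns 0 unless a move failed.
fake_rm() {
    mkdir -p "$QUARANTINE_DIR" || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    status=0
    for arg in "$@"; do
        case "$arg" in
            -*) continue ;;          # swallow -r, -f, -rf, --, ...
        esac
        if [ ! -e "$arg" ] && [ ! -L "$arg" ]; then
            continue                 # rm -f is silent on missing files; so are we
        fi
        # Resolve the directory part to an absolute path, keep the leaf name.
        abs=$(cd "$(dirname "$arg")" 2>/dev/null && pwd -P)/$(basename "$arg")
        enc=$(printf '%s' "$abs" | tr '/' '_')
        mv -- "$arg" "$QUARANTINE_DIR/${stamp}${enc}" || status=1
    done
    return $status
}

# Installed on the honeypot as /bin/rm it would be invoked like this:
# fake_rm "$@"
```

A script in place of /bin/rm is easy to spot with `file /bin/rm` or `cat /bin/rm`, which is why a compiled variant is the better fit for the "minimum modification" philosophy Anton mentions; an intruder who notices will also start using `unlink`, `>file`, or `mv` to /dev/null, so the quarantine only catches the casual case the reply is aimed at.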