Re: LKM Trojan installed
From: Brian Hatch (focus-linux@ifokr.org)
Date: 02/08/03
- Previous message: Craig Holmes: "Re: LKM Trojan installed"
- In reply to: terry white: "Re: LKM Trojan installed"
- Next in thread: Jay Beale: "Re: LKM Trojan installed"
- Reply: Jay Beale: "Re: LKM Trojan installed"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 8 Feb 2003 12:24:34 -0800 From: Brian Hatch <focus-linux@ifokr.org> To: terry white <twhite@aniota.com>
> ... i created a directory, copied 'ps' et al to it, and used chattr on
> them. having a known good binary outside $PATH is something of a comfort
> ...
Of course, if the cracker has gotten root, they can chattr it right
back. In fact, the first thing I'd do as an attacker is to find all
chattr'd files on the filesystem since they're probably important.
The only way to be absolutely sure you see the real state of the
filesystem is to boot off of pristine read-only media. When you've
verified all the binaries and checked for any unusual startup actions
(/etc/rc?.d, /etc/inittab, initrd device, etc) which could modify things
then you can trust your ps commands -- as long as the attacker doesn't
come in and modify things again. (You should work without the network
plugged in until you're sure things are sane.)
-- Brian Hatch Dijon vu: the same Systems and mustard as before. Security Engineer http://www.ifokr.org/bri/ Every message PGP signed
- application/pgp-signature attachment: stored
- Next message: Shawn M. Jones: "Re: LKM Trojan installed"
- Previous message: Craig Holmes: "Re: LKM Trojan installed"
- In reply to: terry white: "Re: LKM Trojan installed"
- Next in thread: Jay Beale: "Re: LKM Trojan installed"
- Reply: Jay Beale: "Re: LKM Trojan installed"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
