Re: LKM Trojan installed

From: Jay Beale (jay@bastille-linux.org)
Date: 02/11/03

    Date: Tue, 11 Feb 2003 08:53:08 -0800
    From: Jay Beale <jay@bastille-linux.org>
    To: Brian Hatch <focus-linux@ifokr.org>

    In the wise words of Brian Hatch:

    >
    >
    > > ... i created a directory, copied 'ps' et al to it, and used chattr on
    > > them. having a known good binary outside $PATH is something of a comfort
    > > ...
    >
    > Of course, if the cracker has gotten root, they can chattr it right
    > back. In fact, the first thing I'd do as an attacker is to find all
    > chattr'd files on the filesystem since they're probably important.

    Errmmmm...not to be a niggling b*stard, but:

      As long as you don't put all your faith in chattr, it's still a nice
      step. I mean, it does "raise the bar," confusing some scripts and
      usually their associated kiddies.

      With that said, yes, almost the only Read-Only I trust is media in a drive
      that doesn't have the electronics required to write.

    > The only way to be absolutely sure you see the real state of the
    > filesystem is to boot off of pristine read-only media. When you've
    > verified all the binaries and checked for any unusual startup actions
    > (/etc/rc?.d, /etc/inittab, initrd device, etc) which could modify things
    > then you can trust your ps commands -- as long as the attacker doesn't
    > come in and modify things again. (You should work without the network
    > plugged in until you're sure things are sane.)

    Yup. And don't trust the system's kernel unless, at the least, you've
    checked its integrity from that alternate boot-read-only media. Because
    execution redirection sucks when you're the one being redirected!

     - Jay
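The procedure both posters describe, boot from pristine read-only media, verify the binaries against a known-good reference, and only then trust what the tools report, is easy to script. The following is an added example, not code from the thread or from either poster; it assumes hypothetical paths (a clean system or rescue mount as the baseline source, a suspect root mounted read-only under a rescue boot, and a baseline manifest kept on read-only media) and uses only `sha256sum`/`shasum`, `lsattr` and `awk`. It also lists files carrying the immutable attribute, since the thread notes that an attacker with root can clear `chattr +i` just as easily as an admin can set it, so those files are worth a look during a review:

```shell
#!/bin/sh
# Added example (not part of the original thread). Offline integrity check of a
# suspect root filesystem from a rescue boot. All paths are hypothetical.

# Portable SHA-256 of one file, printed as "hash  path" like sha256sum does.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# Build a baseline manifest for the given root-relative paths. Run this on the
# clean system (or from rescue media right after install) and store the output
# on media the running system cannot write to.
#   make_baseline /mnt/clean bin/ps bin/ls sbin/init > /media/cdrom/baseline.txt
make_baseline() {
    root="$1"; shift
    for f in "$@"; do
        # Root-relative paths so the manifest can be checked against any mount point.
        (cd "$root" && hash_file "$f")
    done
}

# Compare a suspect root (mounted read-only from the rescue boot) against the
# baseline. Prints "MODIFIED <path>" or "MISSING  <path>" for each problem and
# nothing when everything matches; output is what a caller counts or greps.
#   verify_against_baseline /mnt/suspect /media/cdrom/baseline.txt
verify_against_baseline() {
    root="$1"; baseline="$2"
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            printf 'MISSING  %s\n' "$path"
            continue
        fi
        actual=$(hash_file "$root/$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            printf 'MODIFIED %s\n' "$path"
        fi
    done < "$baseline"
}

# List files under a root that carry the ext2/3/4 immutable attribute ("i" in
# lsattr's flag field). Useful for the review: these are files someone wanted
# protected, which is exactly why an intruder with root would look at them too.
find_immutable() {
    root="$1"
    command -v lsattr >/dev/null 2>&1 || { echo 'lsattr not available' >&2; return 0; }
    lsattr -R "$root" 2>/dev/null | awk '$1 ~ /i/ { print $2 }'
}

# Minimal command-line front end (hypothetical usage):
#   sh check.sh baseline /mnt/clean bin/ps bin/ls > /media/cdrom/baseline.txt
#   sh check.sh verify /mnt/suspect /media/cdrom/baseline.txt
case "${1:-}" in
    baseline) shift; root="$1"; shift; make_baseline "$root" "$@" ;;
    verify)   verify_against_baseline "$2" "$3"; echo '--- immutable files ---'; find_immutable "$2" ;;
esac
```

Run the verify step with the suspect filesystem mounted read-only and the network cable out, as the thread recommends, so nothing can rewrite a binary between the hash check and the moment you rely on it. The manifest only proves the files you listed; the kernel image, modules, initrd and the startup hooks (`/etc/rc?.d`, `/etc/inittab`) belong in the baseline as well, since a kernel-level redirection makes every userland check report whatever the intruder wants.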


