Re: chkrootkit warning
From: Nils Petter Vaskinn (no@spam.for.me.invalid)
Date: 01/31/03
From: Nils Petter Vaskinn <no@spam.for.me.invalid> Date: Fri, 31 Jan 2003 11:36:37 GMT
On Fri, 31 Jan 2003 11:52:34 +0100, Bit Twister wrote:
> Think about that paragraph.
> You cannot use ANY of your pc's utilities to see if your box is cracked
> and find what additional files are installed.
>
> What you can do is have a dual boot system. You install a second copy of
> your OS and label it Auditor. You never, EVER mount it from the internet
> OS.
You cannot trust a second installation. If a cracker has got root on your
computer what is going to stop him from checking for it, mounting the Auditor
partition(s) and then putting trojaned binaries in there too?
Think about the first quoted paragraph. You can't trust any of your pc's
utilities - even if they are on a partition that you never mount. Simply
because a cracker could mount it.
> Some have suggested install on a separate disk which is left unplugged
> until you want to use it.
That would prevent a cracker from tampering with it. I don't know if any
of the "boot from cd distros" come with specific tools for checking an
installation for tampering, but I guess you could use one to check the
binaries against those on your installation cds.
NP
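
The comparison suggested in the message above, sketched as an added example (not part of the original post): booted from trusted media, hash every file in a known-good reference tree and compare it with the same path on the suspect installation. The mount points and the function name compare_tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Run it from trusted boot media so
# that sh, find and sha256sum are the trusted copies, not the suspect disk's.
# Limitation: file names containing newlines are not handled.

# compare_tree REF_ROOT SUSPECT_ROOT
#   REF_ROOT     known-good files, e.g. unpacked from the installation CDs
#   SUSPECT_ROOT the suspect installation, mounted read-only
# Prints one line per discrepancy; returns 0 if all match, 1 otherwise.
compare_tree() {
    ref=$1
    suspect=$2
    status=0
    list=$(mktemp) || return 2
    ( cd "$ref" && find . -type f | sort ) > "$list"
    while IFS= read -r rel; do
        rel=${rel#./}
        target=$suspect/$rel
        if [ -L "$target" ]; then
            # A symlink could resolve outside the suspect mount; never follow it.
            echo "SYMLINK  $rel"
            status=1
        elif [ ! -f "$target" ]; then
            echo "MISSING  $rel"
            status=1
        else
            want=$(sha256sum < "$ref/$rel" | cut -d' ' -f1)
            have=$(sha256sum < "$target" | cut -d' ' -f1)
            if [ "$want" != "$have" ]; then
                echo "MODIFIED $rel"
                status=1
            fi
        fi
    done < "$list"
    rm -f "$list"
    return "$status"
}

# Usage (hypothetical mount points):
#   compare_tree /mnt/reference /mnt/suspect
```

Only paths present in the reference tree are checked, so files that exist solely on the suspect disk are not reported by this sketch.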