Re: noob question about the CVE-2010-3081 exploit



On Mon, 20 Sep 2010 20:19:33 +0000, tuuttuuttuut@xxxxxxx wrote:

> But the thing is... does TripWire see the kernel (and its headers and
> stuff) also as 'files' to monitor?

As you stated the question, yes. TripWire can tell you when any file/directory
it has been told to monitor changes.

> or is it 'just for rootkits'?

In the context of this discussion, there are two types of rootkits.
One is where the rootkit runs only in memory. Tripwire will not see it
because it is not found on the disk. You reboot the system and the
rootkit disappears. The other type would be on the disk and could only
hide from tripwire if tripwire does not scan the directory where it resides.

> I mean, can tripwire keep me safe from the CVE-2010-3081 exploit?

A poor analogy follows. I think you are viewing tripwire as a burglar
alarm when in reality it is a smoke detector.

If it smells smoke, it goes off. No smoke, no alarm. Was/is there a fire?
Could be. :(

You have to understand how tripwire works. It builds a database of
file names based on where you told it to scan/watch. If files are
added/deleted/changed then tripwire reports it.

Where would the cracker put malware? Anywhere you told tripwire not to
scan/watch.

What a real rootkit does becomes the real question. If the
person/malware gets into your system, the possibility exists that it
might make enough changes to sneak by you. Example: take a snapshot of
the logs, insert the rootkit, install backdoor(s), tell tripwire to rebuild
its database to pick up added/changed files, restore the snapshot of the
logs to hide malware activity, and hope any tripwire complaint about a
log file goes unnoticed by you.

Expand your mind: read the 4th paragraph at
http://en.tldp.org/LDP/LG/issue36/kuethe.html
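The reply above describes two ways an intruder slips past a file-integrity checker: putting files where it does not look, and re-initialising its database after the fact. The following is an added example, not code from the original post and not Tripwire itself: a toy integrity checker with the same two operations Tripwire has (build a baseline of file digests, rescan and diff), run over a constructed directory tree. The directory names (sbin, var/log, var/tmp), the file contents, and the "intruder" steps are all assumptions made up for the demonstration.

```python
"""Toy Tripwire-style integrity checker (added example, not the original post's code)."""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, watched: list[str]) -> dict[str, str]:
    """Walk only the watched subtrees and record one digest per regular file.

    Keys are paths relative to root. Anything outside `watched` is never read,
    which is exactly the blind spot the post describes.
    """
    db: dict[str, str] = {}
    for sub in watched:
        for p in (root / sub).rglob("*"):
            if p.is_file() and not p.is_symlink():
                db[p.relative_to(root).as_posix()] = hash_file(p)
    return db


def check(root: Path, watched: list[str], baseline: dict[str, str]) -> dict[str, list[str]]:
    """Rescan the watched subtrees and report files added, removed or changed."""
    now = build_baseline(root, watched)
    return {
        "added": sorted(set(now) - set(baseline)),
        "removed": sorted(set(baseline) - set(now)),
        "changed": sorted(k for k in now.keys() & baseline.keys() if now[k] != baseline[k]),
    }


def demo() -> dict[str, dict[str, list[str]]]:
    """Constructed scenario: sbin and var/log are watched, var/tmp is not."""
    root = Path(tempfile.mkdtemp(prefix="tw-demo-"))
    watched = ["sbin", "var/log"]  # assumed policy: these trees are monitored
    for sub in watched + ["var/tmp"]:
        (root / sub).mkdir(parents=True)
    ls = root / "sbin/ls"
    auth_log = root / "var/log/auth.log"
    ls.write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
    auth_log.write_text("Sep 20 20:19:33 host sshd: session opened\n")  # constructed log line

    baseline = build_baseline(root, watched)  # equivalent of initialising the database

    # Intruder, following the sequence in the post:
    log_snapshot = auth_log.read_bytes()                      # 1. snapshot the logs
    ls.write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\" | grep -v rk\n")  # 2. trojan a watched binary
    (root / "var/tmp/.rk").write_bytes(b"\x7fELF...")         # 3. drop the kit where nobody looks
    with auth_log.open("a") as f:                             # activity leaves a trace
        f.write("Sep 20 20:21:00 host sshd: session opened for root\n")

    # An honest check at this point: the trojaned binary and the log show as
    # changed, but the kit in var/tmp is invisible because var/tmp is unwatched.
    before_rebuild = check(root, watched, baseline)

    # 4. intruder re-initialises the database, so the trojan becomes "known good",
    # 5. then restores the log snapshot to hide the activity ...
    rebuilt = build_baseline(root, watched)
    auth_log.write_bytes(log_snapshot)
    # ... and the only complaint left is about the log file, which the post
    # says the intruder hopes you will ignore.
    after_rebuild = check(root, watched, rebuilt)

    shutil.rmtree(root, ignore_errors=True)
    return {"before_rebuild": before_rebuild, "after_rebuild": after_rebuild}
```

Running `demo()` returns both reports. Before the database rebuild the report lists `sbin/ls` and `var/log/auth.log` as changed and nothing as added, even though `var/tmp/.rk` exists; after the rebuild only the restored `var/log/auth.log` is reported. The same shape of result is what you would read in a Tripwire report, which is why the post stresses that the database must be protected and a lone log-file complaint must not be dismissed.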