[lug] newbie question - rc.sysinit

D. Stimits stimits at idcomm.com
Thu Jul 12 11:19:06 MDT 2001


"Scott A. Herod" wrote:
> 
> I've seen one attack that added start-up code in rc.sysinit ( or
> maybe it was rc.local ).  I keep "clean-room" versions of ls,
> ps, rpm, lsof and netstat on floppies.  Whenever I see anything
> at all unexpected on a machine I use them to look around.
> 
> I've never seen lsof replaced on a root-kit'ed box but have
> seen the others changed.  'lsof -i' and 'rpm --verify' are
> very useful.  Anything at all wrong, and I think that it is
> time to wipe the machine and start over.

This is where stealth modules come into the picture...it is possible for
an unmodified lsof and rpm to lie and say nothing is wrong, if the right
kernel module is present. Even tripwire is useless if the kernel has a
module to lie. In which case you could run tripwire or other progs from
an independent boot CD to avoid tampered kernels.

D. Stimits, stimits at idcomm.com

> 
> Scott
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
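As an added example (not from the thread), here is the offline check the reply describes, written as a POSIX shell script meant to run from a clean boot medium: it hashes files on the mounted suspect root using the boot medium's own kernel and hashing tool, and compares them with a baseline recorded while the machine was known-good. The demo root, file contents and manifest path are constructed.

```shell
#!/bin/sh
# Offline integrity check to run from a clean boot medium (constructed example,
# not from the thread). Assumptions: the suspect disk is mounted read-only at
# the directory passed as root, and the manifest was recorded while the system
# was known-good and kept off the box. The kernel and hashing tool belong to the
# boot medium, so a stealth module on the suspect disk cannot falsify reads.

# hash_of <file>: sha256 hex digest, using whichever tool the medium has.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# make_baseline <root> <manifest> <path>...: record "<hash> <path>" lines
# for the given paths (relative to the root) into the manifest.
make_baseline() {
    root="$1"; manifest="$2"; shift 2
    : > "$manifest"
    for p in "$@"; do
        printf '%s %s\n' "$(hash_of "$root$p")" "$p" >> "$manifest"
    done
}

# verify_against_baseline <manifest> <root>: print MISSING/MODIFIED lines
# for every file that no longer matches; return 0 if clean, 1 otherwise.
verify_against_baseline() {
    manifest="$1"; root="$2"; bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root$path" ]; then
            echo "MISSING $path"; bad=1
        elif [ "$(hash_of "$root$path")" != "$expected" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$manifest"
    return "$bad"
}

# Constructed demo: a fake root with "clean" ls, ps and lsof, a baseline taken,
# then ps swapped for a trojaned copy and lsof removed, as a rootkit might do.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/bin"
printf 'clean ls\n' > "$demo_root/bin/ls"
printf 'clean ps\n' > "$demo_root/bin/ps"
printf 'clean lsof\n' > "$demo_root/bin/lsof"
make_baseline "$demo_root" "$demo_root/baseline.sha256" /bin/ls /bin/ps /bin/lsof
printf 'trojaned ps\n' > "$demo_root/bin/ps"
rm "$demo_root/bin/lsof"
verify_against_baseline "$demo_root/baseline.sha256" "$demo_root" \
    > "$demo_root/report.txt" || echo "mismatches found, see $demo_root/report.txt"
```

On a real system the manifest would cover every binary and config file you care about (the same set `rpm --verify` checks, but hashed from outside), and the whole point is that neither the hashing nor the file reads pass through the suspect kernel.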
