[lug] newbie question - rc.sysinit
D. Stimits
stimits at idcomm.com
Fri Jul 13 14:19:59 MDT 2001
rm at mamma.varadinet.de wrote:
>
> On Thu, Jul 12, 2001 at 10:52:25AM -0600, Scott A. Herod wrote:
> > I've seen one attack that added start-up code in rc.sysinit ( or
> > maybe it was rc.local ). I keep "clean-room" versions of ls,
> > ps, rpm, lsof and netstat on floppies. Whenever I see anything
> > at all unexpected on a machine I use them to look around.
>
> I guess you are aware of the fact that this won't help against
> a serious cracker. If your kernel module checks for the name
> of executables to be run it doesn't matter where they came from.
> If you fear that a box has been cracked, I'm afraid nothing but
> a reboot from a clean medium is secure (unless the cracker patched
> the bios ;-)
I forgot one other thing...if you have a rescue disk (e.g., Tom's root
boot), and you run your examination from the other kernel, then the
clean room versions will work. But that also requires a lot of
examination if you want to go beyond the typical alterations. This is
where it might be nice to have tripwire on the rescue, and the expected
results in a safe place.
D. Stimits, stimits at idcomm.com
>
> Ralf
>
> > I've never seen lsof replaced on an root-kit'ed box but have
> > seen the others changed. 'lsof -i' and 'rpm --verify' are
> > very useful. Anything at all wrong, and I think that it is
> > time to wipe the machine and start over.
> >
> > Scott
> > _______________________________________________
> > Web Page: http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
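The "expected results in a safe place" idea from the reply above, as an added example that is not part of the original thread or of Tripwire: a baseline manifest of file hashes taken while the box is known clean, stored off-box, and later compared against the disk from a rescue kernel using clean tools. The script assumes GNU sha256sum or the Perl shasum, POSIX find/awk/sort, and a constructed stand-in directory tree in place of a real root filesystem.

```shell
#!/bin/sh
# Added example (not from the thread or from Tripwire): a minimal Tripwire-style
# "expected results" check built from find, a SHA-256 tool, sort and awk.
# Build the manifest while the box is known clean, keep it on read-only media,
# and run verify_baseline from a rescue kernel with the suspect disk mounted.

# Prefer GNU sha256sum; fall back to the Perl shasum found on BSD/macOS.
if command -v sha256sum >/dev/null 2>&1; then
    HASH_CMD=sha256sum
else
    HASH_CMD="shasum -a 256"
fi

# make_baseline ROOT MANIFEST
# Writes one "hash  ./relative/path" line per regular file under ROOT, sorted
# by path. Paths containing whitespace are not handled (fine for /bin, /sbin,
# /etc/rc.d). Variable names are prefixed because plain sh has no "local".
make_baseline() {
    mb_root=$1; mb_out=$2
    ( cd "$mb_root" && find . -type f -exec $HASH_CMD {} + ) | sort -k 2 > "$mb_out"
}

# verify_baseline ROOT MANIFEST
# Re-hashes ROOT and prints one line per difference from MANIFEST:
#   CHANGED path   content differs (trojaned ps, edited rc.sysinit)
#   MISSING path   in the manifest but gone from disk
#   ADDED path     on disk but not in the manifest (planted start-up code)
# Returns 0 when nothing differs, 1 otherwise.
verify_baseline() {
    vb_root=$1; vb_manifest=$2
    vb_current=$(mktemp); vb_report=$(mktemp)
    make_baseline "$vb_root" "$vb_current"
    # awk reads the baseline first (NR==FNR) into base[], then the fresh
    # manifest into cur[], and classifies every path in END.
    awk 'NR == FNR { base[$2] = $1; next }
         { cur[$2] = $1 }
         END {
             for (p in base) {
                 if (!(p in cur))            print "MISSING " p
                 else if (cur[p] != base[p]) print "CHANGED " p
             }
             for (p in cur) if (!(p in base)) print "ADDED " p
         }' "$vb_manifest" "$vb_current" | sort > "$vb_report"
    cat "$vb_report"
    if [ -s "$vb_report" ]; then vb_rc=1; else vb_rc=0; fi
    rm -f "$vb_current" "$vb_report"
    return $vb_rc
}

# demo: a constructed stand-in for a root filesystem (not real system files),
# a baseline taken while clean, then a simulated compromise of the kind the
# thread describes: replaced binary, edited rc.sysinit, planted and removed files.
demo() {
    fs=$(mktemp -d); manifest=$(mktemp)
    mkdir -p "$fs/bin" "$fs/etc/rc.d"
    printf 'ls binary\n' > "$fs/bin/ls"
    printf 'ps binary\n' > "$fs/bin/ps"
    printf '#!/bin/sh\n'  > "$fs/etc/rc.d/rc.sysinit"
    make_baseline "$fs" "$manifest"                         # taken while clean

    printf 'trojaned ps\n'  > "$fs/bin/ps"                  # replaced binary
    printf '/tmp/.x/bd &\n' >> "$fs/etc/rc.d/rc.sysinit"    # added start-up code
    printf 'backdoor\n'     > "$fs/bin/.bd"                 # planted file
    rm -f "$fs/bin/ls"                                      # removed file

    verify_baseline "$fs" "$manifest"
    demo_rc=$?
    rm -rf "$fs" "$manifest"
    return $demo_rc
}

if demo; then echo "clean"; else echo "differences found"; fi
```

The comparison deliberately trusts nothing on the suspect disk: both the hashing tools and the stored manifest come from the rescue media, so a kernel module or trojaned ls on the compromised system never gets to run. Hashing is the check; the point of the thread stands that the result only means something when the kernel doing the hashing is the clean one.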