[lug] i got hacked

D. Stimits stimits at idcomm.com
Fri Apr 19 11:27:43 MDT 2002


"Sexton, George" wrote:
> 
> I don't think it's quite that easy. The tripwire database is signed.

I've heard of cases where kernel modules are made to lie about tripwire
checksums by finding out what the checksums are prior to actual
replacement of files. If you really want a guarantee that the tripwire
is correct, you must keep your checksums and all code needed to do
verifications on a separate medium not reachable by the cracker.

D. Stimits, stimits at idcomm.com

> 
> -----Original Message-----
> From: lug-admin at lug.boulder.co.us [mailto:lug-admin at lug.boulder.co.us]On
> Behalf Of Bear Giles
> Sent: 19 April, 2002 10:25 AM
> To: lug at lug.boulder.co.us
> Subject: Re: [lug] i got hacked
> 
> > One final piece of advice when you rebuild, install tripwire.  All of the
> > firewall recommendations, combined with wrappers, log sentry (log check)
> > will help prevent it from happening again, but tripwire will let you know if
> > it _does_ happen again.
> 
> If tripwire isn't installed properly, it can give you a false sense
> of security.  In a situation like this you *must* use media which is
> physically read-only - a knowledgeable attacker would simply update
> your tripwire database if it's not on readonly media (not just a
> readonly partition or file).
> 
> Bear
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> 
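The thread's point is that an integrity checker is only as trustworthy as the code and the baseline it runs against. The script below is an added, constructed example (not tripwire's code and not code posted by anyone in the thread) of the minimal tripwire-style loop: hash every file under a directory, store the digests sha256sum-style, re-hash later and report modified, missing and added files. It also refuses to use a stored baseline unless the mount holding it carries the "ro" option in /proc/mounts. SAMPLE_MOUNTS is constructed /proc/mounts text used by the demo. Two caveats that follow directly from the thread: a read-only mount is exactly the "readonly partition" Bear says is not enough, since root can remount it writable, so the check only catches the obvious misconfiguration and is no substitute for physically read-only media; and a kernel module that lies about file contents, as Stimits describes, would feed this checker the old bytes, which is why the verification code and baseline belong on separate media that the host cannot alter.

```python
# Toy tripwire-style integrity check, constructed for this thread (not tripwire's
# own code).  Baselines are stored sha256sum-style; the guarded verifier refuses a
# baseline that is not on a read-only mount.  SAMPLE_MOUNTS is constructed text.
import hashlib
import os
import tempfile

# Constructed /proc/mounts content: a writable root and a read-only CD-ROM.
SAMPLE_MOUNTS = (
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "/dev/sr0 /mnt/cdrom iso9660 ro,nosuid,nodev 0 0\n"
)

def hash_file(path):
    """SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file under root (slash-separated relative path) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return baseline

def dump_baseline(baseline):
    """Serialize as 'digest  path' lines, like sha256sum output."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(baseline.items()))

def load_baseline(text):
    """Inverse of dump_baseline; digests contain no spaces, so split once."""
    pairs = (line.split("  ", 1) for line in text.splitlines() if line.strip())
    return {path: digest for digest, path in pairs}

def verify(root, baseline):
    """Re-hash the tree and classify deviations from the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def mount_is_readonly(path, mounts_text=None):
    """True only if the deepest /proc/mounts mount point containing path has 'ro'.
    Returns False whenever that cannot be established (no /proc/mounts, no match)."""
    if mounts_text is None:
        try:
            with open("/proc/mounts") as f:
                mounts_text = f.read()
        except OSError:
            return False
    target = os.path.realpath(path)
    best = None  # (mountpoint, options) of the deepest matching mount
    for line in mounts_text.splitlines():
        fields = line.split()  # device mountpoint fstype options dump pass
        if len(fields) < 4:
            continue
        mnt = fields[1].replace("\\040", " ")  # /proc/mounts escapes spaces
        if target == mnt or target.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, fields[3])
    return best is not None and "ro" in best[1].split(",")

def verify_from_baseline_file(root, baseline_path, mounts_text=None):
    """Use a stored baseline only if it sits on a read-only mount; otherwise refuse."""
    if not mount_is_readonly(baseline_path, mounts_text):
        raise RuntimeError(f"baseline {baseline_path} is on writable media; refusing")
    with open(baseline_path) as f:
        return verify(root, load_baseline(f.read()))

def demo():
    """Constructed walkthrough: baseline a scratch tree, alter it, re-verify.
    Returns (report, refused): the change report, and whether the media check
    rejected a baseline kept in a writable scratch directory."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "bin"))
        for rel, data in (("bin/ls", b"original ls\n"), ("passwd", b"root:x:0:0\n")):
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(data)
        db_path = os.path.join(store, "tripwire.db")
        with open(db_path, "w") as f:
            f.write(dump_baseline(build_baseline(root)))
        # Simulate a replaced binary, a dropped-in file and a deleted file.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls\n")
        with open(os.path.join(root, "bin", "extra"), "wb") as f:
            f.write(b"x")
        os.remove(os.path.join(root, "passwd"))
        with open(db_path) as f:
            report = verify(root, load_baseline(f.read()))
        try:  # the scratch store is writable, so the guarded path must refuse
            verify_from_baseline_file(root, db_path, SAMPLE_MOUNTS)
            refused = False
        except RuntimeError:
            refused = True
    return report, refused
```

Running demo() reports bin/ls as modified, passwd as missing and bin/extra as added, and shows verify_from_baseline_file refusing the baseline because the scratch directory resolves to the writable root in SAMPLE_MOUNTS; only a path under the constructed /mnt/cdrom entry would pass the check.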
