[lug] Suggested Colo's in Boulder, managed hosting?
Bear Giles
bgiles at coyotesong.com
Tue Mar 4 14:37:50 MST 2003
Zan Lynx wrote:
> But the other had a very
> nifty kernel module that intercepted directory reads, file reads, etc.
> It even had support to fool Tripwire (it would exec the trojan, but ope
> and read the original executable).
A while back some group was trying to scan the entire IP space in
the world and reported one box had a very sophisticated kernel
module loaded after a telnet(?) session that lasted all of 7
seconds. Somebody tweaked the wrong TLA....
A little bit closer to things we need to worry about, I've heard
of some rootkits that don't modify binaries at all, they do their
dirty deeds via LD_PRELOAD.
> I installed a fresh kernel RPM, init scripts and fileutils, rebooted and
> searched the drive for everything with recent inode change times. Then
> we reinstalled from scratch just to make sure.
One of my never-ending projects has been a configuration
management tool that is intended to account for every file under
the system directories - two key reports are expected files that
are missing, and files that nobody takes responsibility for.
Creating that database has been... interesting. Debian maintains
something close, but not quite close enough. The latest
generation of the tool actually rips apart the Debian binary
package and reads the data stream to generate a full manifest
including modification time, sizes, hashes, etc.
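The manifest checks described in this message (expected files that are missing, files nobody takes responsibility for, plus the "recent inode change time" sweep from the quoted reply), worked through as an added example; this is not Bear Giles's tool or any Debian tooling. It assumes a baseline manifest taken from a trusted snapshot rather than one parsed out of package files, and the sample tree, file contents and the `/lib/libfake.so` preload entry are constructed for the demonstration.

```python
"""Expected-vs-actual file manifest checker (added example, not the post's tool)."""
import hashlib
import os
import tempfile
import time
from pathlib import Path


def file_record(path: Path) -> dict:
    """Record size, mtime, ctime and (for regular files) a SHA-256 digest."""
    st = path.lstat()  # lstat: never follow symlinks while recording
    rec = {"size": st.st_size, "mtime": st.st_mtime, "ctime": st.st_ctime}
    if path.is_symlink():
        rec["target"] = os.readlink(path)
    elif path.is_file():
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        rec["sha256"] = digest.hexdigest()
    return rec


def build_manifest(root: Path) -> dict:
    """Map every file below root: relative path -> record."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            manifest[str(full.relative_to(root))] = file_record(full)
    return manifest


def compare(expected: dict, actual: dict, changed_since: float) -> dict:
    """The two reports from the post, plus content changes and recent ctimes."""
    exp, act = set(expected), set(actual)
    both = exp & act
    return {
        "missing": sorted(exp - act),            # expected but not on disk
        "unowned": sorted(act - exp),            # on disk, nobody accounts for it
        "modified": sorted(                      # same path, different content
            p for p in both
            if expected[p].get("sha256") != actual[p].get("sha256")
            or expected[p].get("target") != actual[p].get("target")
        ),
        # the "everything with a recent inode change time" sweep
        "recent_ctime": sorted(p for p in act if actual[p]["ctime"] >= changed_since),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho original ls\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho original ps\n")
        (root / "bin" / "cat").write_bytes(b"#!/bin/sh\necho original cat\n")
        expected = build_manifest(root)        # trusted baseline (assumption)
        changed_since = time.time()

        # Constructed post-incident state: one binary replaced, one removed,
        # and an unaccounted-for preload file appears under etc/.
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho replaced ps\n")
        (root / "bin" / "ls").unlink()
        (root / "etc" / "ld.so.preload").write_text("/lib/libfake.so\n")

        actual = build_manifest(root)
        return compare(expected, actual, changed_since)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

The `unowned` report is the one that catches things a binary-by-binary integrity check misses: a preload file, or any other file that no package claims, shows up there even when every packaged binary still hashes clean. The ctime sweep is listed separately because ctime is kernel-maintained and cannot be set with `utime()` the way mtime can, which is why the quoted reply used it; it is still only useful relative to a timestamp you trust.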