[lug] R00tKIT!! Raah!
Sebastian Sobolewski
spsobole at thirdmartini.com
Tue Jun 14 21:08:50 MDT 2005
As a general rule I run my / filesystem mounted Read-Only. Only my data
partitions which are mounted noexec are writable.
i.e.:
/dev/md0 on / type ext3 (ro)
/dev/hda1 on /boot type ext2 (ro)
/dev/md1 on /data type ext3 (rw,noexec)
/tmp & /var are symlinked to /data/tmp and /data/var respectively
This reduces the risk of a rootkit being able to install itself. For
extra paranoia my /dev/md0 device is a READ-ONLY mirror so a simple
remount,rw won't work.
-Sebastian
Zan Lynx wrote:
>You can be safe from that if you boot from a live-CD or rescue CD.
>You'd want to use a clean source for your checksum data too.
>
>On Tue, 2005-06-14 at 20:42 -0600, Bear Giles wrote:
>
>
>>David Anselmi wrote:
>>
>>
>>>I wouldn't trust cleaning the system unless I had a way to verify all
>>>the files on it. Most of those came from packages, so if you can
>>>compare checksums between your files and those from the official
>>>packages (using only programs you've already verified) you might be good.
>>>
>>>
>>I wouldn't trust checksums since an undetected rootkit may still
>>change the results. But I don't think it's hard to reinstall
>>packages. E.g., in Debian it's
>>
>>
>>Web Page: http://lug.boulder.co.us
>>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
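The mount layout Sebastian describes (read-only / and /boot, writable data partitions carrying noexec) is easy to drift away from after a remount or an fstab edit. The POSIX shell script below is an added example, not part of the original thread or anyone's posted code: it reads a /proc/mounts-style table and reports every block-device filesystem that breaks that policy. The two sample tables are constructed for illustration; the device names simply mirror the layout in the post, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): audit a mount table against
# the policy "/ and /boot mounted ro; every other writable block-device
# filesystem mounted noexec".  Input lines use /proc/mounts format:
#   device mountpoint fstype options dump pass

# Constructed sample matching the layout described in the post: compliant.
SAMPLE_MOUNTS='/dev/md0 / ext3 ro,data=ordered 0 0
/dev/hda1 /boot ext2 ro 0 0
/dev/md1 /data ext3 rw,noexec 0 0
proc /proc proc rw 0 0'

# Constructed sample of a drifted system: / remounted rw, /data lost noexec.
SAMPLE_BAD='/dev/md0 / ext3 rw,errors=remount-ro 0 0
/dev/hda1 /boot ext2 ro 0 0
/dev/md1 /data ext3 rw 0 0
tmpfs /dev/shm tmpfs rw 0 0'

# has_opt OPTS OPT: true if the comma-separated list OPTS contains OPT as a
# whole token.  The surrounding commas matter: a plain substring test would
# accept "errors=remount-ro" as "ro".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mounts: read a mount table on stdin, print one line per violation.
# Pseudo-filesystems (proc, sysfs, tmpfs ...) are out of scope; only
# /dev/* devices are checked.
check_mounts() {
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in
            /dev/*) ;;
            *) continue ;;
        esac
        case "$mnt" in
            /|/boot)
                if ! has_opt "$opts" ro; then
                    echo "VIOLATION: $mnt ($dev) is not read-only: $opts"
                fi ;;
            *)
                if ! has_opt "$opts" ro && ! has_opt "$opts" noexec; then
                    echo "VIOLATION: $mnt ($dev) is writable without noexec: $opts"
                fi ;;
        esac
    done
    return 0
}

# count_violations TABLE: number of violations in the given table text.
count_violations() {
    printf '%s\n' "$1" | check_mounts | wc -l | tr -d ' '
}

echo "== constructed compliant table =="
printf '%s\n' "$SAMPLE_MOUNTS" | check_mounts
echo "violations: $(count_violations "$SAMPLE_MOUNTS")"

echo "== constructed drifted table =="
printf '%s\n' "$SAMPLE_BAD" | check_mounts
echo "violations: $(count_violations "$SAMPLE_BAD")"

# On a real Linux host, audit the live table as well.
if [ -r /proc/mounts ]; then
    echo "== live /proc/mounts =="
    check_mounts < /proc/mounts
fi
```

Running it against the drifted sample reports two findings: the root filesystem is rw (the "remount-ro" in errors=remount-ro is correctly not mistaken for a ro flag) and /data is writable without noexec. A cron job or integrity check that runs this against the live /proc/mounts gives a cheap alarm when someone has managed a remount,rw, which is exactly the step the read-only mirror in the post is meant to defeat.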