[lug] newbie question - rc.sysinit
Scott A. Herod
herod at interact-tv.com
Thu Jul 12 15:41:59 MDT 2001
"D. Stimits" wrote:
>
> "Scott A. Herod" wrote:
> >
> > I've seen one attack that added start-up code in rc.sysinit ( or
> > maybe it was rc.local ). I keep "clean-room" versions of ls,
> > ps, rpm, lsof and netstat on floppies. Whenever I see anything
> > at all unexpected on a machine I use them to look around.
>
> This is where stealth modules come into the picture...it is possible for
> an unmodified lsof and rpm to lie and say nothing is wrong, if the right
> kernel module is present. Even tripwire is useless if the kernel has a
> module to lie. In which case you could run tripwire or other progs from
> an independent boot CD to avoid tampered kernels.
>
( As you can see I didn't follow that discussion well. )
Stealth modules would even corrupt the /proc file system, correct?
There goes my comparison of /proc/#/cmdline against the output of ps.
Could you keep a clean copy of all of the md5 sums for the kernel
and relevant modules? The executable md5sum as well, obviously.
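A minimal form of that offline check, as an added example that is not part of the original thread: with the suspect disk mounted under `root` from independent, trusted boot media (so the suspect kernel is not running and cannot lie about file contents), it hashes every file under /boot and /lib/modules, stores the result as a baseline, and later reports modified, missing and added files. The directory layout, file names, and the use of SHA-256 in place of the MD5 mentioned above are assumptions; `demo()` builds a constructed mock root in a temp directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Directories that hold the kernel and its modules (assumed Red Hat style
# layout); `root` is where the suspect disk is mounted from trusted media.
KERNEL_DIRS = ("boot", "lib/modules")

def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks (SHA-256 instead of the thread's MD5)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map relative path -> digest for every regular file under KERNEL_DIRS."""
    baseline = {}
    for sub in KERNEL_DIRS:
        if not (root / sub).is_dir():
            continue
        for p in sorted((root / sub).rglob("*")):
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline

def verify(root: Path, baseline: dict) -> dict:
    """Compare the mounted tree against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }

def demo() -> dict:
    """Constructed mock root: baseline it, alter it, re-verify."""
    root = Path(tempfile.mkdtemp())
    mods = root / "lib/modules/2.4.2/kernel/fs"
    mods.mkdir(parents=True)
    (root / "boot").mkdir()
    (root / "boot/vmlinuz").write_bytes(b"constructed kernel image")
    (mods / "ext2.o").write_bytes(b"constructed module")
    baseline = build_baseline(root)        # what you would keep on a floppy
    (mods / "ext2.o").write_bytes(b"replaced module")          # changed file
    (mods / "hide.o").write_bytes(b"unexpected extra module")  # new file
    return verify(root, baseline)

if __name__ == "__main__":
    print(demo())
```

The baseline itself must be kept on read-only media, since a baseline stored on the suspect disk can be rewritten along with the files it describes.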