[lug] newbie question - rc.sysinit

D. Stimits stimits at idcomm.com
Fri Jul 13 14:17:34 MDT 2001


rm at mamma.varadinet.de wrote:
> 
> On Thu, Jul 12, 2001 at 10:52:25AM -0600, Scott A. Herod wrote:
> > I've seen one attack that added start-up code in rc.sysinit ( or
> > maybe it was rc.local ).  I keep "clean-room" versions of ls,
> > ps, rpm, lsof and netstat on floppies.  Whenever I see anything
> > at all unexpected on a machine I use them to look around.
> 
> I guess you are aware of the fact that this won't help against
> a serious cracker. If your kernel module checks for the name
> of executables to be run it doesn't matter where they came from.
> If you fear that a box has been cracked, I'm afraid nothing but
> a reboot from a clean medium is secure (unless the cracker patched
> the bios ;-)

Another unfortunate problem, probably the worst of all really, is that
one does not need to be a "serious" cracker any more to work with kernel
modules. There are scripts even for this. It is the serious cracker that
writes the kernel stealth modules, but anyone could use them.

D. Stimits, stimits at idcomm.com

> 
>  Ralf
> 
> > I've never seen lsof replaced on a root-kit'ed box but have
> > seen the others changed.  'lsof -i' and 'rpm --verify' are
> > very useful.  Anything at all wrong, and I think that it is
> > time to wipe the machine and start over.
> >
> > Scott
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
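An added example, not from any poster in this thread: the 'rpm --verify' check Scott mentions prints one line per file that differs from the package database, and the useful part is telling a changed binary apart from a config file or a harmless mtime bump. The script below parses that output format (an 8-character flag field, an optional 'c' config or 'd' doc marker, then the path; "missing" replaces the flags when the file is gone) and reports only package files whose size or MD5 digest changed, or which are missing. The sample lines are constructed for the example, not taken from a real box. As the thread points out, rpm and its database are themselves targets, so this only means something when run with the clean copy of rpm kept on floppy.

```shell
#!/bin/sh
# Parse `rpm -V` / `rpm -Va` output and flag package files whose
# contents changed. Flag field positions: S size, M mode, 5 MD5 digest,
# D device, L symlink, U user, G group, T mtime ('.' = unchanged).

# Constructed sample of rpm -V output (not real output from any host).
SAMPLE_RPM_V='S.5....T   /bin/ls
.......T   /bin/ps
S.5....T c /etc/ssh/sshd_config
missing    /usr/sbin/lsof
..5....T   /sbin/ifconfig'

# Reads rpm -V lines on stdin. Prints MODIFIED for files whose size or
# digest changed and MISSING for files that are gone. Config ('c') and
# documentation ('d') files are skipped: those are expected to drift.
flag_modified() {
    while read -r flags a b; do
        [ -z "$flags" ] && continue
        # A single-letter second field is the attribute marker; otherwise
        # the second field is already the path.
        case "$a" in
            c|d|g|l|r) attr="$a"; path="$b" ;;
            *)         attr="";   path="$a" ;;
        esac
        [ "$attr" = "c" ] && continue
        [ "$attr" = "d" ] && continue
        case "$flags" in
            missing)
                echo "MISSING  $path"
                ;;
            *)
                size=$(printf '%s' "$flags" | cut -c1)
                digest=$(printf '%s' "$flags" | cut -c3)
                # mtime-only changes (e.g. ".......T") are not reported.
                if [ "$size" = "S" ] || [ "$digest" = "5" ]; then
                    echo "MODIFIED $path ($flags)"
                fi
                ;;
        esac
    done
}

# Runs the parser over the constructed sample and prints only the count,
# so the result can be checked without relying on stdout formatting.
count_suspicious() {
    printf '%s\n' "$SAMPLE_RPM_V" | flag_modified | grep -c '^'
}

# Full report for a human reader; on a real system replace the sample with:
#   rpm -Va | flag_modified
printf '%s\n' "$SAMPLE_RPM_V" | flag_modified
```

On the sample, /bin/ls and /sbin/ifconfig are reported as modified and /usr/sbin/lsof as missing; /bin/ps (mtime only) and sshd_config (config file) are not.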
