[lug] R00tKIT!! Raah!
rm at fabula.de
Thu Jun 16 09:12:09 MDT 2005
On Thu, Jun 16, 2005 at 09:00:51AM -0600, Bear Giles wrote:
> Nate Duehr wrote:
> >Grabbing a statically-linked shell like sash for this type of event
> >after booting from something like a live-CD to keep from using ANYTHING
> >on the compromised system, and not running anything until all it's
> >dependencies are met with known NEW libraries, etc... is usually a good
> >step.
>
> I've pre-recompiled the core tools to use static libraries. You
> don't need many packages for good coverage - under the old debian
> stable I had
>
> bash
> binutils
> chkrootkit
> fileutils
> gawk
> grep
> net-tools
> procps
> sed
> shellutils
> tar
> tcsh
> textutils
>
> and you're right it's a good idea to add dpkg and apt, especially
> since the former is where md5sum hides. 'lsof' is another good
> package to put on this list.
You'll get a lot of these by just compiling BusyBox static. I'll routinely put a
statically linked BusyBox in my initrds, just in case. The whole thing is so
small that it fits nicely on a small (business card) CD.
Cheers, Ralf Mattes
> Bear
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
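The static toolkit both posters describe, as an added example that is not code from the original thread, from BusyBox, or from either poster. It checks the three properties such a kit depends on: every tool is statically linked (so nothing from the compromised host's /lib or LD_PRELOAD gets pulled in), the kit carries a checksum manifest, and the tools are invoked with the host's PATH and loader environment excluded. The kit directory `$TOOLKIT`, the manifest name `MANIFEST.sha256`, and the function names are my assumptions; the BusyBox build itself (`CONFIG_STATIC=y`) is only shown as a comment because it needs source, a toolchain and a build host.

```shell
#!/bin/sh
# Added example for the "static response toolkit" idea in the thread above.
# Not from the original posts or from BusyBox. Assumptions (mine): the kit
# lives in $TOOLKIT, the manifest is $TOOLKIT/MANIFEST.sha256, and grep and
# sha256sum are themselves taken from the kit, not from the suspect host.
#
# Building BusyBox static, on the build host (never on the compromised one):
#   make defconfig
#   sed -i 's/^# CONFIG_STATIC is not set/CONFIG_STATIC=y/' .config
#   make && ./busybox --list      # applets you get "for free": ps, netstat, ...

set -u

TOOLKIT=${TOOLKIT:-/mnt/cdrom/bin}

# Heuristic static-linking check that needs nothing beyond grep: a dynamically
# linked ELF stores its program interpreter path (PT_INTERP) as a printable
# string such as /lib64/ld-linux-x86-64.so.2 or /lib/ld-musl-x86_64.so.1.
# Returns 0 (static) when no such path is present. Treat it as a smoke test:
# it can false-positive on glibc static builds that embed loader paths for
# dlopen/NSS, so confirm with `readelf -l FILE | grep INTERP` or `file FILE`
# from a trusted copy of those tools.
is_static() {
    ! grep -a -q -E '/lib[[:print:]]*/ld[-.][[:print:]]*\.so' "$1"
}

# Refuse a kit containing any dynamically linked tool: on a rooted host a
# dynamic tool would load the host's (possibly trojaned) libc or an LD_PRELOAD
# library, which defeats the purpose of bringing your own binaries.
check_all_static() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in */MANIFEST.sha256) continue ;; esac
        if ! is_static "$f"; then
            echo "DYNAMIC: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Write the manifest on the build host before the media is burned. Keep a copy
# of the manifest's own hash off the media (or sign it): the manifest only
# proves anything if the attacker could not rewrite it along with the tools.
write_manifest() {
    dir=$1
    (
        cd "$dir" || exit 1
        for f in *; do
            if [ -f "$f" ] && [ "$f" != MANIFEST.sha256 ]; then
                sha256sum "$f"
            fi
        done
    ) > "$dir/MANIFEST.sha256"
}

# Verify the kit against its manifest; returns non-zero on any mismatch or
# missing file.
verify_manifest() {
    ( cd "$1" && sha256sum -c MANIFEST.sha256 ) >/dev/null 2>&1
}

# Run a kit tool with an empty environment and PATH limited to the kit, so
# neither PATH lookups nor LD_PRELOAD/LD_LIBRARY_PATH from the suspect host
# can influence it. Static binaries ignore LD_* anyway; the PATH restriction
# is what stops you typing `ps` and getting the rootkit's ps.
run_trusted() {
    env -i PATH="$TOOLKIT" "$@"
}

# Typical session on the suspect host after booting from the live CD:
#   check_all_static "$TOOLKIT" && verify_manifest "$TOOLKIT" || exit 1
#   run_trusted ps aux
#   run_trusted netstat -anp
```

The order matters: verify the kit before trusting any of its output, and do the static check with a grep that comes from the kit, since a grep from the compromised system could be patched to lie. The manifest is mostly a concern for kits on writable media (USB sticks); a burned CD-R gives you the read-only property for free.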