RE: [suse-security] Let's assume a rootkit on our box
You could use a live eval version of the Linux distribution to get 'safe' copies of the binaries.

Richard
-----Original Message-----
From: Michael Appeldorn [SMTP:appeldorn@codixx.de]
Sent: 09 November 2001 13:55
To: Michael Bailey
Cc: suse-security@suse.com
Subject: RE: [suse-security] Let's assume a rootkit on our box

> I may be reinventing the wheel here, but wouldn't it be possible to put 'rootkit vulnerable' binaries on a floppy and leave it in the drive with the tab set to read-only?
>
> Then it should be possible to use uncompromised binaries like ps if you're suspicious of those on your hard drive.
If you want additional safety against rootkits, consider installing an IDS on every freshly installed server. If you just want to be sure that the ps and netstat commands have not been touched by an intruder, you could write a script that compares a checksum of these files each time you log in to the server. In order to always have clean binaries ready, you could also place them somewhere on the server on an unmounted, encrypted partition. But I admit that it is a bit much work :-)

Regards
Reto Inversini

----- Original Message -----
From: "Richard Clyne" <richard_clyne@anadarko.COM>
To: "'Michael Appeldorn'" <appeldorn@codixx.de>; "Michael Bailey" <mbailey@audioserve.com>
Cc: <suse-security@suse.com>
Sent: Thursday, November 08, 2001 3:34 PM
Subject: RE: [suse-security] Let's assume a rootkit on our box
> You could use a live eval version of the Linux distribution to get 'safe' copies of the binaries.
>
> Richard
>
> -----Original Message-----
> From: Michael Appeldorn [SMTP:appeldorn@codixx.de]
> Sent: 09 November 2001 13:55
> To: Michael Bailey
> Cc: suse-security@suse.com
> Subject: RE: [suse-security] Let's assume a rootkit on our box
>
> > I may be reinventing the wheel here, but wouldn't it be possible to put 'rootkit vulnerable' binaries on a floppy and leave it in the drive with the tab set to read-only?
> >
> > Then it should be possible to use uncompromised binaries like ps if you're suspicious of those on your hard drive.
On Thu, 8 Nov 2001 16:43:43 +0100 "Reto Inversini" <inversini@datacomm.ch> wrote:
> If you want additional safety against rootkits, consider installing an IDS on every freshly installed server. If you just want to be sure that the ps and netstat commands have not been touched by an intruder, you could write a script that compares a checksum of these files each time you log in to the server. In order to always have clean binaries ready, you could also place them somewhere on the server on an unmounted, encrypted partition. But I admit that it is a bit much work :-)
This is in fact basically what the SuSE security check scripts do, among other things. Plus, SuSE ships with aide and tripwire. Take your pick, or run all three; however, whatever way you look at it, this can ALWAYS be defeated. Even if the entire filesystem was read-only, a _good_ hacker could still alter stuff in memory so that the checksums didn't run, or trojan tripwire. In one pen test I simply disabled tripwire and set up a cron script to mail the last valid report to the admin every day with a different date. This worked fine for several weeks (until the delivery of the pen test report).

There have been SOOOO many threads on this topic on every security mailing list in the world, and basically, if an attacker is good enough (and you have to assume that they/he is/are), then the ONLY way to be sure of valid files and checksums is to:

a) Make a checksum of the entire system before you plug it into a network, and burn these checksums to CD.

b) Periodically reboot the system from known good media (i.e. the SuSE rescue CD) and compare the checksums against the CD-ROM copy.

Obviously this hurts uptimes :-) but it's the only sure way. Some military installations etc. go to the length of running all systems from CD-ROM (including NT - this is quite painful btw, I wouldn't recommend it..)

Don't be fooled into thinking that you are smarter than the attacker....

--
Viel Spaß
Nix - nix@susesecurity.com
http://www.susesecurity.com
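An added example that is not part of the thread, covering both Reto's "compare a checksum of these files" script and Nix's procedure of taking a whole-system baseline before the box goes on the network and re-checking it after booting from known-good media. It is a plain sh script; it assumes sha256sum(1), find(1), sort(1), comm(1) and mktemp(1) are available (md5sum, the 2001-era choice, has the same output layout), the script file name `baseline.sh` is made up, and the verify step assumes the suspect disk has been mounted read-only under /mnt from a rescue boot so that the kernel and tools doing the hashing are not the ones the intruder may have replaced.

```shell
#!/bin/sh
# Added example, not from the thread: build a checksum manifest of a
# filesystem tree and verify it later against the same tree mounted under
# another root (e.g. /mnt after booting from a rescue CD).
# Assumptions: sha256sum, find, sort, comm and mktemp exist; the manifest
# lives on read-only media (floppy with the tab set, or a burned CD).

# make_baseline ROOT MANIFEST
#   Record "<hash>  <path relative to ROOT>" for every regular file under
#   ROOT, staying on one filesystem (-xdev keeps /proc, /dev, /sys out).
#   Relative paths are what make the manifest reusable from a rescue boot,
#   where the root filesystem sits at /mnt instead of /.
make_baseline() {
    root=$1
    manifest=$2
    (
        cd "$root" || exit 1
        find . -xdev -type f -print | LC_ALL=C sort | while IFS= read -r f; do
            sha256sum "$f"
        done
    ) > "$manifest"
}

# verify_baseline ROOT MANIFEST
#   Recompute every hash named in MANIFEST against ROOT and report CHANGED
#   and MISSING entries, then report files under ROOT that the manifest
#   never saw (NEW). Returns 0 only if nothing differs.
verify_baseline() {
    root=$1
    manifest=$2
    status=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"
            status=1
        elif [ "$(sha256sum "$root/$path" | cut -d' ' -f1)" != "$expected" ]; then
            echo "CHANGED $path"
            status=1
        fi
    done < "$manifest"

    # A dropped-in binary or a new setuid helper has no manifest entry at
    # all, so also diff the current file list against the recorded one.
    expected_list=$(mktemp)
    actual_list=$(mktemp)
    new_list=$(mktemp)
    cut -d' ' -f3- "$manifest" | LC_ALL=C sort > "$expected_list"
    (cd "$root" && find . -xdev -type f -print) | LC_ALL=C sort > "$actual_list"
    LC_ALL=C comm -13 "$expected_list" "$actual_list" > "$new_list"
    if [ -s "$new_list" ]; then
        sed 's/^/NEW /' "$new_list"
        status=1
    fi
    rm -f "$expected_list" "$actual_list" "$new_list"
    return "$status"
}

# Typical use (file name baseline.sh is an assumption of this example):
#   on the freshly installed, still offline system
#     ./baseline.sh baseline / /floppy/baseline.sha256
#   after booting from rescue media with the disk mounted read-only on /mnt
#     ./baseline.sh verify /mnt /floppy/baseline.sha256
case "$1" in
    baseline) make_baseline "$2" "$3" ;;
    verify)   verify_baseline "$2" "$3" ;;
esac
```

The manifest records only content hashes; a real baseline (what aide and tripwire keep) also records mode, owner and inode data, since a rootkit can swap a binary for one of identical size and date. Run from the live system, the check has exactly the weakness Nix describes: a kernel-resident rootkit can lie to the hashing tool about what a file contains.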
On 8 Nov 2001 15:34, Richard Clyne wrote:

> You could use a live eval version of the Linux distribution to get 'safe' copies of the binaries.

No you cannot. If someone has root access to a box, he can change everything in your system, including the open() function in your kernel. (This can be easily done with a kernel module.) You cannot trust a box which has been broken into.

Backup - reinstall - patch - connect to the net.

And to answer the original question: a clever attacker would be able to change the entries in the /proc fs.

Peter
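An added example, not part of the thread, of the kind of check a practitioner would run before accepting Peter's /proc point at face value: a cross-view comparison of the process list. A kernel module that filters the directory listing of /proc hides a PID from ps and ls, but unless it also hooks the lookup path, /proc/<pid> stays reachable by name, so stat() on it still succeeds. The script lists /proc once, then walks every candidate PID and reports entries that can be stat'ed but were never listed. It is plain sh on Linux; the upper bound defaults to /proc/sys/kernel/pid_max (a full scan of a large pid_max takes a while in a shell loop), and all PIDs and file names it touches are the live system's, nothing is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: cross-view check for processes hidden
# from the /proc directory listing. Assumes a Linux /proc.
# Caveat, which is the thread's point: a rootkit that also filters the
# lookup path, or that tampers with this shell or with ls/awk, defeats it.

# listed_pids: PIDs as they appear in a directory listing of /proc.
listed_pids() {
    ls /proc | grep -E '^[0-9]+$' | LC_ALL=C sort -n
}

# hidden_pids [LIMIT]: print every PID <= LIMIT whose /proc entry can be
# looked up by name but does not appear in the listing. Returns 1 if any.
hidden_pids() {
    limit=${1:-$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)}
    listed=" $(listed_pids | tr '\n' ' ') "
    found=0
    pid=1
    while [ "$pid" -le "$limit" ]; do
        if [ -d "/proc/$pid" ]; then
            case "$listed" in
                *" $pid "*) ;;   # visible in both views, nothing to report
                *)
                    # Threads of a visible process are looked up by TID but
                    # are never listed in /proc, so Tgid != pid is benign.
                    tgid=$(awk '/^Tgid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)
                    if [ -n "$tgid" ] && [ "$tgid" != "$pid" ]; then
                        :
                    # A process that started after the first listing was
                    # taken is not hidden either: re-list and re-stat before
                    # reporting, so only a persistent mismatch is flagged.
                    elif ! ls /proc | grep -qx "$pid" && [ -d "/proc/$pid" ]; then
                        echo "$pid"
                        found=1
                    fi
                    ;;
            esac
        fi
        pid=$((pid + 1))
    done
    [ "$found" -eq 0 ]
}
```

Run as `hidden_pids` with no argument for a full scan; anything it prints deserves a look at /proc/<pid>/exe and /proc/<pid>/cmdline from the same shell, since the lookup path still works for those. A clean result proves little, which is Peter's argument: the same module that edits the listing can edit the lookup, and the only trustworthy view is from a kernel booted off known-good media.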
PW> On 8 Nov 2001 15:34, Richard Clyne wrote:
PW> > You could use a live eval version of the Linux distribution to get 'safe' copies of the binaries.
PW>
PW> No you cannot. If someone has root access to a box, he can change everything
PW> in your system, including the open() function in your kernel. (This can be
PW> easily done with a kernel module.)

You can, if you use a tool that protects your system against "bad" (or all newly loaded) kernel modules.
participants (5)
- da_bug
- Peter Nixon
- Peter Wiersig
- Reto Inversini
- Richard Clyne