> I've heard of, but not confirmed the existence of, a root kit that is
> not detected by Tripwire and other intrusion detection software.  It
> does this by keeping a backup of the original utility (eg. ls, ps, etc.)
> and then provides either its own utility or the original depending on
> how it is opened (eg. if by ld.so, open trojan, else open original).
> Am I just being paranoid, or is this sort of compromise really possible?

There is a reason that tripwire and aide are normally compiled as static 
binaries. And frankly, just copying the file will trigger the IDS, since it can 
use inode/sector location as one of the fingerprints.

Personally I (pretty much) do the following:

Install system from a "known safe source", as well as applicable patches.
Then we install AIDE. And set up a decent log set.
Then we copy the AIDE binary as well as the initial database to a media such as 
CD-ROM, which we then keep mounted in a CD unit.

Now, run AIDE check periodically (nightly) against that db. And all is well.

When I patch the system, just make sure the AIDE check is "clean" before the 
upgrade. Do the patches, do a new AIDE database and do an incremental burn of 
the CD. Then keep that routine up.

That, and keeping the kernel monolithic to prevent the "module type" 
exploits, and you have a pretty good setup.

Add to this logging of key elements to an old matrix printer.. Good luck in 
manipulating those logs remotely.

Frankly, I would actually like to see how to taint such a system...

Now, a fun thought would be to use a mirrored disk on either shared SCSI or 
fiber scsi for the system. Then break the mirror, mount one disk to a "secure" 
system and run the analyze from there, thereby bypassing ALL elements of the 
original object. (Okay, overkill).

