On Fri, 19 Apr 2002, Patrick Maheral wrote:

> I've heard of, but not confirmed the existence of, a root kit that is
> not detected by Tripwire and other intrusion detection software. It
> does this by keeping a backup of the original utility (eg. ls, ps, etc.)
> and then provides either its own utility or the original depending on
> how it is opened (eg. if by ld.so, open trojan, else open original).

any root kit based upon kernel modules can do that. Search for "knark"
with Google...

> I think that as long as the source of the "open" system call can be
> determined, a carefully crafted root-kit might be able to remain undetected
> as long as the system is running tainted code. I think the only way to
> be sure that a utility such as tripwire works is to run it on an
> untainted system (ie. boot from known good floppy/CD before running the
> software).

Yes, you are correct. To be safe, you need to keep the tripwire database on a
separate support which cannot be tampered with, and to check the integrity of
the system you should boot the system from secure media (e.g. a boot CDROM you
previously prepared), possibly in single user mode and unconnected from the
network.

> Am I just being paranoid, or is this sort of compromise really possible?

oh yes, it is possible.

Bye
Giacomo

-- 
_________________________________________________________________
Giacomo Mulas <[EMAIL PROTECTED], [EMAIL PROTECTED]>
_________________________________________________________________
OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel.: +39 070 71180 248 Fax : +39 070 71180 222
_________________________________________________________________
"When the storms are raging around you, stay right where you are"
(Freddy Mercury)
_________________________________________________________________
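The advice in the thread (baseline stored on media the host cannot write, verification run against the target filesystem from a trusted boot) can be illustrated with a minimal Tripwire-style checker. The script below is an added example written for this page, not code from the thread or from Tripwire: it records SHA-256, size and mode for a watched set of files, stores that baseline outside the checked tree, and reports which attributes changed. The `root` parameter is the point of the design: when the system is booted from rescue media, `root` is wherever the suspect filesystem is mounted, so the hashes are computed by a kernel the rootkit never loaded into. The sample "utilities" and the replaced `ps` in `demo()` are constructed inline so the script runs offline.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, rel_paths):
    """Record hash, size and mode for each path relative to root.

    Run this once on a known-good system; keep the result off the box
    (read-only media), never on the filesystem it describes.
    """
    db = {}
    for rel in rel_paths:
        p = os.path.join(root, rel)
        st = os.lstat(p)
        db[rel] = {"sha256": hash_file(p), "size": st.st_size,
                   "mode": oct(st.st_mode)}
    return db


def verify(root, baseline):
    """Compare the tree under root against a baseline.

    Returns {rel_path: [changed attributes]}; an empty dict means clean.
    Point root at a filesystem mounted from trusted boot media, otherwise a
    kernel-level rootkit can serve the original file to this very read().
    """
    findings = {}
    for rel, expected in baseline.items():
        p = os.path.join(root, rel)
        if not os.path.lexists(p):
            findings[rel] = ["missing"]
            continue
        st = os.lstat(p)
        diffs = []
        if hash_file(p) != expected["sha256"]:
            diffs.append("content")
        if st.st_size != expected["size"]:
            diffs.append("size")
        if oct(st.st_mode) != expected["mode"]:
            diffs.append("mode")
        if diffs:
            findings[rel] = diffs
    return findings


def demo():
    """Constructed scenario: a fake bin/ with ls and ps, then ps gets replaced."""
    with tempfile.TemporaryDirectory() as root, \
            tempfile.TemporaryDirectory() as media:   # media stands in for a read-only disk
        os.makedirs(os.path.join(root, "bin"))
        for name in ("ls", "ps"):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(b"#!/bin/sh\necho original " + name.encode() + b"\n")
        watched = ["bin/ls", "bin/ps"]

        # baseline written to the separate medium, not into root
        dbpath = os.path.join(media, "baseline.json")
        with open(dbpath, "w") as f:
            json.dump(build_baseline(root, watched), f)
        with open(dbpath) as f:
            stored = json.load(f)

        clean = verify(root, stored)                  # expected: {}
        # simulate a replaced utility, same name, different contents
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"#!/bin/sh\necho trojan ps\n")
        dirty = verify(root, stored)                  # expected: bin/ps flagged
    return clean, dirty


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

The check is only as good as the environment it runs in: executed on the live, possibly tainted system, every `open()` above goes through the kernel that the rootkit controls, which is exactly the deception the thread describes. Mounting the disk under a rescue boot and passing that mount point as `root` is what turns the hash comparison into evidence.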