hi chris

yes... i concur... with most all of your comments too ...cool...

> 
> This particular attack is a worm.
> 
> The "hosts" of the worm probably don't even know they're affected.

and now we're at stage 1 of a security breach...
who can predict what's gonna happen next... just depends
 
> > running tripwire and other ids are good and bad...
> > - bad because it's too late... they got in
> > - bad to use tripwire... because you don't have the original
> >   version... tripwire tells you the binary has been tampered with
> 
> For completeness' sake, let's say Tripwire tells you the files/directories
> modified.
>
> Most OSs these days have some form of package management system
> allowing you to restore files which you identified as changed.

relying on rpm is ridiculously painful for almost zero gain when
the same intent and security levels can be maintained in a
few seconds instead of hours of painstaking rpm messages


problem is you don't want tripwire to tell you sendmail.cf was
changed because you added some additional relay tests or other
virtual domains "you" added... and yet you do want tripwire
to tell you inetd.conf was changed...
        - poor thing, can't tell if its owner changed it or
        an outsider...

to constantly remake a tripwire db is risky because if you missed
one of the hackers' changes... and you remake the tripwire db...
then you've just hidden it as being ok...

i tend to initialize the tripwire db once when it was first installed
and patched offline...  

i also tend to run md5 checks on the files/directory tree, say hourly
or every few minutes, in addition to tripwire
        - i get an email ONLY if there's a problem that needs immediate
        attention..

> You could say, an LKM (or other kernel/system-file mods) can obscure the
> results you see, but that can be counteracted if you boot from a known clean,
> forensically-geared CD, etc etc...

yes... the forensically geared or just standalone virgin cdrom is good...


have fun
alvin

-- concurring with all comments anyway...
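The periodic hash check alvin describes above, as an added example (not code from the thread): it baselines a tree once, re-checks it later, treats a hypothetical owner-edited list (sendmail.cf) as expected change, and only flags the rest (inetd.conf, new or deleted files). It hashes with sha256 where the post says md5, since md5 collisions are practical; the files and contents in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical list of files the owner expects to edit by hand (the sendmail.cf case
# from the post); changes there are reported separately instead of raising an alarm.
EXPECTED_TO_CHANGE = {"etc/sendmail.cf"}
def hash_file(path, algo="sha256"):
    # sha256 instead of the post's md5: md5 collisions are practical today.
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Hash every regular file under root; run once on a freshly patched, offline box."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def check_tree(root, baseline):
    """Re-hash the tree and classify every difference against the stored baseline."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "removed": [], "expected": []}
    for rel, digest in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif digest != baseline[rel]:
            report["expected" if rel in EXPECTED_TO_CHANGE else "modified"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    return report

def needs_attention(report):
    """True only when something outside the owner-edited set changed; mail on this."""
    return bool(report["modified"] or report["added"] or report["removed"])

def demo():
    """Constructed scenario: owner edits sendmail.cf, inetd.conf changes, a file appears, one vanishes."""
    with tempfile.TemporaryDirectory() as d:
        etc = Path(d, "etc"); etc.mkdir()
        (etc / "sendmail.cf").write_text("O DaemonPortOptions=Port=smtp\n")
        (etc / "inetd.conf").write_text("ftp stream tcp nowait root /usr/sbin/in.ftpd\n")
        (etc / "hosts.allow").write_text("ALL: LOCAL\n")
        baseline = build_baseline(d)
        (etc / "sendmail.cf").write_text("O DaemonPortOptions=Port=smtp\nCw virtual.example\n")
        (etc / "inetd.conf").write_text("telnet stream tcp nowait root /usr/sbin/in.telnetd\n")
        (etc / "extra.conf").write_text("# not in the baseline\n")
        (etc / "hosts.allow").unlink()
        return check_tree(d, baseline)
```

Store the baseline somewhere the monitored host cannot rewrite it (read-only media or another machine), otherwise the same tampering that edits inetd.conf can also edit the baseline.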

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]