On Tue, 14 Dec 1999, Alan Mead wrote:

> At 04:44 PM 12/13/99 -0800, Aaron Turner wrote:
> 
> >Also realize that there are kernel modules out there that will "hide"
> >changes so using RPM or things like Tripwire will *not* show modified
> >files.  If you have reason to believe that someone would bother doing an
> >advanced crack like this, really your only choice is to re-install.
> 
> I agree RPM has its limits as a substitute for Tripwire or the like.  Two
> questions:  First, by reinstallation do you mean formatting the drive and

Use fdisk to delete the partitions, then go through the normal
install process.

> reinstalling or just install over the old binaries?  I am considering an
> upgrade to an old 5.2 system and I want to be sure it's clean after the
> install.  I'm wondering if I need to reformat or if an upgrade will secure
> all the binaries on the system.  

Unless you know for a fact that the hacker didn't delete an RPM and then
install a hacked binary from source, that wouldn't be safe.   Also, by
doing an upgrade, the hidden files the hacker left behind will most likely
still be on the system.

> Second, these hacked kernel modules are real, not rumor? I've considered
> the problem they pose to using Tripwire and I'm wondering if a simpler
> solution would be to boot from a known-secure floppy?  Assuming you could
> afford to reboot, that would ensure that the OS sees all the files, right?

Yes, the kernel modules are real.  I personally have yet to see one, but
I've seen enough reports from sources I consider reliable to believe
without a doubt that they exist.  I've also seen a number of hackers
advocate the use of kernel modules to do certain hacks & hide their
presence.  If someone has publicly advocated their use, then it's only a
matter of time before they're real.

As you suggest, if you use a write protected boot floppy to boot from (and
that means the kernel image you boot from must be on the floppy!) that
would be a safe benchmark to run tripwire from.  The problem with this is
that you have to boot off the floppy to update your Tripwire database AND
to verify your files.  Few systems can go down that often.

--
Aaron Turner, Core Developer       http://vodka.linuxkb.org/~aturner/
Linux Knowledge Base Organization  http://linuxkb.org/
Because world domination requires quality open documentation.
aka: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
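The offline check Aaron describes (boot a trusted kernel, then compare the suspect filesystem against a baseline kept on write-protected media) boils down to a baseline/verify pair. The script below is an added example, not code from the thread or from Tripwire: it records SHA-256 digests of every regular file under a mounted root, then reports modified, missing and newly appeared files, the last case being the "hidden files the hacker left behind" point above. The directory layout, the `demo` function and its fake root, binary and dropped dotfile are constructed for illustration; the tool names (`sha256sum`, `find`, `comm`) are GNU coreutils/findutils as found on a Linux rescue medium.

```shell
#!/bin/sh
# Added example, not from the original thread: a minimal Tripwire-style
# baseline/verify pair. Intended use: boot from a trusted, write-protected
# medium, mount the suspect root read-only at DIR, and keep DB on that same
# write-protected medium. All paths and names here are illustrative.

# build_baseline DIR DB: record the SHA-256 of every regular file under DIR.
# Output lines have the sha256sum format "<64 hex>  ./relative/path".
build_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort) > "$2"
}

# verify_baseline DIR DB: print modified, missing and new files under DIR.
# Returns 0 only if the tree matches the baseline exactly, 1 otherwise.
verify_baseline() {
    dir=$1; db=$2; rc=0

    # Modified or missing files: sha256sum -c prints one line per mismatch
    # and exits non-zero if any file failed or could not be opened.
    (cd "$dir" && sha256sum -c --quiet "$db") || rc=1

    # Files present now but absent from the baseline. A dropped toolkit or a
    # binary built from source does not show up in the hash check above
    # because nothing listed was touched; it shows up here instead.
    known=$(mktemp); now=$(mktemp)
    cut -c67- "$db" | LC_ALL=C sort > "$known"          # path starts at col 67
    (cd "$dir" && find . -type f | LC_ALL=C sort) > "$now"
    newfiles=$(comm -13 "$known" "$now")
    if [ -n "$newfiles" ]; then
        printf '%s\n' "$newfiles" | sed 's/^/NEW: /'
        rc=1
    fi
    rm -f "$known" "$now"
    return $rc
}

# demo: build a tiny constructed root, baseline it, then tamper with it the
# way the thread describes (replace a binary, leave a hidden dotfile) and
# verify twice. Prints "clean=0 dirty=1" on success.
demo() {
    root=$(mktemp -d); db=$(mktemp)
    mkdir -p "$root/bin" "$root/etc"
    printf 'original ls\n' > "$root/bin/ls"          # constructed "binary"
    printf 'root:x:0:0\n' > "$root/etc/passwd"
    build_baseline "$root" "$db"
    verify_baseline "$root" "$db" >/dev/null 2>&1; clean=$?
    printf 'trojaned ls\n' > "$root/bin/ls"          # replaced binary
    printf 'rootkit\n' > "$root/etc/.rk"             # hidden file left behind
    verify_baseline "$root" "$db" >/dev/null 2>&1; dirty=$?
    rm -rf "$root" "$db"
    echo "clean=$clean dirty=$dirty"
}
```

Run `demo` to see both outcomes, or call `build_baseline /mnt/suspect /media/floppy/baseline.db` once from the trusted boot and `verify_baseline` on later boots. The script cannot tell whether the kernel it runs under is trustworthy; that is exactly why the thread insists the kernel image itself live on the write-protected medium, since a hostile module loaded into the running kernel can lie to `find` and `sha256sum` alike.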

