On Wed, Dec 18, 2002 at 12:04:14AM -0600, Dave Ihnat wrote:
> On Tue, Dec 17, 2002 at 09:06:39PM -0800, Rick Johnson wrote:
> > That's where RPM comes in. As long as you're using its packages and
> > haven't recompiled them yourself, the stored MD5sums within the database
> > should be accurate.

> Um...and as long as rpm hasn't been compromised...

        The rpm app itself doesn't have to be compromised.

        I know of several worms that installed their kits and updates
using rpm.  Verifying with rpm will tell you everything is fine.  You
need trusted utilities from a trusted source (i.e. read-only media
as in one of the bootable business cards) and an off-line copy of the
rpm database.  Even if you can trust rpm (which you can't on the system
but you can from a BBC) you still can't trust the database on the system.
Tripwire, in this case, is a major benefit since they can't tamper with
that just by running the install.

> > I'd be appalled if a worm was able to modify the rpm database too in
> > order to bypass this method of verification.

> Why?  I'm very glad nobody with any skill seems to have seriously
> attacked this problem--I know I haven't looked at it--but with full
> sources available to the code that actually builds the RPM database,
> I see no reason why a tool couldn't be built that rebuilds the RPM
> database with values that match the rootkitted system's replaced files.

        It doesn't take any skill and it's already been done.  One
rootkit (bobkit if I remember correctly) installed its trojan
horse apps by downloading its rpms and installing them with rpm.
Takes no skill at all.

> > Another good tool would be to run chkrootkit on the box. Check
> > http://www.chkrootkit.org/ for more info.

> Absolutely.

        Agreed.

> > Bottom line is which will take you more time? Replacing a few binaries
> > verified changed and then patching your system, or reinstalling? The
> > more experienced admin will probably opt for the former.

> From experience--un-rootkitting takes between 90-120 minutes.  Clearly
> the former.

        Cleaning out a system is both time consuming and highly educational.
Highly recommended (in the shits and giggles sense of "recommended") if you
have the time and inclination.  90 to 120 minutes is optimistic depending
on the skill of the attacker, if they installed a GOOD root kit (or not),
and if you have off-line trusted databases and utilities (or not).  Time
goes up from there...

> Cheers,
> -- 
>       Dave Ihnat
>       [EMAIL PROTECTED]

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  [EMAIL PROTECTED]
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
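The verification procedure Mike describes above (trusted utilities booted from read-only media, the suspect disk mounted, and an off-line copy of the rpm database rather than the one on the suspect system) as a small POSIX shell script. This is an added example and not code posted by anyone in the thread; the mount points and database path are placeholders, the sample report lines are constructed, and the triage rules (size or MD5 change on a non-config file, or a missing file, counts as an alert) are this example's own choice.

```sh
#!/bin/sh
# Added example, not code from the thread. Triage of "rpm -V" output produced
# while booted from trusted media: verify the suspect system mounted at a
# known path against an OFF-LINE copy of the rpm database, never against the
# database living on the suspect disk. Placeholder paths:
#
#   rpm -Va --root /mnt/suspect --dbpath /trusted-rpmdb
#
# rpm resolves --dbpath beneath --root, so the trusted copy is placed at
# /mnt/suspect/trusted-rpmdb first. As the post notes, a package a worm
# installed *through* rpm still verifies clean, so the report must also be
# read package-aware (rpm -qa against the off-line package list); this
# script only separates "content differs" from harmless mtime/mode noise.
# Paths containing whitespace are not handled (rpm output is split on it).

# Classify one "rpm -V" line. Fields: attribute string, optional type flag
# (c=config, d=doc, ...), path; or the word "missing" followed by the path.
# Always returns 0 and prints one of:
#   "ALERT missing <path>", "ALERT content differs <path>",
#   "INFO config edited <path>", "INFO metadata <path>".
classify_line() {
    set -- $1
    attrs=$1
    if [ $# -ge 3 ]; then ftype=$2; path=$3; else ftype=""; path=$2; fi
    if [ "$attrs" = missing ]; then
        echo "ALERT missing $path"
        return 0
    fi
    case "$attrs" in
        S*|*5*)   # size or MD5 differs: the file content was replaced
            if [ "$ftype" = c ]; then
                echo "INFO config edited $path"      # expected for configs
            else
                echo "ALERT content differs $path"   # a binary was swapped
            fi ;;
        *)        # only mtime, mode, owner, group or symlink target differ
            echo "INFO metadata $path" ;;
    esac
    return 0
}

# Count ALERT lines in a verification report read from stdin.
count_alerts() {
    n=0
    while IFS= read -r line; do
        if [ -n "$line" ]; then
            case "$(classify_line "$line")" in
                ALERT*) n=$((n + 1)) ;;
            esac
        fi
    done
    echo "$n"
}

# Constructed sample report in rpm -V format (not real output from any system):
# a replaced /bin/ls, an edited config, an mtime-only change, a missing binary.
SAMPLE_REPORT='S.5....T.    /bin/ls
..5....T.  c /etc/hosts
.......T.    /usr/bin/top
missing      /sbin/ifconfig'

# Stand-alone run: print the classification of each line, then the alert count.
printf '%s\n' "$SAMPLE_REPORT" | while IFS= read -r l; do classify_line "$l"; done
printf '%s\n' "$SAMPLE_REPORT" | count_alerts
```

Run it from the trusted environment with the real report piped in (`rpm -Va --root /mnt/suspect --dbpath /trusted-rpmdb | count_alerts` after sourcing the script); a non-zero count is the cue to compare the package list as well, since the rpm database on the suspect disk can have been updated legitimately by the intruder's own `rpm -i`.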
