On 03/05/2013, at 01.55, unsp...@hushmail.com wrote:

> On Fri, 03 May 2013 00:23:13 +0200 "A K Varnell"
> <alvarn...@mac.com> wrote:
>> Just curious whether any of the existing Apache checks will catch
>> this one for Linux users?
>
> Let's start by emphasizing RKH is a passive, post-incident analysis
> tool. That means it will only catch "signatures" it knows about,
> only after it happened and only when you run it. Security (as in
> hardening, auditing and adjusting) is a continuous process. It
> should comprise multiple layers and preferably involve more than
> one active / passive tool or method. Running RKH does not equal
> "security": it's just a small part of things.
>
> In this case the perp first requires access to be able to drop the
> file, then elevate rights to be able to replace a root-owned binary
> and then start the process. While most of CDork is done in shared
> memory, replacing the binary still means package management (if
> capable enough and not subverted), a file system integrity checker,
> RKH's properties check or else 'grep -aq open_tty /path/to/httpd &&
> echo changed' should be able to verify it and alert you about
> changes. Additionally audit service watches or Samhain (because it
> uses Inotify) and regular log parsing (Logwatch or equivalent)
> could be added to the mix. Wrt detection also see the
> http://www.welivesecurity.com/wp-content/uploads/2013/04/dump_cdorked_config.c
> tool.
But how can you trust RKH when the computer is compromised? Or you just think it is compromised. And what is the worth of booting from a known good source, like a rescue CD, when RKH can no longer use --rootdir? Or take a SAN snapshot of your server, mount it inside another server and then use RKH when RKH can no longer use --rootdir? Or transfer a complete backup, and then run RKH on the backup server on the transferred files.

JonB

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
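The quoted reply lists several ways to notice a replaced httpd binary: the package manager, a file integrity checker, rkhunter's properties check, or simply grepping the binary for the `open_tty` string. The script below is an added example written for this thread, not code from the rkhunter project or from either poster. It combines the thread's string check with a minimal sha256 baseline comparison of the kind a file integrity checker performs, so that a binary is flagged both when it carries the marker string and when its hash no longer matches the recorded one. The `MARKER` value comes from the thread; the function names, the baseline file format ("hash path", one entry per line, paths without whitespace), and the paths passed on the command line are assumptions of this example.

```shell
#!/bin/sh
# Added example (not rkhunter code): flag an Apache binary that either
# contains the "open_tty" string quoted in the thread or whose sha256 hash
# differs from a previously recorded baseline.

MARKER="open_tty"   # string the thread associates with a Cdorked-patched httpd

# hash_file FILE -> prints the sha256 hex digest (sha256sum, or shasum on BSD/macOS)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# record_baseline FILE DB -> appends "hash path" for FILE to the baseline DB.
# Take the baseline from a known-good install and keep the DB off the host.
record_baseline() {
    printf '%s %s\n' "$(hash_file "$1")" "$1" >> "$2"
}

# check_httpd FILE DB -> returns 0 if FILE is clean, 1 if it is suspicious.
# Prints one line per finding so the output can be fed to a log parser.
check_httpd() {
    f=$1
    db=$2
    rc=0

    if [ ! -r "$f" ]; then
        echo "$f: not readable"
        return 1
    fi

    # Check 1: the string indicator quoted in the thread (grep -a treats the
    # binary as text; -q suppresses output and only sets the exit status).
    if grep -aq "$MARKER" "$f"; then
        echo "$f: contains '$MARKER' string"
        rc=1
    fi

    # Check 2: hash against the recorded baseline (what an integrity checker
    # or the package manager's verify step does for you on a larger scale).
    want=$(awk -v p="$f" '$2 == p {print $1}' "$db")
    have=$(hash_file "$f")
    if [ -z "$want" ]; then
        echo "$f: no baseline entry"
        rc=1
    elif [ "$have" != "$want" ]; then
        echo "$f: sha256 differs from baseline"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "$f: ok"
    return "$rc"
}

# Stand-alone usage: ./check_httpd.sh /path/to/httpd /path/to/baseline.db
if [ $# -ge 2 ]; then
    check_httpd "$1" "$2"
fi
```

The baseline only means something if it was recorded from a binary you trust and is stored somewhere the host cannot rewrite it; the same applies when the script runs against a mounted snapshot or a restored backup rather than the live system.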