RE: what is means ? + rootkits..

2002-04-22 Thread Eric LeBlanc
On Fri, 19 Apr 2002, Jan Johansson wrote: Then they don't know what they are saying, I would say that Tripwire / AIDE / such will be 100% efficient in detecting kits _PROVIDING_ that your database is current, and is stored in a tamper-proof location... and of course you actually use and

Re: what is means ? + rootkits..

2002-04-20 Thread Sam Couter
Jan Johansson [EMAIL PROTECTED] wrote: Now, run AIDE check periodically (nightly) against that db. And all is well. Here's a weakness: The attacker can replace AIDE (or any libraries it links to, if any exist, or even the kernel) with a fake that just says "Everything's OK" without really
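Added example, not code from the thread or from AIDE/Tripwire: a small Python stand-in for the init/check cycle described above, with the baseline authenticated by an HMAC whose key is assumed to live off the monitored host. It demonstrates the point made in this message and in Jan Johansson's "_PROVIDING_ that your database is current, and is stored in a tamper-proof location": a baseline the attacker cannot rewrite catches the dropped kit, and a baseline regenerated on the compromised host without the key is rejected. The function names (build_baseline, sign_baseline, load_baseline, check, demo) and the bin/ls, bin/ps and bin/rkd files are constructed for the example.

```python
"""AIDE/Tripwire-style file integrity check with an authenticated baseline.

Added example. The baseline records, per regular file, a SHA-256 of the
contents plus the inode metadata a dropped rootkit usually changes
(size, mode, owner, mtime). The serialised baseline is tagged with an
HMAC; the key is assumed to be generated and kept off the monitored host
(admin workstation, read-only media), so an attacker who can overwrite
the baseline file cannot produce one that verifies.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

HASH = "sha256"


def fingerprint(path: Path) -> dict:
    """Content hash plus the metadata fields compared at check time."""
    st = path.lstat()
    h = hashlib.new(HASH)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": st.st_mode,
            "uid": st.st_uid, "gid": st.st_gid, "mtime": int(st.st_mtime)}


def build_baseline(root: Path) -> dict:
    """Walk root and fingerprint every regular file, keyed by relative path (aide --init)."""
    base = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            base[str(p.relative_to(root))] = fingerprint(p)
    return base


def sign_baseline(baseline: dict, key: bytes) -> bytes:
    """Canonical JSON body followed by an HMAC tag computed with the off-host key."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, HASH).hexdigest().encode()
    return body + b"\n" + tag + b"\n"


def load_baseline(blob: bytes, key: bytes) -> dict:
    """Refuse a baseline whose tag does not verify: edited, or regenerated without the key."""
    body, tag, _ = blob.rsplit(b"\n", 2)
    expect = hmac.new(key, body, HASH).hexdigest().encode()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("baseline authentication failed")
    return json.loads(body)


def check(root: Path, baseline: dict) -> dict:
    """Compare the live tree against the baseline (aide --check)."""
    now = build_baseline(root)
    return {
        "added": sorted(set(now) - set(baseline)),
        "removed": sorted(set(baseline) - set(now)),
        "changed": sorted(p for p in now.keys() & baseline.keys()
                          if now[p] != baseline[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny bin/ tree, drop a kit, then try to hide it."""
    key = os.urandom(32)  # assumption: generated and stored off the monitored host
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\nexec /usr/bin/ps \"$@\"\n")
        signed = sign_baseline(build_baseline(root), key)  # stored read-only / off-host

        # Attacker replaces ps with a copy that hides a process and adds a daemon.
        (root / "bin" / "ps").write_bytes(
            b"#!/bin/sh\nexec /usr/bin/ps \"$@\" | grep -v rkd\n")
        (root / "bin" / "rkd").write_bytes(b"\x7fELF" + b"\x00" * 12)
        report = check(root, load_baseline(signed, key))

        # Attacker regenerates the baseline on the compromised host, but has no key.
        forged = sign_baseline(build_baseline(root), b"guess")
        try:
            load_baseline(forged, key)
            forged_accepted = True
        except ValueError:
            forged_accepted = False
    return {"report": report, "forged_accepted": forged_accepted}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The signed baseline only addresses the tampered-database case. As this message points out, the check still trusts the aide binary, its libraries and the kernel that serves the reads; a replacement at any of those layers can return the original bytes to the checker, which is why the comparison has to be made from a known-good copy of the tools rather than from the host's own.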

Re: what is means ? + rootkits..

2002-04-19 Thread Marcin Bednarz
Hi all. On Fri, 19 Apr 2002, Sidnei da Silva wrote: Clearly yes. In my opinion you should disable telnet and use ssh. Once I left telnet open after installing a server, and the next day I found a rootkit inside it. Telnet sucks badly. How to protect against rootkits? Is it some kind of

RE: what is means ? + rootkits..

2002-04-19 Thread Jan Johansson
How to protect against rootkits? Keep your system up to date, do not run unreliable software, do not give accounts to people you do not trust. Is it some kind of trojan which works with root privileges? Basically, yes. It is typically a kit you drop on the system via a remote root

Re: what is means ? + rootkits..

2002-04-19 Thread Patrick Maheral
On Fri, Apr 19, 2002 at 02:47:08PM +0200, Jan Johansson wrote: Why do some people say that e.g. Tripwire doesn't discover it? Then they don't know what they are saying, I would say that Tripwire / AIDE / such will be 100% efficient in detecting kits _PROVIDING_ that your database is current,

RE: what is means ? + rootkits..

2002-04-19 Thread Jan Johansson
I've heard of, but not confirmed the existence of, a root kit that is not detected by Tripwire and other intrusion detection software. It does this by keeping a backup of the original utility (eg. ls, ps, etc.) and then provides either its own utility or the original depending on how it

RE: what is means ? + rootkits..

2002-04-19 Thread Jan Johansson
Am I just being paranoid, or is this sort of compromise really possible? And also: If the IDS was there first it would trigger on the modified kernel/module/library (or whatever) since it has to differ between the last check _before_ the infection and the first check _after_ infection.

Re: what is means ? + rootkits..

2002-04-19 Thread Giacomo Mulas
On Fri, 19 Apr 2002, Patrick Maheral wrote: I've heard of, but not confirmed the existence of, a root kit that is not detected by Tripwire and other intrusion detection software. It does this by keeping a backup of the original utility (eg. ls, ps, etc.) and then provides either its own