Re: Rootkit

Rick Stevens wrote:
> On Mon, 2007-10-22 at 11:48 -1000, Dave Burns wrote:
> > On 10/21/07, Manuel Arostegui Ramirez <manuel@xxxxxxxxxxxxxx> wrote:
> > > On Sunday 21 October 2007 22:38:52 Dave Burns wrote:
> > > > You can trust the results if you reboot your system from a CD,
> > > From my experience, rebooting a hacked system is not a pretty good idea,
> > Exactly. So there are three contexts in which you are using the tools:
> >
> > 1) Not sure you've been hacked, just suspicious or vigilant.
> > 2) Sure you've been hacked, have not yet rebooted, looking for information.
> > 3) Sure you've been hacked, rebooted using a CD (e.g. knoppix) or
> > other known-good /.
> >
> > In situations 1 and 2, you can't totally trust your tools, unless
> > they're giving you bad news. In situation 3 you can trust the tools
> > as much as you can trust the "known-good /" where they are located. So
> > you're never totally sure you're in the clear.
> >
> > I guess the truly paranoid might boot from a CD and do an audit
> > periodically, I guess that might make me feel pretty confident. Hard
> > to automate it (and may open up new vulnerabilities), no one wants it
> > happening during ordinary working hours, and I don't want to be doing
> > it by hand outside ordinary hours. Yuck.
>
> I keep a write-protectable USB FLASH disk with necessary utilities on it
> such as netstat, ls, ps, rm, chattr, lsattr, find, chkrootkit, etc.  I
> plug it in, mount it (typically at /media/DeHack) and do forensics such
> as
>
>     # /media/DeHack/bin/netstat -lpn
>
> That way I know I'm using an uncompromised version of the utilities I
> need.
>
> With F7 and such, you could boot a live CD of the system and do your
> forensics that way, but you won't see the hacked network stuff since the
> hacked system won't be booted and the suspect stuff won't be running.
> It would be a good way to get uncompromised versions of the programs
> onto your forensics media, however.
>
> Best bet: Unplug the suspect machine from your network, plug in your
> dehacking tools drive (write protected, of course) and have at it.
>
> > > To evaluate my general system security I use babel
> > Is that comparable to nagios, or more security oriented?
> >
> > gracias,
> > Dave
>
> ----------------------------------------------------------------------
> - Rick Stevens, Principal Engineer             rstevens@xxxxxxxxxxxx -
> - CDN Systems, Internap, Inc.                http://www.internap.com -
> -                                                                    -
> -  Memory is the second thing to go, but I can't remember the first! -
> ----------------------------------------------------------------------


While reading this thread it occurred to me that if disk drives had a read-only switch, then systems would be uncrackable. Automated updates would be impossible, but I could live with a complicated update process if it would guarantee that my programs couldn't be compromised.

Can someone tell me why this isn't a good idea? There must be a fatal flaw that I don't see, or else someone would be selling drives like this.

Regards,

John
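An added example, not from the thread or from any of its authors: a small POSIX sh helper that applies the checks Rick's "clean tools" procedure implies before trusting anything on the stick. It confirms the media is mounted read-only (from /proc/mounts, or a file passed in for testing), verifies each utility against a hash manifest kept on the same media, and then runs the tool from a clean environment so that nothing the suspect login shell inherited (PATH, LD_PRELOAD and friends) is in effect. The mount point /media/DeHack, the file name MANIFEST.sha256, and the function names are assumptions for the example. It cannot overcome Dave's caveat: a userland tool, however clean, still asks the running kernel for its answers, so a kernel-resident rootkit can lie to it; the static manifest and clean environment only close the userland holes.

```sh
#!/bin/sh
# Added example (hypothetical helper, not the thread's own tooling).
# Assumes a stick mounted at /media/DeHack with bin/ and MANIFEST.sha256
# (lines of "<sha256>  <name>", as produced by sha256sum) on it.
set -u

# Return 0 if MOUNTPOINT appears in MOUNTS_FILE (default /proc/mounts)
# with the "ro" option among its mount options.
media_is_readonly() {
    mp=$1
    mounts=${2:-/proc/mounts}
    awk -v mp="$mp" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
        END { exit found ? 0 : 1 }' "$mounts"
}

# Check every binary listed in MANIFEST against its copy in BINDIR.
# Prints each mismatch to stderr; returns 1 if any differ or are missing.
verify_tools() {
    bindir=$1
    manifest=$2
    rc=0
    while read -r sum name; do
        [ -n "$name" ] || continue
        actual=$(sha256sum "$bindir/$name" 2>/dev/null | awk '{ print $1 }')
        if [ "$actual" != "$sum" ]; then
            echo "MISMATCH: $bindir/$name" >&2
            rc=1
        fi
    done < "$manifest"
    return $rc
}

# Run TOOL from BINDIR with an empty environment, so PATH is only the
# clean bin/ and no LD_PRELOAD or similar from the suspect shell applies.
# Statically linked tools are what make this meaningful; a dynamic binary
# would still load the suspect system's shared libraries.
run_clean() {
    bindir=$1
    tool=$2
    shift 2
    env -i PATH="$bindir" "$bindir/$tool" "$@"
}

# The full sequence: refuse to proceed unless the media is read-only and
# the manifest checks out, then take the first look Rick's message shows.
dehack_check() {
    media=${1:-/media/DeHack}
    media_is_readonly "$media" || { echo "refusing: $media is not mounted read-only" >&2; return 1; }
    verify_tools "$media/bin" "$media/MANIFEST.sha256" || return 1
    run_clean "$media/bin" netstat -lpn
}

# Only act when invoked as "sh dehack.sh --run [mountpoint]"; sourcing the
# file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    dehack_check "${2:-/media/DeHack}"
fi
```

Generate MANIFEST.sha256 once, on a machine you trust, with `cd bin && sha256sum * > ../MANIFEST.sha256`, before the stick is write-protected; a manifest written after the fact on the suspect host proves nothing.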
