> On 10/22/07, Andy Green <andy@xxxxxxxxxxx> wrote:
>> You can cryptographically sign a hash of the executable and append the
>> signature to the executable itself. That way they can discover
>> tampering or change because the bad guy can't regenerate the sig as he
>> lacks both keys.
>
> If the intruder has gained root, he doesn't need the actual private
> key, he can just modify your signature checking program to give false
> negatives for his hacks.

Not so easy if this is enforced by the kernel, and he is spewing log traces everywhere (and the sysadmin reads his logs regularly!).

>> But it seems to me it's not where the real problems are for servers.
>> The real problems are in PHP or other scripts that accept user input as
>> PHP code or database queries one way or another,
>
> This is a good point. Those are the sorts of vulnerabilities that get
> the intruder in the door in the first place. Modifying your binaries
> comes later.

The point here is also that he can modify your config files too, eg, set an alias for ls to rm -rf / by running the "known safe" and untampered vi... open a reverse ssh shell in /etc/rc.local...

-Andy
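An added example (not from the thread) of the scheme discussed above: sign a SHA-256 digest of a file with a private key, append the raw signature to the file, and later verify it with only the public key, so that a modified file fails the check. It assumes openssl(1) is installed; the key pair and the stand-in "executable" are constructed for the demo, and the check is only as trustworthy as the verifier running it.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes openssl(1) is on PATH.
set -eu

SIG_LEN=256   # byte length of an RSA-2048 PKCS#1 v1.5 signature

# make_keys <priv.pem> <pub.pem>: throwaway 2048-bit RSA key pair for the demo.
make_keys() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
  openssl pkey -in "$1" -pubout -out "$2" 2>/dev/null
}

# sign_append <file> <privkey>: append sig(SHA-256(file)) to the file in place.
sign_append() {
  openssl dgst -sha256 -sign "$2" -out "$1.sig" "$1"
  cat "$1.sig" >> "$1"
  rm -f "$1.sig"
}

# verify_appended <file> <pubkey>: split off the trailing signature and check it
# against the bytes before it. Returns 0 if valid, 1 if missing or tampered.
verify_appended() {
  size=$(wc -c < "$1" | tr -d ' ')
  [ "$size" -gt "$SIG_LEN" ] || return 1
  head -c $((size - SIG_LEN)) "$1" > "$1.body"
  tail -c "$SIG_LEN" "$1" > "$1.sig"
  if openssl dgst -sha256 -verify "$2" -signature "$1.sig" "$1.body" >/dev/null 2>&1; then
    rm -f "$1.body" "$1.sig"; return 0
  fi
  rm -f "$1.body" "$1.sig"; return 1
}

# demo: returns 0 only if the untouched file verifies and a tampered copy does not.
demo() {
  dir=$(mktemp -d)
  make_keys "$dir/priv.pem" "$dir/pub.pem"
  printf 'fake-executable-bytes\n' > "$dir/prog"     # constructed stand-in binary
  sign_append "$dir/prog" "$dir/priv.pem"
  verify_appended "$dir/prog" "$dir/pub.pem" || return 1
  cp "$dir/prog" "$dir/tampered"
  # overwrite the first byte ('f' -> 'X') without changing the length
  printf 'X' | dd of="$dir/tampered" bs=1 seek=0 conv=notrunc 2>/dev/null
  if verify_appended "$dir/tampered" "$dir/pub.pem"; then return 1; fi
  rm -rf "$dir"
  return 0
}
```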