About this discussion, chkrootkit are for live systems, isn't it?
There's any tool to do rootkit analysis on a "dead" system?
I'm thinking of check for rootkits on snapshots of the file system of a
virtual machine to determine if the running virtual machine is compromised.
Thanks,
Jordi
bob.smith@xxxxxxxxxxx wrote:
Dave Burns <tburns@xxxxxxxxxx> kirjoitti:
> >> While reading this thread it occurred to me that if disk drives
had a
> >> read-only switch, then systems would be uncrackable.
Well, that would go a long way to make intrusion more difficult, but
not impossible. Intruder just mounts something on top of your read
only partition that looks a lot like your partition but with a few
well chosen modifications. He then has to hide evidence of his trick,
which would not be easy (at least for me!), but that's not to say it
could not be done. In fact I have heard of a very similar approach
being used (sort of the opposite - an innocuous partition mounted over
a partition full of rootkit stuff to keep it hidden), though
apparently the intruder had not perfected it yet, since the admin
eventually figured out what was going on.
> There are special filesystems ("unionfs" ?)
> that redirect writes to a read-only file to a copy of the file in a
> writable partition (I think).
Yeah, but wouldn't that defeat the idea? Are you making it read only
so that you know for sure it is good and can use it with confidence or
so that you can easily recover your original files after getting
(expletive deleted)? This "read-only" partition approach is only worth
the trouble if it actually takes some capability away from the
intruder. If the filesystem is read/write but your "originals" are
read only, that only bothers the intruder if he actually wants to
erase them. What does he want to erase? Log files, which do not belong
on a read only filesystem in any case.
You could use it for monitoring - if it was easy to do a check whether
ps and lsof and other critical executables were actually on the
read-only part of disk or had been modified. The utility that does the
check had better be on the read only partition, but what do you use to
check it? If you're totally hacked you can't be sure that the
utilities that you execute are actually coming from that disk. You
might be logged in to an emulator! Might as well use tripwire or aide
and not bother with the read-onlyness.
This has got me thinking.
Dave
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Hi, I am glad you are discussing this, because there are issues to
ponder.
About hacking and cracking. A while back I had this idea, well a few
years back, but it was put aside because a university professor
disregarded it as useless. and maybe it is.
The idea was to create sort of(in some way) "encrypted and protected"
executables. This to be able to verify that an executable is what it
is(located on machine X, and compiled on machine x). Further, the
executable would be made so that it could not run on a system on which
it was not allowed to run. That was the basis of the idea. Purely
theoretical. How this could be achieved in reality is beyond my
current knowledgebase, but I am sure that someone else with more
knowledge in encryption and protection than me, could maybe analyse
this further.
(Sure, most machines are loaded with translators and script
interpreters like perl, and PHP and many others, which allows for
making quite much damage through scripting. )
Still, it could be something to think about.
best r
Bobo
--
......................................................................
__
/ / Jordi Prats
C E / S / C A Dept. de Sistemes
/_/ Centre de Supercomputació de Catalunya
Gran Capità, 2-4 (Edifici Nexus) · 08034 Barcelona
T. 93 205 6464 · F. 93 205 6979 · jprats@xxxxxxxx
......................................................................