Re: Rootkit

Rick Stevens wrote:
> On Mon, 2007-10-22 at 11:48 -1000, Dave Burns wrote:
>> On 10/21/07, Manuel Arostegui Ramirez <manuel@xxxxxxxxxxxxxx> wrote:
>>> On Sunday 21 October 2007 22:38:52 Dave Burns wrote:
>>>> You can trust the results if you reboot your system from a CD,
>>> From my experience, rebooting a hacked system is not a pretty good idea,
>> Exactly. So there are three contexts in which you are using the tools:
>>
>> 1) Not sure you've been hacked, just suspicious or vigilant.
>> 2) Sure you've been hacked, have not yet rebooted, looking for information.
>> 3) Sure you've been hacked, rebooted using a CD (e.g. knoppix) or
>> other known-good /.
>>
>> In situations 1 and 2, you can't totally trust your tools, unless
>> they're giving you bad news. In situation 3 you can trust the tools
>> as much as you can trust the "known-good /" where they are located. So
>> you're never totally sure you're in the clear.
>>
>> I guess the truly paranoid might boot from a CD and do an audit
>> periodically, I guess that might make me feel pretty confident. Hard
>> to automate it (and may open up new vulnerabilities), no one wants it
>> happening during ordinary working hours, and I don't want to be doing
>> it by hand outside ordinary hours. Yuck.
>
> I keep a write-protectable USB FLASH disk with necessary utilities on it
> such as netstat, ls, ps, rm, chattr, lsattr, find, chkrootkit, etc.  I
> plug it in, mount it (typically at /media/DeHack) and do forensics such
> as
>
>     # /media/DeHack/bin/netstat -lpn
>
> That way I know I'm using an uncompromised version of the utilities I
> need.
>
> With F7 and such, you could boot a live CD of the system and do your
> forensics that way, but you won't see the hacked network stuff since the
> hacked system won't be booted and the suspect stuff won't be running.
> It would be a good way to get uncompromised versions of the programs
> onto your forensics media, however.
>
> Best bet: Unplug the suspect machine from your network, plug in your
> dehacking tools drive (write protected, of course) and have at it.
>
>>> To evaluate my general system security I use babel
>> Is that comparable to nagios, or more security oriented?
>>
>> gracias,
>> Dave
>
> ----------------------------------------------------------------------
> - Rick Stevens, Principal Engineer             rstevens@xxxxxxxxxxxx -
> - CDN Systems, Internap, Inc.                http://www.internap.com -
> -                                                                    -
> -  Memory is the second thing to go, but I can't remember the first! -
> ----------------------------------------------------------------------


While reading this thread it occurred to me that if disk drives had a read-only switch, then systems would be uncrackable. Automated updates would be impossible, but I could live with a complicated update process if it would guarantee that my programs couldn't be compromised.

Can someone tell me why this isn't a good idea? There must be a fatal flaw that I don't see, or else someone would be selling drives like this.

Regards,

John

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
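Rick's write-protected-disk procedure quoted above, as an added example (not code from the thread or from any of its participants): a POSIX shell helper that refuses a forensics disk unless it is mounted read-only and its tools are statically linked, runs them by absolute path with a scrubbed environment, and diffs their output against the suspect host's own copies. The mount point /media/DeHack comes from the post; the $MEDIA/bin layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: checks for a forensics disk like
# the one in the post (read-only mount, static tools, scrubbed environment,
# output compared with the suspect host's copies). Paths are assumed.

# is_readonly_mount MOUNTS_FILE MOUNTPOINT: is MOUNTPOINT listed with "ro"?
# MOUNTS_FILE is normally /proc/mounts. A writable forensics disk can be
# trojaned by the very host it is plugged into, so refuse to use one.
is_readonly_mount() {
    awk -v mp="$2" '$2 == mp { n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1 }
        END { exit ro ? 0 : 1 }' "$1"
}

# is_static BINARY: heuristic, a dynamically linked ELF names its loader
# (ld-linux/ld-musl) in PT_INTERP and would load the suspect host's libc.
is_static() { ! grep -a -q -e 'ld-linux' -e 'ld-musl' "$1"; }

# run_trusted MEDIA TOOL [ARGS...]: run $MEDIA/bin/TOOL by absolute path with
# an empty environment (no LD_PRELOAD, no attacker-controlled PATH).
run_trusted() {
    media="$1"; tool="$2"; shift 2
    env -i PATH="$media/bin" "$media/bin/$tool" "$@"
}

# compare_tool MEDIA SYSTEM_BIN TOOL [ARGS...]: diff the trusted copy's output
# against the on-disk copy's. 0 = identical, 1 = they disagree (e.g. a
# trojaned ps or netstat hiding entries; the diff is printed), 2 = setup failed.
compare_tool() {
    media="$1"; sysbin="$2"; tool="$3"; shift 3
    tmp=$(mktemp -d) || return 2
    run_trusted "$media" "$tool" "$@" > "$tmp/trusted"
    env -i PATH="$sysbin" "$sysbin/$tool" "$@" > "$tmp/system"
    if cmp -s "$tmp/trusted" "$tmp/system"; then rm -rf "$tmp"; return 0; fi
    echo "$tool: trusted (<) and system (>) output differ"
    diff "$tmp/trusted" "$tmp/system" || true
    rm -rf "$tmp"; return 1
}

# audit MEDIA SYSTEM_BIN TOOL...: refuse unless MEDIA is read-only and every
# TOOL is static, then compare each one, e.g. audit /media/DeHack /bin netstat ps
audit() {
    media="$1"; sysbin="$2"; shift 2
    is_readonly_mount /proc/mounts "$media" || { echo "$media: not read-only"; return 2; }
    for tool in "$@"; do
        is_static "$media/bin/$tool" || { echo "$tool: dynamically linked"; return 2; }
    done
    rc=0; for tool in "$@"; do compare_tool "$media" "$sysbin" "$tool" || rc=1; done
    return $rc
}
```

A kernel-level rootkit can lie to the trusted userland tools just as well, which is the thread's point that contexts 1 and 2 are never fully trustworthy.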