Rootkit

Dave Burns tburns at hawaii.edu
Mon Oct 22 21:48:46 UTC 2007


On 10/21/07, Manuel Arostegui Ramirez <manuel at todo-linux.com> wrote:
> On Sunday 21 October 2007 22:38:52 Dave Burns wrote:
> >
> > You can trust the results if you reboot your system from a CD,
>
> >From my experience, rebooting a hacked system is not a pretty good idea,

Exactly. So there are three contexts in which you are using the tools:

1) Not sure you've been hacked, just suspicious or vigilant.
2) Sure you've been hacked, have not yet rebooted, looking for information.
3) Sure you've been hacked, rebooted using a CD (e.g. knoppix) or
other known-good /.

In situation 1 and 2, you can't totally trust your tools, unless
they're giving you bad news. In situation 3 your can trust the tools
as much as you can trust the "known-good /" where they are located. So
you're never totally sure you're in the clear.

I guess the truly paranoid might boot from a CD and do an audit
periodically, I guess that might make me feel pretty confident. Hard
to automate it (and may open  up new vulnerabilities), no one wants it
happening during ordinary working hours, and I don't want to be doing
it by hand outside ordinary hours. Yuck.

>To evalue my general system security I use babel

Is that comparable to nagios, or more security oriented?

gracias,
Dave




More information about the users mailing list