Rootkit

John Wendel john.wendel at metnet.navy.mil
Mon Oct 22 23:16:03 UTC 2007


Rick Stevens wrote:
> On Mon, 2007-10-22 at 11:48 -1000, Dave Burns wrote:
>> On 10/21/07, Manuel Arostegui Ramirez <manuel at todo-linux.com> wrote:
>>> On Sunday 21 October 2007 22:38:52 Dave Burns wrote:
>>>> You can trust the results if you reboot your system from a CD,
>>> From my experience, rebooting a hacked system is not a pretty good idea,
>> Exactly. So there are three contexts in which you are using the tools:
>>
>> 1) Not sure you've been hacked, just suspicious or vigilant.
>> 2) Sure you've been hacked, have not yet rebooted, looking for information.
>> 3) Sure you've been hacked, rebooted using a CD (e.g. knoppix) or
>> other known-good /.
>>
>> In situation 1 and 2, you can't totally trust your tools, unless
>> they're giving you bad news. In situation 3 you can trust the tools
>> as much as you can trust the "known-good /" where they are located. So
>> you're never totally sure you're in the clear.
>>
>> I guess the truly paranoid might boot from a CD and do an audit
>> periodically, I guess that might make me feel pretty confident. Hard
>> to automate it (and may open up new vulnerabilities), no one wants it
>> happening during ordinary working hours, and I don't want to be doing
>> it by hand outside ordinary hours. Yuck.
> 
> I keep a write-protectable USB FLASH disk with necessary utilities on it
> such as netstat, ls, ps, rm, chattr, lsattr, find, chkrootkit, etc.  I
> plug it in, mount it (typically at /media/DeHack) and do forensics such
> as
> 
>     # /media/DeHack/bin/netstat -lpn
> 
> That way I know I'm using an uncompromised version of the utilities I
> need.
> 
> With F7 and such, you could boot a live CD of the system and do your
> forensics that way, but you won't see the hacked network stuff since the
> hacked system won't be booted and the suspect stuff won't be running.
> It would be a good way to get uncompromised versions of the programs
> onto your forensics media, however.
> 
> Best bet: Unplug the suspect machine from your network, plug in your
> dehacking tools drive (write protected, of course) and have at it.
> 
>>> To evaluate my general system security I use babel
>> Is that comparable to nagios, or more security oriented?
>>
>> gracias,
>> Dave
>>
> ----------------------------------------------------------------------
> - Rick Stevens, Principal Engineer             rstevens at internap.com -
> - CDN Systems, Internap, Inc.                http://www.internap.com -
> -                                                                    -
> -  Memory is the second thing to go, but I can't remember the first! -
> ----------------------------------------------------------------------
> 

While reading this thread it occurred to me that if disk drives had a 
read-only switch, then systems would be uncrackable. Automated updates 
would be impossible, but I could live with a complicated update 
process if it would guarantee that my programs couldn't be compromised.

Can someone tell me why this isn't a good idea?  There must be a fatal 
flaw that I don't see, or else someone would be selling drives like this.

Regards,

John
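The procedure Rick describes in the quoted post (a write-protected medium of known-good utilities mounted at /media/DeHack, used after unplugging the box) can be scripted so the sanity checks run before any tool output is believed: confirm the medium really is mounted read-only, compare the suspect system's own binaries against the trusted copies, and invoke the trusted tools with a clean environment. The script below is an added example, not code from the thread or from any of its posters; it assumes the tools live under /media/DeHack/bin, and that awk and sha256sum are themselves run from the trusted medium or otherwise trusted.

```shell
#!/bin/sh
# Added example, not from the thread: work only with tools from a
# write-protected medium, confirm it really is mounted read-only, and
# check the suspect system's own binaries against the trusted copies
# before believing anything they print. /media/DeHack is Rick's mount
# point from his post; the bin/ layout under it is an assumption.
TOOLS_DIR="${TOOLS_DIR:-/media/DeHack}"

# Return 0 if MOUNTPOINT is listed with the "ro" option in the mounts
# table (default /proc/mounts; another file can be passed for testing).
mount_is_readonly() {
    mp="$1"; mounts="${2:-/proc/mounts}"
    awk -v mp="$mp" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
        END { exit !found }' "$mounts"
}

# Compare every tool in TRUSTED_BIN with the same-named file in LIVE_BIN by
# SHA-256. Prints MATCH, DIFFER or MISSING per tool; returns 1 if any tool
# differs or is missing. A DIFFER is a lead, not proof: package versions,
# prelink and architecture all change hashes legitimately.
compare_tools() {
    trusted_bin="$1"; live_bin="$2"; status=0
    for t in "$trusted_bin"/*; do
        name=$(basename "$t")
        live="$live_bin/$name"
        if [ ! -f "$live" ]; then
            echo "MISSING $name"; status=1; continue
        fi
        h1=$(sha256sum "$t" | cut -d' ' -f1)
        h2=$(sha256sum "$live" | cut -d' ' -f1)
        if [ "$h1" = "$h2" ]; then
            echo "MATCH $name"
        else
            echo "DIFFER $name"; status=1
        fi
    done
    return $status
}

# Run TOOL from the trusted medium with an empty environment, so the
# suspect system's PATH, LD_PRELOAD and shell aliases cannot redirect it.
# Dynamically linked tools still load the suspect system's libc; put
# statically linked builds on the medium.
run_trusted() {
    tool="$1"; shift
    env -i PATH="$TOOLS_DIR/bin" "$TOOLS_DIR/bin/$tool" "$@"
}

# Invoked as "sh dehack.sh --run" on the suspect machine (after unplugging
# it from the network, as Rick suggests); sourcing the file only defines
# the functions.
if [ "${1:-}" = "--run" ]; then
    if ! mount_is_readonly "$TOOLS_DIR"; then
        echo "refusing to continue: $TOOLS_DIR is not mounted read-only" >&2
        exit 1
    fi
    compare_tools "$TOOLS_DIR/bin" /bin \
        || echo "some live binaries differ; treat their output as untrusted" >&2
    run_trusted netstat -lpn
fi
```

These checks only raise confidence against userland tampering. In Dave's situations 1 and 2 the suspect kernel is still running, and a kernel-level rootkit can filter what /proc and the socket tables report to any binary, trusted medium or not; the known-good boot of situation 3 remains the way to look for that, and, as Dave notes, only to the extent the boot medium itself is trusted.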



