Full Disclosure mailing list archives

RE: Linux (in)security


From: Feher Tamas <etomcat () freemail hu>
Date: Mon, 27 Oct 2003 12:20:36 +0100 (CET)

Hello,

I can determine when a Windows box has been owned easily.
How do you determine if you have a KLM on your Linux box?

On both occasions, you need to shut down the computer and boot it 
from an alternative source (like CD-ROM with MS-DOS), then load 
drivers for the file system (NTFS, EXT2, ReiserFS, etc.) and then run a 
virus scanner.

Or just relocate the suspect hard drive into another known clean 
machine and perform virus scanning with your favourite Windows/Unix 
antivirus software.

It is a fact of life that certain sophisticated Windows and Un*x root kits 
cannot be detected in runtime any more after they were installed. You 
must shut down the OS and investigate using an external standpoint, 
that is an alternative OS boot. (*)

Here is an article about sophisticated Windows rootkits; they are now 
truly on par with their Un*x counterparts:
http://www.securityfocus.com/news/2879

Sincerely: Tamas Feher.

(*)
PS: It should be noted that some true server machines, like the IBM 
AS/400, have alternative boot path support by factory default. Un*x and 
Windows have a long way to go regarding reliability and security 
measures before they can catch IBM's monsters.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
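The offline procedure the post describes (boot from clean media, mount the suspect disk, inspect it from outside the possibly compromised OS), as an added example that is not part of the original message: a POSIX sh integrity check that compares a known-good sha256 manifest against the files on the mounted disk. The mountpoint, device and manifest location are assumptions, and the manifest is taken to be ordinary `sha256sum` output with paths relative to the suspect root.

```shell
#!/bin/sh
# Offline integrity check of a suspect Linux root filesystem, run from a clean
# rescue boot. Added example, not part of the original post.
# Assumptions: the suspect disk is mounted read-only under a directory, and a
# baseline manifest in `sha256sum` format ("HASH  relative/path"), taken from a
# known-good install and kept on the rescue media, is available.

# Mount the suspect volume from the rescue OS, never from the suspect OS itself:
# ro so nothing is altered, noexec/nosuid/nodev so nothing on it can run.
# Usage (hypothetical device and mountpoint): mount_suspect /dev/sdb1 /mnt/suspect
mount_suspect() {
    mount -o ro,noexec,nosuid,nodev "$1" "$2"
}

# offline_integrity_check BASELINE ROOT
# Prints one line per discrepancy between the baseline and the files under ROOT:
#   MODIFIED path   hash differs from the baseline (e.g. a replaced system binary)
#   MISSING  path   listed in the baseline but absent on disk
#   NEW      path   on disk but not in the baseline (e.g. a dropped kernel module)
# Returns 0 when the tree matches the baseline, 1 otherwise.
offline_integrity_check() {
    baseline=$1
    root=$2
    report=$({
        # Every file the baseline knows about: hash it in place and compare.
        while read -r expected path; do
            [ -n "$path" ] || continue
            if [ ! -f "$root/$path" ]; then
                echo "MISSING  $path"
            elif [ "$(sha256sum "$root/$path" | cut -d' ' -f1)" != "$expected" ]; then
                echo "MODIFIED $path"
            fi
        done < "$baseline"
        # Every file on disk: flag anything the baseline has never seen.
        # (Paths containing spaces are not handled by this simple manifest parse.)
        find "$root" -type f | while read -r f; do
            rel=${f#"$root/"}
            cut -d' ' -f3- "$baseline" | grep -qxF -- "$rel" || echo "NEW      $rel"
        done
    } | LC_ALL=C sort)
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}
```

The manifest must come from the rescue media or another trusted source, not from the suspect disk, since a rootkit that can hide from runtime tools can just as easily rewrite a manifest stored on the same volume.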