Full Disclosure mailing list archives
Re: Linux big bang theory....
From: "J. Oquendo" <sil () infiltrated net>
Date: Mon, 21 May 2007 12:59:07 -0400
Vincent Archer wrote:
On Sun, 2007-05-13 at 23:07 -0700, Andrew Farmer wrote:This script really doesn't prove anything, though. All it shows is that a compromised machine can be difficult to impossible to clean properly - which has been known for a *long* time. Ken Thompson discussed a much cleverer one in "Trusting Trust". It's also worth noting that this is in no way specific to UNIX systems. It's simply an unalterable fact that, once an attacker has had full access to the machine, it's possible for them to make changes which will allow them reentry at a later date.I don't have (and I doubt anybody around here can) the proof to make this a theorem, but it is a good postulate: - It is impossible to prove the integrity of a computing system from within the same system. In olden days, this created the fundamental rules for systems like Tripwire: place the signatures on non-alterable storage, run tripwire in single user mode (ahh, the naive assumption that single user mode would be safe enough). Today, the preferred method of checking the integrity of a system involves virtualisation of said system, and verification from the hosting component of the hosted one. Or the hammer approach of erasing the state of the system after use, and rolling it back to a "proven" safe and stable one.
I've added a function to hide the script from showing up on Samhainawk -vfilename=$filename '{print "perl -pi -e '\''s/'$filename'/samhain/g'\''"}' /var/log/samhain_log|sh
What is does when run now is look for the instance of its name (the backdoor's name) and rename it to Samhain. So if the file created is called foo.h and Samhain logs it, it will go and rename foo.h in the logs to Samhain. Tripwire is no difference unless both logs are kept offline. On a side note, I started tinkering with a triple threat mechanism of checksums: (SHA1 + MD5 + RIPE160) http://www.infiltrated.net/scripts/saki.html Just don't know if I want to devote time to doing a full blown program. It works as is, but does nothing more than checksum whatever is in my current path of which later I can do a diff etc. -- ==================================================== J. Oquendo http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743echo infiltrated.net|sed 's/^/sil@/g'
"Wise men talk because they have something to say; fools, because they have to say something." -- Plato
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Linux big bang theory...., (continued)
- Re: Linux big bang theory.... Pavel Kankovsky (May 12)
- Re: Linux big bang theory.... Just1n T1mberlake (May 13)
- Re: Linux big bang theory.... Valdis . Kletnieks (May 13)
- Re: Linux big bang theory.... Andrew Farmer (May 13)
- Re: Linux big bang theory.... Andrew Farmer (May 13)
- Re: Linux big bang theory.... Mike Owen (May 15)
- Re: Linux big bang theory.... Valdis . Kletnieks (May 13)
- Re: Linux big bang theory.... Just1n T1mberlake (May 13)
- Re: Linux big bang theory.... Tremaine Lea (May 13)
- Re: Linux big bang theory.... Andrew Farmer (May 13)
- Re: Linux big bang theory.... Vincent Archer (May 21)
- Re: Linux big bang theory.... J. Oquendo (May 21)
- Re: Linux big bang theory.... gary sweet (May 21)
- Re: Linux big bang theory.... Pavel Kankovsky (May 26)
- Re: Linux big bang theory.... Valdis . Kletnieks (May 26)
- Re: Linux big bang theory.... Pavel Kankovsky (May 27)
- Re: Linux big bang theory.... Vincent Archer (May 28)
- Re: Linux big bang theory.... Tremaine Lea (May 13)
- Re: Linux big bang theory.... scott (May 13)
- Re: Linux big bang theory.... Kradorex Xeron (May 14)
- Re: Linux big bang theory.... Troy (May 14)
- Re: Linux big bang theory.... Kradorex Xeron (May 15)