Security Incidents mailing list archives
Re: Break-in attempt from 203.197.38.247
From: Jason Storm <sec () ORGONE NEGATION NET>
Date: Thu, 24 Aug 2000 21:23:15 -0700
if you're running a kernel that allows loadable modules, you can't trust anything. even if you're not, if you haven't tripwired your kernel, you can't be sure the attacker didn't replace it with one that supports modules. modular rootkits are nothing exotic. anyone who has examined many compromised linux boxes and not bumped into them probably is not looking correctly.

-jason storm
negation industries

On Thu, 24 Aug 2000, Valdis Kletnieks wrote:

> On Thu, 24 Aug 2000 11:23:48 -0000, Nick Phillips <nwp () CHECKAPRICE COM> said:
> > On Wed, Aug 23, 2000 at 01:09:08PM -0400, Valdis Kletnieks wrote:
> > > You may wish to re-try the 'ls' with a known good 'ls' binary
> > > retrieved off the installation CD or someplace.
> >
> > Not sufficient. Everything that ls depends on needs to be known good
> > too... this includes libs, kernel... ;)
>
> Well.. Yeah. but I've not seen TOO many rootkits that trojan libc.a or
> the kernel (although I've seen a few Linux-based loadable modules)...
>
> Do you trust your install CD? This is actually a serious question.
>
> @ARTICLE{Trusting.Trust,
>   author={Ken Thompson},
>   title={Reflections on Trusting Trust},
>   journal={Communications of the ACM},
>   volume=27, number=8, month=Aug, year=1984,
>   pages="761-763" }
>
> --
> Valdis Kletnieks
> Operating Systems Analyst
> Virginia Tech
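
One way to carry out the check this thread argues for, as an added example that is not from any poster in the thread: run from trusted boot media against the suspect disk mounted read-only, it hashes `ls`, the libraries it depends on and the kernel image against a baseline recorded while the system was known good. The function names, the manifest format and the mount point are assumptions.

```python
import hashlib
import os
import sys

def resolve_in_root(root, rel, max_hops=16):
    # Follow a symlink in the final path component, mapping absolute targets
    # back under the mounted root so nothing resolves into the analysis host.
    for _ in range(max_hops):
        full = os.path.join(root, rel)
        if not os.path.islink(full):
            return full
        target = os.readlink(full)
        if os.path.isabs(target):
            rel = target.lstrip("/")
        else:
            rel = os.path.normpath(os.path.join(os.path.dirname(rel), target))
        if rel == ".." or rel.startswith("../"):
            raise OSError("symlink escapes root: " + rel)
    raise OSError("too many symlink hops: " + rel)

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def verify_root(root, baseline):
    # baseline: {relative path: SHA-256 hex}, recorded while the system was
    # known good and kept off the host. Returns only the entries that fail.
    findings = {}
    for rel, expected in sorted(baseline.items()):
        try:
            actual = sha256_file(resolve_in_root(root, rel))
        except OSError as exc:
            findings[rel] = "unreadable: " + exc.__class__.__name__
            continue
        if actual != expected:
            findings[rel] = "MISMATCH"
    return findings

if __name__ == "__main__":
    # Hypothetical usage: verify.py /mnt/suspect manifest ("<sha256>  <path>" per line)
    baseline = {}
    with open(sys.argv[2]) as f:
        for line in f:
            digest, rel = line.split(None, 1)
            baseline[rel.strip().lstrip("/")] = digest
    for rel, status in verify_root(sys.argv[1], baseline).items():
        print(status, rel)
```

The result is only as trustworthy as the media the script, its interpreter and the baseline come from, which is the install-CD question raised in the quoted message.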