Re: Break-in attempt from 203.197.38.247

[Jason Storm <sec () ORGONE NEGATION NET>]

if youre running a kernel that allows loadable modules, you cant trust
anything.

even if youre not, if you havent tripwired your kernel, you cant be sure
the attacker didnt replace it with one that supports modules.

modular rootkits are nothing exotic.  anyone who has examined many
compromised linux boxes and not bumped into them probably is not looking
correctly.

-jason storm
 negation industries

 On Thu, 24 Aug 2000, Valdis Kletnieks wrote:

> On Thu, 24 Aug 2000 11:23:48 -0000, Nick Phillips <nwp () CHECKAPRICE COM>  said:
> > On Wed, Aug 23, 2000 at 01:09:08PM -0400, Valdis Kletnieks wrote:
> > > You may wish to re-try the 'ls' with a known good 'ls' binary retrieved
> > > off the installation CD or someplace.
> > Not sufficient. Everything that ls depends on needs to be known good too...
> > this includes libs, kernel... ;)
>
> Well.. Yeah.  but I've not seen TOO many rootkits that trojan libc.a or
> the kernel (although I've seen a few Linux-based loadable modules)...
>
> Do you trust your install CD?  This is actually a serious question.
>
> @ARTICLE{Trusting.Trust,
>         author={Ken Thompson},
>         title={Reflections on Trusting Trust},
>         journal={Communications of the ACM},
>         volume=27,
>         number=8,
>         month=Aug,
>         year=1984,
>         pages="761-763"
> }
>
> --
>                               Valdis Kletnieks
>                               Operating Systems Analyst
>                               Virginia Tech