Security Incidents mailing list archives

Re: yes, its t0rn again


From: Andrew Edelstein <andrew () PURE-CHAOS COM>
Date: Tue, 2 Jan 2001 23:33:45 -0800

On Mon, Jan 01, 2001 at 05:19:37PM -0000, johnathan curst wrote:
Another substantial change which I picked up on
was while setting up a honeypot, I did the usual
md5sum binary outputs saved onto non-writeable
floppy, but the crontabed script which was checking
for any changes to the md5sum results, was unable
to pick up on any difference even though the hacker's
binaries replaced mine. (Any ideas ?) Hence taking
me longer to detect the compromise..

Make sure your md5sum binary is also on immutable media. It doesn't do you any
good to have known good checksums, if the binary that does the checking can be
hacked to tell you what the hacker wants it to tell you.

--
Andrew Edelstein                http://andrew.pure-chaos.com

Colonel Slade: There are 2 kinds of people in this world, Charlie. The first
group is the people that face the music; the second group are those who run
for cover. Cover is better.
                                Scent of a Woman
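
The advice in the reply above, as an added example that is not part of the original post: a cron-style check that runs the checksum binary only from the read-only media, by absolute path and with loader overrides scrubbed. The mount point `/mnt/floppy`, the file names `md5sum` and `baseline.md5`, and the function names are hypothetical; the baseline is assumed to have been written by the trusted `md5sum` with absolute paths.

```shell
#!/bin/sh
# Added example. Store this script on the same write-protected media as the
# checker; /mnt/floppy and the file names are hypothetical placeholders.
TRUSTED_MNT=${TRUSTED_MNT:-/mnt/floppy}
MOUNTS_FILE=${MOUNTS_FILE:-/proc/mounts}

# is_readonly_mount MOUNTPOINT [MOUNTS_FILE]
# True only if the last entry for MOUNTPOINT carries the "ro" option.
# Shell builtins only, so no grep/awk from the monitored disk is involved.
is_readonly_mount() (
    result=1
    while read -r _dev mnt _type opts _rest; do
        [ "$mnt" = "$1" ] || continue
        case ",$opts," in *,ro,*) result=0 ;; *) result=1 ;; esac
    done < "${2:-$MOUNTS_FILE}"
    exit "$result"
)

# verify_baseline CHECKER BASELINE
# Exit status: 0 = all files match, 1 = mismatch or missing file,
# 2 = unsafe setup, check refused.
verify_baseline() (
    checker=$1 baseline=$2
    case "$checker" in /*) ;; *) exit 2 ;; esac   # never resolve via PATH
    [ -x "$checker" ] && [ -r "$baseline" ] || exit 2
    # Scrub loader overrides; a statically linked checker (assumed) also
    # avoids depending on the host's shared libraries.
    unset LD_PRELOAD LD_LIBRARY_PATH
    PATH=
    "$checker" -c "$baseline" || exit 1
)

# Entry point for the cron job.
run_check() (
    if ! is_readonly_mount "$TRUSTED_MNT"; then
        echo "refusing: $TRUSTED_MNT is not mounted read-only" >&2
        exit 2
    fi
    verify_baseline "$TRUSTED_MNT/md5sum" "$TRUSTED_MNT/baseline.md5"
)
```

The `ro` mount flag only catches a misconfigured mount, since root can remount the media writable; the physical write-protect tab is what makes it immutable.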

