Security Incidents mailing list archives
Re: yes, its t0rn again
From: Robert Horn <rjh () world std com>
Date: Thu, 4 Jan 2001 14:02:43 -0500
On 3 Jan, Andreas Hasenack wrote:
> On Tue, Jan 02, 2001 at 11:33:45PM -0800, Andrew Edelstein wrote:
> > Make sure your md5sum binary is also on immutable media. It doesn't do you any good to have known good checksums, if the binary that does the checking can be hacked to tell you what the hacker wants it to tell you.
>
> That may also not be enough. A library could have been hacked, md5sum should be statically linked. And, if a kernel module has been inserted, then all bets are off, you would have to reboot from a known kernel to be sure.
One convenience for some systems is to create a mountable and bootable CDROM with:

1. The md5sums
2. A program for checking the md5sums. If you write one of your own in C or some other language that generates executable code you increase the difficulty of a modified kernel recognizing and defeating it.
3. A usable small complete OS for initial forensics.

A modified kernel can hide modifications by trapping filesystem I/O, so rebooting directly from the CDROM with the known good OS and tools is the only way to detect kernel modifications.

Using a CDROM is just a convenience. It avoids disassembling the computer to take the suspect disks over to another known good system for analysis. It is usually much easier to reboot from the CDROM.

If they've penetrated the boot ROM, well, you can reflash it from a known good copy.

R Horn
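Item 2 of the list above, as an added example that is not part of the original message: a checker in C with its own MD5 (RFC 1321) and no dependency beyond libc, so it can be built with `cc -static` for the CDROM. The manifest format (md5sum output lines), the names `md5_stream` and `check_manifest`, and the mount-root argument are assumptions of this example.

```c
/* Added example. Manifest = md5sum output lines "<hex>  <path>"; root = mount point of the suspect disk. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
static const uint32_t K[64] = { /* MD5 round constants from RFC 1321 */
    0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee, 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
    0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be, 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
    0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa, 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
    0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed, 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
    0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c, 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
    0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05, 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
    0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039, 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
    0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1, 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391
};
static const uint8_t S[16] = {7,12,17,22, 5,9,14,20, 4,11,16,23, 6,10,15,21}; /* rotations per round */
static void md5_block(uint32_t h[4], const uint8_t *p) { /* fold one 64-byte block into state h */
    uint32_t a = h[0], b = h[1], c = h[2], d = h[3], m[16], f;
    for (int i = 0; i < 16; i++) m[i] = p[4*i] | p[4*i+1] << 8 | p[4*i+2] << 16 | (uint32_t)p[4*i+3] << 24;
    for (int i = 0; i < 64; i++) {
        int s = S[(i >> 4) * 4 + (i & 3)];
        int g = (i < 16 ? i : i < 32 ? 5*i + 1 : i < 48 ? 3*i + 5 : 7*i) & 15;
        f = i < 16 ? (b & c) | (~b & d) : i < 32 ? (d & b) | (~d & c) : i < 48 ? b ^ c ^ d : c ^ (b | ~d);
        f += a + K[i] + m[g];
        a = d; d = c; c = b; b += (f << s) | (f >> (32 - s));
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d;
}
void md5_stream(FILE *fp, char hex[33]) { /* hash fp to EOF, write 32 hex digits + NUL */
    uint32_t h[4] = {0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476};
    uint8_t buf[128]; uint64_t total = 0; size_t n, len;
    while ((n = fread(buf, 1, 64, fp)) == 64) { md5_block(h, buf); total += 64; }
    total += n; len = n < 56 ? 64 : 128; /* padding: 0x80, zeros, 64-bit little-endian bit count */
    memset(buf + n, 0, len - n); buf[n] = 0x80;
    for (int i = 0; i < 8; i++) buf[len - 8 + i] = (uint8_t)((total * 8) >> (8 * i));
    md5_block(h, buf); if (len == 128) md5_block(h, buf + 64);
    for (int i = 0; i < 16; i++) sprintf(hex + 2*i, "%02x", (h[i / 4] >> (8 * (i % 4))) & 0xff);
}
int check_manifest(const char *manifest, const char *root) { /* count of missing/changed files, -1 on error */
    char line[1200], want[33], got[33], rel[1024], full[2100]; int bad = 0;
    FILE *fp, *mf = fopen(manifest, "r"); if (!mf) return -1;
    while (fgets(line, sizeof line, mf)) {
        if (sscanf(line, "%32s %1023[^\n]", want, rel) != 2) continue; /* skip malformed lines */
        snprintf(full, sizeof full, "%s/%s", root, rel + (rel[0] == '*')); /* '*' = binary-mode marker */
        if (!(fp = fopen(full, "rb"))) { printf("MISSING %s\n", full); bad++; continue; }
        md5_stream(fp, got); fclose(fp);
        if (strcmp(want, got) != 0) { printf("CHANGED %s\n", full); bad++; }
    }
    fclose(mf); return bad;
}
int main(int argc, char **argv) { return argc == 3 ? check_manifest(argv[1], argv[2]) != 0 : 2; }
```

Run it as `md5check MANIFEST ROOT` after booting from the CDROM; the exit status is 0 only when every listed file is present and matches.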