Security Incidents mailing list archives
Re: clean binaries
From: //Stany <stany () NOTBSD ORG>
Date: Tue, 7 Nov 2000 16:40:36 -0500
On Mon, 6 Nov 2000, pW wrote:
> Hello all... What is the best way to make a disk full of clean binaries so that should a machine be compromised you can use system binaries that you know are clean as opposed to using the ones on the system that may be compromised. Basically I am looking for the best way to get a CD full of binaries such as ifconfig, ps, login, and so on... the systems are already in production so I would prefer getting them from somewhere else because I don't want to assume that these systems are completely clean.
Hrm. One thing I have to point out is that ideally you would want statically compiled binaries. If that's not possible at all (statically compiling under Solaris can sometimes be a pain), make sure to have some sort of script that would set LD_PRELOAD to the directory on CD where you have placed the libraries.

Besides the library routines that can be compromised, don't forget about the kernel loadable modules. Even if you have a non-patched ps and non-patched libc that the cracker has not modified, what prevents him from convincing your kernel to lie to your innocent, uncorrupted binaries? ;-)

On some systems, like Solaris SPARC, it might be easier to just force a kernel crash dump to dump the entire memory snapshot to disk, boot off a custom-made CD, or even just an external hard drive with all the tools, and recover the crash dump from the swap partition on the original boot drive.
> Is it best to get these from the installation media that was used to install all of the systems?
Depends. Again, if you applied patches to the system after it has been installed, or ever did a "make world", you are likely not to have on the hard drive the same binaries as were installed. *shrug* So it might just make sense to have the most current ones at the time you made the CD. If you are hoping to do a comparison, using md5sum or sum of the checksums of the binaries on the hard drive against the ones on CD, it's not going to help much either if you patched or rebuilt the system and did not keep your CD up to date. However, if you use Solaris, not everything is lost, as Sun does have a database of fingerprints on-line at <http://sunsolve.Sun.COM/pub-cgi/fileFingerprints.pl>, thanks to Casper Dik, Alec Muffett & Vasanthan Dasan.

So my recommendation would be to use an external bootable hard drive[0] on the systems that do support detach/reattach of the SCSI devices (Solaris/SPARC[1], OpenBSD/sparc) and modified environment variables, taking a snapshot of the memory through a crash dump on the systems that support it (Solaris/OpenBSD), and using post-mortem tools like lsof, adb, Sun's internal "act", and heck, even "strings" on the crash dump image. The benefit of writable media here would be the convenience and the flexibility it offers. After the basic assessment is done, just reboot and boot off the external drive, and use all the custom tools to poke the memory image and find the bits you like, while making sure that your filesystem on the hard drive is intact and was not modified in any way.

If you are going for an RCMP (Canuckian police) intervention, and want to get at the one who got into your systems, make sure that when examining your compromised filesystems, you mount them read-only, to minimize any potential modifications to the files.

For the systems that are dumber, or do not support crash dumps (Linux), well, a CD is your best option, as long as you remember to preload the libraries that are on CD. That, and lots of luck.
> any help would be appreciated! thanks
> shawn
HTH. HAND.

Signed: //Stany

[0] This is one area where Macintoshes are much more convenient than anything else - it's darn easy to create a folder, copy the "System" suitcase and the "Finder" into it, and have a bootable system. Especially if you remember to select "Install support for any Macintosh" at the time of the installation, as then you can boot any Mac that that OS revision supports off that hard drive.

[1] For those of you who are not sure how to re-create device entries on Solaris short of "boot -r", take a peek into /etc/init.d/{drvconfig|devlinks}

--
+-------+ Stanislav N Vardomskiy - Procurator Odiosus Ex Infernis[TM] +-------+
| "Backups we have; it's restores that we find tricky." Richard Letts at ASR |
| This message is powered by JOLT! For all the sugar and twice the caffeine. |
+--------+ My words are my own. LARTs are provided free of charge. +---------+
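The two practical pieces of the reply above are a shell that uses only binaries and libraries from the trusted media, and a checksum comparison between a manifest made from a known-good tree and the suspect filesystem (mounted read-only). The script below is an added illustration written for this archive page, not code from Stany, pW or any Sun tool; it assumes a mount point `/mnt/cdrom` (overridable through `TRUSTED_ROOT`), a manifest format of `<sha256>  <relative path>`, and the presence of `sha256sum` or `shasum`. It points the dynamic loader at the CD's library directory through `LD_LIBRARY_PATH`, which is the variable that takes a directory, and reports files that are missing or whose hash differs from the manifest.

```shell
#!/bin/sh
# Constructed example: trusted-tool environment plus manifest verification.
# Not part of the original mailing-list post. Mount point and manifest
# layout are assumptions of this example.

TRUSTED_ROOT="${TRUSTED_ROOT:-/mnt/cdrom}"   # assumed mount point of the read-only tool CD

# Make the current shell use only the CD's binaries and shared libraries.
# Call this once after mounting the CD; everything started afterwards
# inherits the trusted PATH and library search path.
use_trusted_tools() {
    PATH="$TRUSTED_ROOT/bin:$TRUSTED_ROOT/sbin"
    LD_LIBRARY_PATH="$TRUSTED_ROOT/lib"
    export PATH LD_LIBRARY_PATH
}

# Print the SHA-256 hex digest of one file, using whichever tool exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Build a manifest ("<hash>  <relative path>", sorted) from a known-good tree.
# Run this against the freshly patched system at the time the CD is made,
# and re-run it whenever patches are applied, so the manifest stays current.
# Paths containing whitespace are not supported by this simple format.
make_manifest() {
    root="$1"
    (cd "$root" && find . -type f | sed 's|^\./||' | sort) | while read -r relpath; do
        printf '%s  %s\n' "$(hash_file "$root/$relpath")" "$relpath"
    done
}

# Compare every manifest entry against the files under $2 (the suspect
# filesystem, ideally mounted read-only). Prints one line per problem
# ("MISSING  <path>" or "MODIFIED <path>") and returns 0 only when every
# listed file is present with the expected hash.
verify_manifest() {
    manifest="$1"; root="$2"; bad=0
    while read -r expected relpath; do
        [ -z "$expected" ] && continue
        case "$expected" in \#*) continue ;; esac   # skip comment lines
        target="$root/$relpath"
        if [ ! -f "$target" ]; then
            echo "MISSING  $relpath"; bad=$((bad + 1)); continue
        fi
        actual=$(hash_file "$target")
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $relpath"; bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# Typical use from a shell booted off the trusted media (commands are not
# executed here):
#   use_trusted_tools
#   mount -o ro /dev/dsk/<suspect-root> /mnt/suspect      # read-only, as the post advises
#   verify_manifest "$TRUSTED_ROOT/manifest.sha256" /mnt/suspect
```

A clean result from `verify_manifest` only says the listed files match the manifest; as the reply points out, a modified kernel or loadable module can still lie to an unmodified `ps`, so the check complements a memory snapshot rather than replacing it.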