Security Incidents mailing list archives
Re: bootable readonly media in your pocket Re: yes, its t0rn again
From: Ed Padin <ohdamnthathurts () YAHOO COM>
Date: Fri, 5 Jan 2001 16:43:20 -0500
Don't know if it'll fit on a small CD but look for a distribution called Finnix. It's a mostly full distribution of RH 6-sumthin'. It takes a long time to download the compressed iso image. The guy that wrote it configured it to mount all writable directories on ram disks. I was able to create my own disk to suit my needs using his example. You'll need a CD writer to create the CD.

Cheque it--> http://www.finnix.org/

----- Original Message -----
From: "marc" <marc () ZOUNDS NET>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Friday, January 05, 2001 1:22 PM
Subject: bootable readonly media in your pocket Re: yes, its t0rn again

> On Thu, 4 Jan 2001, Robert Horn wrote:
> > On Tue, Jan 02, 2001 at 11:33:45PM -0800, Andrew Edelstein wrote:
> > > Make sure your md5sum binary is also on immutable media. It doesn't
> > > do you any good to have known good checksums, if the binary that does the
> > > checking can be hacked to tell you what the hacker wants it to tell you.
>
> Does anyone know of an iso distribution of linux already built to do this?
> I am familiar w/ trinux, but I'd like a bootable cd that already has the
> ability to mount different filesystems, md5 check, etc. At SANS I saw
> someone walking around giving out small recovery cdroms like this that
> were cut down to the size of a credit card. I'd really like one of those.
>
> marc
>
> > > That may also not be enough. A library could have been hacked, md5sum
> > > should be statically linked. And, if a kernel module has been inserted,
> > > then all bets are off, you would have to reboot from a known kernel to
> > > be sure.
> >
> > One convenience for some systems is to create a mountable and bootable
> > CDROM with:
> >
> > 1. The md5sums
> > 2. A program for checking the md5sums. If you write one of your own in C
> >    or some other language that generates executable code you increase the
> >    difficulty of a modified kernel recognizing and defeating it.
> > 3. A usable small complete OS for initial forensics.
> >
> > A modified kernel can hide modifications by trapping filesystem I/O, so
> > rebooting directly from the CDROM with the known good OS and tools is the
> > only way to detect kernel modifications. Using a CDROM is just a
> > convenience. It avoids disassembling the computer to take the suspect
> > disks over to another known good system for analysis. It is usually much
> > easier to reboot from the CDROM. If they've penetrated the boot ROM, well,
> > you can reflash it from a known good copy.
> >
> > R Horn
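Item 2 of Robert Horn's list above (a checker you build yourself, which also covers Andrew's point about static linking) as an added example; this is not code from anyone in the thread. It is a small Go program that verifies an md5sum-format manifest against a tree mounted at a root directory you pass in; the manifest format and the root argument are my assumptions, and building it with CGO_ENABLED=0 gives a single statically linked binary with no shared-library dependencies to subvert.

```go
package main

import (
	"bufio"
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// VerifyManifest reads md5sum-style lines ("<32 hex>  path" or "<32 hex> *path")
// and returns a verdict per entry: OK, MISMATCH, UNREADABLE (missing or not
// openable) or BADLINE. Paths are resolved under root, so a suspect disk
// mounted read-only at root is compared with the known-good list on the CD.
func VerifyManifest(manifest io.Reader, root string) map[string]string {
	out := map[string]string{}
	sc := bufio.NewScanner(manifest)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' { // skip blank lines and comments
			continue
		}
		f := strings.SplitN(line+" ", " ", 2) // the added space guarantees two fields
		want := strings.ToLower(f[0])
		rel := strings.TrimPrefix(strings.TrimSpace(f[1]), "*")
		if _, err := hex.DecodeString(want); err != nil || len(want) != 32 || rel == "" {
			out[line] = "BADLINE"
			continue
		}
		status := "OK"
		if data, err := os.ReadFile(filepath.Join(root, rel)); err != nil {
			status = "UNREADABLE"
		} else if sum := md5.Sum(data); hex.EncodeToString(sum[:]) != want {
			status = "MISMATCH"
		}
		out[rel] = status
	}
	return out
}

// Usage: verify ROOT < MANIFEST; prints one verdict per manifest entry.
func main() {
	for p, s := range VerifyManifest(os.Stdin, os.Args[1]) {
		fmt.Printf("%-10s %s\n", s, p)
	}
}
```

Keep the manifest and this binary on the read-only media together with the boot OS; a verdict other than OK on a system binary is a cue to take the disk to a known good system rather than to trust anything the running kernel reports.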
Current thread:
- LKM insecurity, (continued)
- LKM insecurity Greg A. Woods (Jan 06)
- Re: yes, its t0rn again Robert Horn (Jan 04)
- Re: yes, its t0rn again Jeff Bachtel (Jan 04)
- Attack Signature Reprodution Alexandre Soares (Jan 06)
- Re: yes, its t0rn again Jeremy 'Circ' Charles (Jan 06)
- bootable readonly media in your pocket Re: yes, its t0rn again marc (Jan 05)
- Re: bootable readonly media in your pocket Re: yes, its t0rn again Michael H. Warfield (Jan 05)
- Re: bootable readonly media in your pocket Re: yes, its t0rn again Jeff (Jan 05)
- Re: bootable readonly media in your pocket Re: yes, its t0rn again marc (Jan 09)
- Re: bootable readonly media in your pocket Kevin Martin (Jan 09)
- Re: yes, its t0rn again Jeff Bachtel (Jan 04)
- Re: bootable readonly media in your pocket Re: yes, its t0rn again Ed Padin (Jan 05)
- Re: bootable readonly media in your pocket Re: yes, its t0rn again Ryan Russell (Jan 05)
- Re: yes, its t0rn again - chkrootkit Talisker (Jan 08)