Re: chkrootkit infected ports 2881 - conundrum



Eduardo M KALINOWSKI on 26/08/08 13:45, wrote:
> Adam Hardy wrote:
>> After-the-attack identification of a rootkit attack, it seems, can always be compromised if there is no safe read-only hash or encryption of the known-good system binaries.
>
> Unfortunately, I think that if you do not have physical access to the machine, this problem is (at least theoretically) unsolvable.
>
> The checksums must be created when the system is in a known good state, preferably just after system installation, and stored somewhere else. With physical access, you can burn them on a CD. Without that, the machine must be connected to the network for the installation of packages, checksum generation and final transfer of the checksum file to another machine. In theory there could be an attack during that time, and you could end up with a file with false checksums, but the attacker must be able to use that time opportunity, and since you only need an ssh server, I'd say it's quite unlikely that the checksum file is somehow invalid.
>
> The biggest problem is in verification time. If you have physical access, you can boot a Live-CD and run the checksum verification with a program that is known to be good. However, without physical access, you'd have to resort to checking the system as it is, that is, in a possibly infected state. And in this case, you'd end up using the checksum program that is in the system, which could be modified to hide the rootkit, and you'd not find the infection.
>
> There are ways to try to circumvent that (such as copying a statically linked checksum program and using that instead of the system one), but if the rootkit is running, it could, at least in theory, hide itself, for example by intercepting system calls that read infected files and returning instead data corresponding to a good file.
>
> The only way to be completely sure that you are getting reliable results is to run the verification when the rootkit could not be running - and this requires you booting in another system via a Live CD, or removing the HD, installing it in another machine and booting that second machine, for example. Both cases require physical access.

I also ignored the relatively larger vulnerability - where I rely on the email message from a cronjob to forward me the results of chkrootkit or rkhunter or any software I might use.

All the hacker needs to do, before rooting the system, is to run my cronjobs and save the output, and then change the cronjobs to email me these 'all clear' reports instead. The reports don't even have dates or times that require updating. I have been known to let my server run for weeks without logging on.

:(

The more I think about it, the more I believe some sharp hacker out there could easily have fooled me for months.

Any suggestions now?

Regards
Adam
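As an added example (not code from anyone in this thread), here is the baseline-then-verify procedure Eduardo describes, written in POSIX shell around GNU coreutils' sha256sum. The verification report carries the hostname and a UTC timestamp, so a replayed "all clear" mail of the kind Adam describes would at least show a stale date. It assumes the baseline file is kept off-host or on read-only media and that verification is run from a Live CD with that CD's own sha256sum; the directory and file contents in demo() are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: checksum baseline of system binaries, later verified.
# Assumes GNU coreutils sha256sum; the baseline should be stored off-host
# and the check run from trusted media (Live CD), as the thread discusses.
set -eu

# Record a checksum for every regular file under $1 into the baseline $2.
# Run once, right after installation, while the system is known good.
make_baseline() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$out"
}

# Check $1 against baseline $2. Prints a dated report (hostname and UTC
# time, so a replayed report is recognisable) and returns 0 when every
# file matches, 1 otherwise.
verify_baseline() {
    dir=$1; base=$2
    printf 'integrity report: host=%s time=%s\n' \
        "$(uname -n)" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    if ( cd "$dir" && sha256sum --quiet -c "$base" ); then
        echo "all files match baseline"
        return 0
    else
        echo "MISMATCH: one or more files differ from baseline"
        return 1
    fi
}

# Constructed demo: a fake bin directory with two "binaries"; take a
# baseline, verify, replace one file, verify again. Last line is the two
# exit codes, expected "0 1".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    printf 'good ls\n' > "$tmp/bin/ls"
    printf 'good ps\n' > "$tmp/bin/ps"
    make_baseline "$tmp/bin" "$tmp/baseline.sha256"
    verify_baseline "$tmp/bin" "$tmp/baseline.sha256" && before=0 || before=$?
    printf 'replaced ps\n' > "$tmp/bin/ps"   # simulate a swapped binary
    verify_baseline "$tmp/bin" "$tmp/baseline.sha256" && after=0 || after=$?
    rm -rf "$tmp"
    echo "$before $after"
}
```

In real use, make_baseline is run on the freshly installed host and the file copied elsewhere; verify_baseline is run later from the Live CD against the mounted disk.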

