Re: Rootkit
- From: Andy Green <andy@xxxxxxxxxxx>
- Date: Tue, 23 Oct 2007 08:44:38 +0100
Somebody in the thread at some point said:
On 10/22/07, Andy Green <andy@xxxxxxxxxxx> wrote:
You can cryptographically sign a hash of the executable and append the
signature to the executable itself. That way they can discover
tampering or change because the bad guy can't regenerate the sig as he
lacks both keys.
If the intruder has gained root, he doesn't need the actual private
key, he can just modify your signature checking program to give false
negatives for his hacks.
Not so easy if this is enforced by the kernel, and he is spewing log
traces everywhere (and the sysadmin reads his logs regularly!).
But it seems to me it's not where the real problems are for servers.
The real problems are in PHP or other scripts that accept user input as
PHP code or database queries one way or another,
This is a good point. Those are the sorts of vulnerabilities that get
the intruder in the door in the first place. Modifying your binaries
comes later.
The point here is also that he can modify your config files too, eg, set
an alias for ls to rm -rf / by running the "known safe" and untampered
vi... open a reverse ssh shell in /etc/rc.local...
-Andy
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
- References:
- Re: Rootkit
- From: bob . smith
- Re: Rootkit
- From: Manuel Arostegui Ramirez
- Re: Rootkit
- From: Andy Green
- Re: Rootkit
- From: Dave Burns
- Re: Rootkit
- Prev by Date: Re: Rootkit
- Next by Date: Re: Is there any way to 'force' a yum install/update?
- Previous by thread: Re: Rootkit
- Next by thread: Re: Rootkit
- Index(es):
Relevant Pages
|
