Rootkit

Rick Stevens rstevens at internap.com
Mon Oct 22 22:13:12 UTC 2007


On Mon, 2007-10-22 at 11:48 -1000, Dave Burns wrote:
> On 10/21/07, Manuel Arostegui Ramirez <manuel at todo-linux.com> wrote:
> > On Sunday 21 October 2007 22:38:52 Dave Burns wrote:
> > >
> > > You can trust the results if you reboot your system from a CD,
> >
> > From my experience, rebooting a hacked system is not a pretty good idea,
> 
> Exactly. So there are three contexts in which you are using the tools:
> 
> 1) Not sure you've been hacked, just suspicious or vigilant.
> 2) Sure you've been hacked, have not yet rebooted, looking for information.
> 3) Sure you've been hacked, rebooted using a CD (e.g. knoppix) or
> other known-good /.
> 
> In situation 1 and 2, you can't totally trust your tools, unless
> they're giving you bad news. In situation 3 you can trust the tools
> as much as you can trust the "known-good /" where they are located. So
> you're never totally sure you're in the clear.
> 
> I guess the truly paranoid might boot from a CD and do an audit
> periodically, I guess that might make me feel pretty confident. Hard
> to automate it (and may open up new vulnerabilities), no one wants it
> happening during ordinary working hours, and I don't want to be doing
> it by hand outside ordinary hours. Yuck.

I keep a write-protectable USB FLASH disk with necessary utilities on it
such as netstat, ls, ps, rm, chattr, lsattr, find, chkrootkit, etc.  I
plug it in, mount it (typically at /media/DeHack) and do forensics such
as

    # /media/DeHack/bin/netstat -lpn

That way I know I'm using an uncompromised version of the utilities I
need.

With F7 and such, you could boot a live CD of the system and do your
forensics that way, but you won't see the hacked network stuff since the
hacked system won't be booted and the suspect stuff won't be running.
It would be a good way to get uncompromised versions of the programs
onto your forensics media, however.

Best bet: Unplug the suspect machine from your network, plug in your
dehacking tools drive (write protected, of course) and have at it.

> > To evaluate my general system security I use babel
> 
> Is that comparable to nagios, or more security oriented?
> 
> thanks,
> Dave
> 
----------------------------------------------------------------------
- Rick Stevens, Principal Engineer             rstevens at internap.com -
- CDN Systems, Internap, Inc.                http://www.internap.com -
-                                                                    -
-  Memory is the second thing to go, but I can't remember the first! -
----------------------------------------------------------------------
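The trusted-tools-on-read-only-media approach described above, as an added example that is not from the thread or from Fedora: a POSIX shell script that compares the live system's copies of a few utilities against the copies on the write-protected media and reports any that differ or are missing, so a replaced ls, ps or netstat shows up before you rely on its output. The mount point /media/DeHack/bin comes from the post; the function names and the constructed sample files in demo_run are assumptions. Two caveats the post does not state: a dynamically linked binary on the media still loads the suspect system's dynamic loader and libc, so the copies kept there should be statically linked; and a hash comparison only catches rootkits that replaced files on disk, not one living in the kernel.

```shell
#!/bin/sh
# Added example (not from the thread): verify the live system's utilities
# against known-good copies on write-protected media before trusting them.
# TRUSTED_BIN defaults to the mount point used in the post; everything else
# here (function names, sample files in demo_run) is an assumption.

TRUSTED_BIN=${TRUSTED_BIN:-/media/DeHack/bin}

# hash_file FILE: print the SHA-256 of FILE. Prefer coreutils sha256sum,
# fall back to shasum (BSD/macOS live media).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# media_is_readonly MOUNTPOINT: succeed if the media is mounted read-only
# (checked via /proc/mounts, so Linux only; returns 2 when unknown). A toolkit
# the suspect system can write to is no longer a trusted toolkit.
media_is_readonly() {
    [ -r /proc/mounts ] || return 2
    awk -v mp="$1" '$2 == mp { split($4, o, ","); for (i in o) if (o[i] == "ro") found = 1 }
                     END { exit found ? 0 : 1 }' /proc/mounts
}

# compare_tools TRUSTED_DIR SUSPECT_DIR TOOL...: print "TOOL<TAB>STATUS" per
# tool. STATUS is OK (same hash), MISMATCH (differs), MISSING (absent on the
# suspect system) or NO-REFERENCE (absent on the media). Always exits 0 so
# callers can count the statuses themselves.
compare_tools() {
    trusted=$1
    suspect=$2
    shift 2
    for tool in "$@"; do
        if [ ! -f "$trusted/$tool" ]; then
            printf '%s\tNO-REFERENCE\n' "$tool"
        elif [ ! -f "$suspect/$tool" ]; then
            printf '%s\tMISSING\n' "$tool"
        elif [ "$(hash_file "$trusted/$tool")" = "$(hash_file "$suspect/$tool")" ]; then
            printf '%s\tOK\n' "$tool"
        else
            printf '%s\tMISMATCH\n' "$tool"
        fi
    done
}

# count_bad TRUSTED_DIR SUSPECT_DIR TOOL...: print how many tools are not OK.
count_bad() {
    compare_tools "$@" | awk -F'\t' '$2 != "OK" { n++ } END { print n + 0 }'
}

# demo_run: self-contained demonstration on constructed data. Builds a fake
# "trusted" and "suspect" bin directory where ls and ps are identical, the
# suspect netstat has been altered and chattr is missing, then prints the
# number of tools that failed verification (2) with the report on stderr.
demo_run() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/trusted" "$tmp/suspect"
    for tool in ls ps netstat chattr; do
        printf 'constructed known-good %s\n' "$tool" > "$tmp/trusted/$tool"
        cp "$tmp/trusted/$tool" "$tmp/suspect/$tool"
    done
    printf 'constructed altered netstat\n' > "$tmp/suspect/netstat"
    rm -f "$tmp/suspect/chattr"
    compare_tools "$tmp/trusted" "$tmp/suspect" ls ps netstat chattr >&2
    count_bad "$tmp/trusted" "$tmp/suspect" ls ps netstat chattr
    rm -rf "$tmp"
}

# Real use on the unplugged machine (not run here): mount the media, confirm
# it is read-only, run the trusted copies by absolute path and compare the
# system's own copies against them.
#   media_is_readonly /media/DeHack || echo "warning: trusted media is writable"
#   "$TRUSTED_BIN/netstat" -lpn
#   compare_tools "$TRUSTED_BIN" /bin ls ps netstat chattr lsattr find
```

Run the trusted copies by absolute path rather than by prepending the media to PATH: a shell alias or function on the compromised system can still shadow a bare command name, while an absolute path cannot be shadowed that way.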