Rootkit

Dave Burns tburns at hawaii.edu
Tue Oct 23 07:40:37 UTC 2007


On 10/22/07, Andy Green <andy at warmcat.com> wrote:
> You can cryptographically sign a hash of the executable and append the
> signature to the executable itself.  That way they can discover
> tampering or change because the bad guy can't regenerate the sig as he
> lacks both keys.

If the intruder has gained root, he doesn't need the actual private
key, he can just modify your signature checking program to give false
negatives for his hacks.

> But it seems to me it's not where the real problems are for servers.
> The real problems are in PHP or other scripts that accept user input as
> PHP code or database queries one way or another,

This is a good point.  Those are the sorts of vulnerabilities that get
the intruder in the door in the first place. Modifying your binaries
comes later.

Dave




More information about the fedora-list mailing list