Rootkit
Andy Green
andy at warmcat.com
Tue Oct 23 07:44:38 UTC 2007
Somebody in the thread at some point said:
> On 10/22/07, Andy Green <andy at warmcat.com> wrote:
>> You can cryptographically sign a hash of the executable and append the
>> signature to the executable itself. That way they can discover
>> tampering or change because the bad guy can't regenerate the sig as he
>> lacks both keys.
>
> If the intruder has gained root, he doesn't need the actual private
> key, he can just modify your signature checking program to give false
> negatives for his hacks.
Not so easy if this is enforced by the kernel, and he is spewing log
traces everywhere (and the sysadmin reads his logs regularly!).
>> But it seems to me it's not where the real problems are for servers.
>> The real problems are in PHP or other scripts that accept user input as
>> PHP code or database queries one way or another,
>
> This is a good point. Those are the sorts of vulnerabilities that get
> the intruder in the door in the first place. Modifying your binaries
> comes later.
The point here is also that he can modify your config files too, e.g., set
an alias for ls to rm -rf / by running the "known safe" and untampered
vi... open a reverse ssh shell in /etc/rc.local...
-Andy
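As an added worked example of the scheme Andy describes above (sign a hash of the executable, append the signature to the file, refuse to trust the file if the signature no longer matches), here is a small Go program that is not part of the thread or of any Fedora tool. The trailer layout (64-byte signature followed by the magic string "EXESIG01"), the choice of Ed25519 over SHA-256, and the stand-in "executable" bytes are all this example's own assumptions; the thread does not name an algorithm or a file format. It shows only the userland signing and checking half: whether the check is enforced by the kernel and logged, as Andy suggests, is outside what a program like this can demonstrate.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Trailer layout appended to the executable (this example's own convention,
// not a format from the thread):
//
//	[original bytes][64-byte Ed25519 signature][8-byte magic "EXESIG01"]
//
// The signature is computed over SHA-256(original bytes), so any change to
// the code invalidates it and the attacker cannot produce a new valid
// signature without the private key.
var trailerMagic = []byte("EXESIG01")

const sigLen = ed25519.SignatureSize

// SignExecutable hashes exe, signs the digest with priv, and returns the
// executable with the signature trailer appended.
func SignExecutable(priv ed25519.PrivateKey, exe []byte) []byte {
	digest := sha256.Sum256(exe)
	sig := ed25519.Sign(priv, digest[:])
	out := make([]byte, 0, len(exe)+sigLen+len(trailerMagic))
	out = append(out, exe...)
	out = append(out, sig...)
	out = append(out, trailerMagic...)
	return out
}

// VerifyExecutable splits the trailer off, recomputes the hash over the
// original bytes and checks the signature against pub. On success it
// returns the original (untrailered) bytes; otherwise it returns an error
// describing why the file must not be trusted.
func VerifyExecutable(pub ed25519.PublicKey, signed []byte) ([]byte, error) {
	tl := sigLen + len(trailerMagic)
	if len(signed) < tl {
		return nil, errors.New("too short to carry a signature trailer")
	}
	if !bytes.Equal(signed[len(signed)-len(trailerMagic):], trailerMagic) {
		return nil, errors.New("no signature trailer found")
	}
	body := signed[:len(signed)-tl]
	sig := signed[len(signed)-tl : len(signed)-len(trailerMagic)]
	digest := sha256.Sum256(body)
	if !ed25519.Verify(pub, digest[:], sig) {
		return nil, errors.New("signature does not match executable contents")
	}
	return body, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a binary's contents; not a real ELF file.
	exe := []byte("\x7fELF fake binary contents for the demonstration")
	signed := SignExecutable(priv, exe)

	if _, err := VerifyExecutable(pub, signed); err != nil {
		fmt.Println("unexpected:", err)
	} else {
		fmt.Println("untampered binary: signature OK")
	}

	// An intruder with root patches one byte of the code; the hash no longer
	// matches what was signed.
	tampered := append([]byte(nil), signed...)
	tampered[10] ^= 0x01
	_, err = VerifyExecutable(pub, tampered)
	fmt.Println("patched binary:", err)

	// Re-signing the patched code with a key of his own does not help either,
	// because the checker holds the legitimate public key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignExecutable(attackerPriv, tampered[:len(exe)])
	_, err = VerifyExecutable(pub, forged)
	fmt.Println("re-signed with attacker key:", err)
}
```

The check itself is only as good as the protection of two things the attacker must not be able to change: the private key (which should not be on the server at all) and the public key embedded in whatever performs the check, which is exactly why the thread's objection about a root intruder patching the checker matters.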
More information about the fedora-list mailing list