Rootkit

Andy Green andy at warmcat.com
Tue Oct 23 07:44:38 UTC 2007


Somebody in the thread at some point said:
> On 10/22/07, Andy Green <andy at warmcat.com> wrote:
>> You can cryptographically sign a hash of the executable and append the
>> signature to the executable itself.  That way they can discover
>> tampering or change because the bad guy can't regenerate the sig as he
>> lacks both keys.
> 
> If the intruder has gained root, he doesn't need the actual private
> key, he can just modify your signature checking program to give false
> negatives for his hacks.

Not so easy if this is enforced by the kernel, and he is spewing log
traces everywhere (and the sysadmin reads his logs regularly!).

>> But it seems to me it's not where the real problems are for servers.
>> The real problems are in PHP or other scripts that accept user input as
>> PHP code or database queries one way or another,
> 
> This is a good point.  Those are the sorts of vulnerabilities that get
> the intruder in the door in the first place. Modifying your binaries
> comes later.

The point here is also that he can modify your config files too, e.g., set
an alias for ls to rm -rf / by running the "known safe" and untampered
vi... open a reverse ssh shell in /etc/rc.local...

-Andy
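The signing scheme Andy sketches above (hash the executable, sign the hash, append the signature to the file, verify by stripping the trailer and re-checking) worked through as an added example. This is not code from the thread or from Fedora; it assumes Ed25519 over a SHA-256 digest as the signature primitive and uses a constructed byte string in place of a real executable. Only the public key is needed to verify, which is why the private key can stay off the server. The thread's caveat still applies: this only helps if the checker itself runs somewhere the intruder cannot replace it (the kernel, or media he cannot write), and it says nothing about config files.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SigLen is the size of the signature trailer appended to a signed file.
const SigLen = ed25519.SignatureSize

// SignBlob hashes the file content and appends an Ed25519 signature over the
// digest, giving the "executable + signature" layout described in the thread.
// (Assumption: Ed25519/SHA-256; the thread does not name an algorithm.)
func SignBlob(content []byte, priv ed25519.PrivateKey) []byte {
	digest := sha256.Sum256(content)
	sig := ed25519.Sign(priv, digest[:])
	out := make([]byte, 0, len(content)+len(sig))
	out = append(out, content...)
	return append(out, sig...)
}

// VerifyBlob splits off the trailing signature, re-hashes the remaining
// content and checks the signature with the public key. Any change to the
// content or to the trailer makes the check fail.
func VerifyBlob(blob []byte, pub ed25519.PublicKey) ([]byte, error) {
	if len(blob) < SigLen {
		return nil, errors.New("file too short to carry a signature trailer")
	}
	content, sig := blob[:len(blob)-SigLen], blob[len(blob)-SigLen:]
	digest := sha256.Sum256(content)
	if !ed25519.Verify(pub, digest[:], sig) {
		return nil, errors.New("signature mismatch: content or trailer modified")
	}
	return content, nil
}

// TamperDemo signs a constructed payload, then flips one bit in the content
// and, separately, one bit in the trailer. It reports whether the untouched
// file verified and whether either tampered copy still verified.
func TamperDemo() (cleanOK bool, contentTamperOK bool, sigTamperOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// Constructed stand-in for an executable; any byte string works here.
	payload := []byte("#!/bin/sh\necho constructed sample binary\n")
	signed := SignBlob(payload, priv)

	got, verr := VerifyBlob(signed, pub)
	cleanOK = verr == nil && bytes.Equal(got, payload)

	bad := append([]byte(nil), signed...)
	bad[5] ^= 0x01 // one-bit change inside the content
	_, verr = VerifyBlob(bad, pub)
	contentTamperOK = verr == nil

	bad2 := append([]byte(nil), signed...)
	bad2[len(bad2)-1] ^= 0x01 // one-bit change inside the signature trailer
	_, verr = VerifyBlob(bad2, pub)
	sigTamperOK = verr == nil

	return cleanOK, contentTamperOK, sigTamperOK, nil
}

func main() {
	clean, ct, st, err := TamperDemo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("untouched verifies: %v, content-tampered verifies: %v, trailer-tampered verifies: %v\n",
		clean, ct, st)
}
```

Running it prints that the untouched file verifies and both tampered copies do not. In a real deployment the public key and the verifier would live with the kernel or on read-only media, and a failed check would be logged loudly, which is the "spewing log traces everywhere" Andy is relying on.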




More information about the fedora-list mailing list