Rootkit

Jordi Prats jprats at cesca.es
Tue Oct 23 08:11:53 UTC 2007


About this discussion, chkrootkit is for live systems, isn't it? 
Is there any tool to do rootkit analysis on a "dead" system?

I'm thinking of checking for rootkits on snapshots of the file system of a 
virtual machine to determine if the running virtual machine is compromised.

Thanks,
Jordi

bob.smith at kolumbus.fi wrote:
> Dave Burns <tburns at hawaii.edu> kirjoitti:
>> > >> While reading this thread it occurred to me that if disk drives had a
>> > >> read-only switch, then systems would be uncrackable.
>>
>> Well, that would go a long way to make intrusion more difficult, but
>> not impossible. Intruder just mounts something on top of your read
>> only partition that looks a lot like your partition but with a few
>> well chosen modifications. He then has to hide evidence of his trick,
>> which would not be easy (at least for me!), but that's not to say it
>> could not be done. In fact I have heard of a very similar approach
>> being used (sort of the opposite - an innocuous partition mounted over
>> a partition full of rootkit stuff to keep it hidden), though
>> apparently the intruder had not perfected it yet, since the admin
>> eventually figured out what was going on.
>>
>> > There are special filesystems ("unionfs" ?)
>> > that redirect writes to a read-only file to a copy of the file in a
>> > writable partition (I think).
>>
>> Yeah, but wouldn't that defeat the idea? Are you making it read only
>> so that you know for sure it is good and can use it with confidence or
>> so that you can easily recover your original files after getting
>> (expletive deleted)? This "read-only" partition approach is only worth
>> the trouble if it actually takes some capability away from the
>> intruder. If the filesystem is read/write but your "originals" are
>> read only, that only bothers the intruder if he actually wants to
>> erase them. What does he want to erase? Log files, which do not belong
>> on a read only filesystem in any case.
>>
>> You could use it for monitoring - if it was easy to do a check whether
>> ps and lsof and other critical executables were actually on the
>> read-only part of disk or had been modified. The utility that does the
>> check had better be on the read only partition, but what do you use to
>> check it? If you're totally hacked you can't be sure that the
>> utilities that you execute are actually coming from that disk.  You
>> might be logged in to an emulator! Might as well use tripwire or aide
>> and not bother with the read-onlyness.
>>
>> This has got me thinking.
>> Dave
>>
>> -- 
>> fedora-list mailing list
>> fedora-list at redhat.com
>> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>>
>
> Hi, I am glad you are discussing this, because there are issues to 
> ponder.
> About hacking and cracking. A while back I had this idea, well a few 
> years back, but it was put aside because a university professor 
> disregarded it as useless, and maybe it is.
> The idea was to create sort of (in some way) "encrypted and protected" 
> executables. This to be able to verify that an executable is what it 
> is (located on machine X, and compiled on machine X). Further, the 
> executable would be made so that it could not run on a system on which 
> it was not allowed to run. That was the basis of the idea. Purely 
> theoretical. How this could be achieved in reality is beyond my 
> current knowledgebase, but I am sure that someone else with more 
> knowledge in encryption and protection than me, could maybe analyse 
> this further.
> (Sure, most machines are loaded with translators and script 
> interpreters like perl and PHP and many others, which allows for 
> doing quite a lot of damage through scripting.)
>
> Still, it could be something to think about.
> best r
> Bobo


-- 
......................................................................
         __
        / /          Jordi Prats
  C E / S / C A      Dept. de Sistemes
      /_/            Centre de Supercomputació de Catalunya

  Gran Capità, 2-4 (Edifici Nexus) · 08034 Barcelona
  T. 93 205 6464 · F.  93 205 6979 · jprats at cesca.es
...................................................................... 
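An offline integrity check of the kind Jordi asks about and Dave alludes to with tripwire/aide: the analysis host hashes the critical binaries inside a mounted snapshot and compares them with a known-good baseline, so nothing from the possibly compromised image is ever executed. This is an added example, not code from the thread; the list of watched binaries and the file contents are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Binaries a rootkit commonly replaces, relative to the snapshot's mount point.
# The list is an assumption for this example, not something from the thread.
WATCHED = ["bin/ps", "bin/ls", "usr/sbin/lsof"]

def sha256_of(path: Path) -> str:
    """Hash a file by reading its bytes; nothing inside the snapshot is executed."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path, relpaths=WATCHED) -> dict:
    """Record known-good hashes from a trusted image (fresh install or golden snapshot)."""
    return {rel: sha256_of(root / rel) for rel in relpaths if (root / rel).is_file()}

def audit_snapshot(root: Path, baseline: dict) -> dict:
    """Compare a mounted snapshot with the baseline. The analysis host does the
    hashing, so a trojaned ps or lsof inside the snapshot cannot hide itself."""
    report = {"ok": [], "modified": [], "missing": []}
    for rel, good in baseline.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) == good:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    return report

def _fake_root(base: Path, contents: dict) -> Path:
    """Constructed stand-in for a mounted filesystem (sample data, not a real image)."""
    for rel, data in contents.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(data)
    return base

def demo() -> dict:
    """Golden image vs. a snapshot where ps was replaced and lsof deleted (constructed)."""
    with tempfile.TemporaryDirectory() as d:
        golden = _fake_root(Path(d) / "golden", {"bin/ps": b"ELF ps v1",
                            "bin/ls": b"ELF ls v1", "usr/sbin/lsof": b"ELF lsof v1"})
        suspect = _fake_root(Path(d) / "snapshot", {"bin/ps": b"ELF ps trojaned",
                             "bin/ls": b"ELF ls v1"})
        return audit_snapshot(suspect, build_baseline(golden))
```

On a real snapshot, mount the image read-only (and noexec) on the analysis host and point `audit_snapshot` at the mount point; the baseline should come from a trusted image or package metadata, not from the snapshot under test.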
