On Fri, Apr 19, 2002 at 02:47:08PM +0200, Jan Johansson wrote:
> > Why do some people say that e.g. Tripwire doesn't discover it?
>
> Then they don't know what they are saying. I would say that Tripwire /
> AIDE / such will be 100% efficient in detecting kits _PROVIDING_ that
> your database is current, and is stored in a tamper-proof location...
> and of course you actually use and update the IDS database.
I've heard of, but not confirmed the existence of, a root kit that is not detected by Tripwire and other intrusion detection software. It does this by keeping a backup of the original utility (e.g. ls, ps, etc.) and then provides either its own utility or the original depending on how it is opened (e.g. if by ld.so, open trojan, else open original).

I think that as long as the source of the "open" system call can be determined, a carefully crafted root-kit might be able to remain undetected as long as the system is running tainted code. I think the only way to be sure that a utility such as tripwire works is to run it on an untainted system (i.e. boot from known good floppy/CD before running the software).

Am I just being paranoid, or is this sort of compromise really possible?

Patrick
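The two points in this exchange, that an integrity database is only useful if it is current and tamper-proof, and that the checker itself must run on a trusted system, can be illustrated with a small baseline-and-compare script. The following is an added example written for this thread, not code from Tripwire, AIDE or either poster: it builds a fingerprint database of a constructed file tree, protects that database with an HMAC whose key is meant to live offline, then re-scans after a binary has been modified and a file added. All file names, contents and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile


def file_fingerprint(path):
    """SHA-256, size and permission bits of one file (what an integrity DB records)."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root):
    """Walk a tree and fingerprint every regular file, keyed by path relative to root."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root)] = file_fingerprint(full)
    return entries


def sign_baseline(entries, key):
    """Serialise the database and tag it with an HMAC so modifications are detectable.
    The key must be kept off the monitored host (the 'tamper-proof location')."""
    payload = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload, tag


def load_baseline(payload, tag, key):
    """Refuse to use a database whose HMAC no longer verifies."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline database failed integrity check")
    return json.loads(payload)


def compare(baseline, current):
    """Report added, removed and changed paths between two scans."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline two fake binaries, then alter one and add one."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name, body in (("ls", b"#!/bin/sh\necho ls\n"), ("ps", b"#!/bin/sh\necho ps\n")):
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(body)

        key = b"constructed-demo-key-store-me-offline"   # assumption: key held off-host
        payload, tag = sign_baseline(build_baseline(root), key)

        # A binary is modified and an unexpected file appears after the baseline was taken.
        with open(os.path.join(bindir, "ls"), "ab") as fh:
            fh.write(b"# modified after baseline\n")
        with open(os.path.join(bindir, "netstat"), "wb") as fh:
            fh.write(b"#!/bin/sh\necho netstat\n")

        report = compare(load_baseline(payload, tag, key), build_baseline(root))

        # Someone edits the database itself to hide the change: the HMAC rejects it.
        tampered = payload.replace(b'"bin/ls"', b'"bin/Ls"')
        try:
            load_baseline(tampered, tag, key)
            db_rejected = False
        except ValueError:
            db_rejected = True
        return report, db_rejected


if __name__ == "__main__":
    print(demo())
```

Note what this does and does not cover: the HMAC protects the database, addressing Jan's "tamper-proof location" condition, but every hash here is computed through the running kernel and C library. That is exactly the gap Patrick describes, and it is why the scan is only trustworthy when the checker and its key are run from known-good boot media rather than from the host being checked.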