* Marc Mutz <[EMAIL PROTECTED]> writes:

> Steve Youngs wrote:

>> This assumes that the intruder has write access to your filesystem.
>> By this stage it is too late.  And whether you use modules or not is
>> not going to make much difference.  The intruder could just as easily
>> overwrite your kernel image with an evil one, re-run lilo then cause
>> the system to go down for reboot.

> You do not understand. A typical cracker will not aim at your computer.
> It will be far too uninteresting. A typical cracker will try to use your
> computer as a relay to other - perhaps more interesting - machines in
> the local network, e.g.

The cracker still has to get into the system in the first place.  Up
to date software, good firewalling and well thought through security
practices will stop all but the most determined cracker.  The cracker
may only want to use your box as a relay to somewhere else, but he/she
is going to look for an easy target.  So even moderate security may
put them off.

> So if he installs new programs or a new kernel, it will be detected by
> tripwire the next time you run it.

Wouldn't tripwire detect the Trojan/module thing as well?  I don't
know, I haven't set up tripwire here yet.

> A compromised system is not so much of a problem as long as the
> intrusion is readily detected and counter-measures taken. What is REALLY,
> REALLY a problem is when a Trojan Horse sits in your LAN and sneaks all
> your users' passwords, analyzes network traffic, installs Trojans on
> other boxes in your LAN and does any other ugly thing you can think of
> for weeks WITHOUT being detected. Then the intruder can hit your LAN
> quite hard once he feels the time is right.

> Having said that, said module would be absolutely perfect for that. It
> could

> 1.) Hide itself through replacement read/write syscalls
> 2.) Switch your eth card into promiscuous mode and quietly analyze your
> traffic and mail the results to your address
> 3.) Sneak passwords by listening to the keyboard and installing itself on
> other - more central - boxes.
> 4.) Fake your backups for a few weeks
> 5.) On Dec 24th issue rm -rf / simultaneously on all machines it
> compromised.

Surely it would be better to use something that is guaranteed to be
run like inetd for the Trojan rather than a module that may not even
get loaded.

But at the end of the day, it all boils down to one thing... keep the
bastards out in the first place.


-- 
---Regards, Steve Youngs--------Email:-<[EMAIL PROTECTED]>---
|     If Microsoft is the answer, then all I can say is that     |
|               you are asking the wrong question.               |
------------------------------<Don't be a Newbie--Be a Gnu-bie>---
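The question above (would tripwire catch a replaced kernel or a new module file?) comes down to comparing file digests against a stored baseline. The following is an added illustration written for this page, not tripwire's own code: it snapshots a directory tree, then reports added, removed and modified files. The directory names and file contents are constructed for the demo.

```python
"""Minimal tripwire-style integrity check (added illustration, not tripwire).

Baseline (path -> SHA-256) over a tree, then diff a later snapshot against it.
Caveat from the thread: a module that hooks read() can lie to a checker run on
the live system, so baselines and checks belong on known-good media.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(baseline, current):
    """Return sorted lists of (added, removed, modified) relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Constructed scenario: a module file is replaced and an extra module appears."""
    with tempfile.TemporaryDirectory() as root:
        mods = os.path.join(root, "lib", "modules")
        os.makedirs(mods)
        with open(os.path.join(mods, "net.ko"), "wb") as fh:
            fh.write(b"original module bytes")
        with open(os.path.join(root, "vmlinuz"), "wb") as fh:
            fh.write(b"kernel image")
        baseline = snapshot(root)
        # Simulated tampering after the baseline was recorded.
        with open(os.path.join(mods, "net.ko"), "wb") as fh:
            fh.write(b"replaced module bytes")
        with open(os.path.join(mods, "extra.ko"), "wb") as fh:
            fh.write(b"unexpected new module")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```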
