* Michael H Warfield <[EMAIL PROTECTED]> writes:
> On Tue, Oct 12, 1999 at 10:24:36PM +1000, Steve Youngs wrote:
> [...]
>> Wouldn't tripwire detect the Trojan/module thing as well? I don't
>> know, I haven't setup tripwire here yet.
> Possibly not. Tripwire will detect a modified file and may or may
> not detect additions to critical directories. If you stored the trojan
> module in a non-critical directory, then insmoded it into the kernel, you
> really haven't modified anything that tripwire would be watching. If you
> really needed to, you could copy it to a critical directory, insmod it,
> remove it from the directory, then reset the directory modification times
> back to what they were.
> A kernel module could be inserted into a running kernel without
> modifying any existing files or critical directories or rebooting the
> system. That's far easier and far more difficult to detect.
So not only does the cracker have to get into my box in the first
place, he/she also has to get root access. Hmm, tough ask.
> I've already seen the source code to the new generation stealth
> modules that are running around out there. They get loaded and then
> tinker with the kernel structures so they can't be unloaded or detected
> after insmoding. What they do in the system after loading is up to you.
> They would probably get loaded by some trojan or backdoor out of inetd
> or one of the rc scripts and then act from the kernel layer to hide the
> original trojan or backdoor in a way that is hard to detect from user space.
Nasty. I think the next paragraph has just been made doubly
important.
>> But at the end of the day, it all boils down to one thing... keep the
>> bastards out in the first place.
> No joke!
--
---Regards, Steve Youngs--------Email:-<[EMAIL PROTECTED]>---
| If Microsoft is the answer, then all I can say is that |
| you are asking the wrong question. |
------------------------------<Don't be a Newbie--Be a Gnu-bie>---
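The gap discussed above (a file-integrity check over critical directories sees nothing when a module is loaded from somewhere else) as an added illustration that is not part of the original thread: it baselines content hashes of watched paths alongside the loaded-module list, using constructed file contents, a hypothetical module name and two constructed /proc/modules snapshots.

```python
import hashlib

# Constructed sample data (not from the original thread): a watched "critical"
# directory tree as {path: contents}, and two /proc/modules snapshots in the
# 2.2-era format "name size refcount (flags)".
WATCHED_BEFORE = {
    "/sbin/init": b"init binary v1",
    "/lib/modules/2.2.12/net/ppp.o": b"ppp module",
}
# The hostile module was placed in an unwatched directory and insmod'ed, so
# the watched tree is byte-for-byte unchanged afterwards.
WATCHED_AFTER = dict(WATCHED_BEFORE)
PROC_MODULES_BEFORE = "ppp 20428 1 (autoclean)\n"
PROC_MODULES_AFTER = "ppp 20428 1 (autoclean)\nexample_mod 6120 0 (unused)\n"  # hypothetical module name

def file_baseline(tree):
    """Tripwire-style baseline: one content hash per watched path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}

def diff_files(base, current):
    """Report paths added, removed, or whose hash changed since the baseline."""
    return {
        "added": set(current) - set(base),
        "removed": set(base) - set(current),
        "modified": {p for p in set(base) & set(current) if base[p] != current[p]},
    }

def module_set(proc_modules_text):
    """Names of loaded modules as reported by /proc/modules (first column)."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}

def diff_modules(base, current):
    """Modules that appeared or vanished relative to the baseline snapshot.
    Caveat from the thread: a module that unhooks itself from the kernel's
    module list will not show up here, so an empty diff is not proof of absence."""
    return {"added": current - base, "removed": base - current}

def audit():
    """Run both checks and return their diffs; the file check alone reports nothing."""
    files = diff_files(file_baseline(WATCHED_BEFORE), file_baseline(WATCHED_AFTER))
    mods = diff_modules(module_set(PROC_MODULES_BEFORE), module_set(PROC_MODULES_AFTER))
    return {"files": files, "modules": mods}

if __name__ == "__main__":
    report = audit()
    print("file integrity diff:", report["files"])    # all empty: the file check sees nothing
    print("loaded-module diff :", report["modules"])  # {'added': {'example_mod'}, 'removed': set()}
```

On a real host the snapshots would be read from disk and /proc/modules at baseline time and stored off-box; the module-list comparison only adds value against a module that has not already hidden itself, which is exactly the limitation the thread describes.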