Kieran <[EMAIL PROTECTED]> writes: > On 7 Jan 2002, Steve Mynott wrote: > > > If you have any indication of (2) the only thing to do is to check the > > entire file tree against offline secure checksums (SHA1 prefered to > > MD5) and reinstall from write only media. > > > A point and a question: > If the root kit uses a kernel module to hide evidence of tampering, and > unlinks binaries after they have been run in daemon mode, even checksums > aren't gonna help you much.
Correct you can't trust any binaries on a comprised system. I would define two sorts of backdoor - transient like a loadable module or program running on a high port or permanent like a modified SSHD (typically to capture passwords or supply a partly hidden root login). > <troll>I'd guess that the only cure for that kind of attack is "reboot > early, reboot often</troll> A reboot may stop some transient backdoors (assuming the system hasn't been altered to restart them) but what about if the actual kernel binary image or libraries have been patched on the disk? > And the question: has anyone actually heard of a cracker forging md5 > checksums? The vast majority of UNIX crackers have few if any UNIX skills and are unlikely to do this in reality unless someone writes a nice simple "tewl" for them (which usually happens). But a lot of systems are probably misconfigured with the md5 checksums writable (they should be on non-writable media). In this case the cracker simply would regenerate the checksums for the backdoored binaries, copy them over and use a tool like "fixer" (from the original SunOS 4 rootkit) to hack all the times on the checksums back to what they were. There was also a hackers tool floating around in the mid 1990s called "md5f1xer". I can't remember exactly how this worked but I think it was a hacked library (libc or maybe the math library) intended for use against tripwire which basically still reported OK for hacked files. If you follow the tripwire instructions to the letter it probably doesn't work (its basically a patch to tripwire itself which shouldn't be possible) but (like PGP and most of this security stuff) it probably works against a lot of common misconfigured systems. Another attack would be very carefully looking at the tripware protected database and the files on the target system to see if anything obvious has been missed which could be "leveraged" to evil intent. I would guess that many admins might remove commonly edited conf files from the tripwire database to prevent false alerts. The original "fixer" itself was able to spoof sum(1) checksums by padding out the file and there are apparently theoretical attacks on the MD5 hash itself (SHA1 is now prefered), although I suspect actual MD5 spoofing proper probably still isn't practical. -- Steve Mynott <[EMAIL PROTECTED]>
