Re: chkrootkit and rkhunter are too old ?
Hugo Vanwoerkom wrote:
> Good point. Too bad tripwire isn't on Knoppix.

One might e-mail Knopper :-)

One might also do his own respin :-)

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: chkrootkit and rkhunter are too old ?
David Brodbeck wrote:
> On Jul 13, 2007, at 4:03 PM, Douglas Allan Tutty wrote:
>> On Fri, Jul 13, 2007 at 11:57:44AM -0700, David Brodbeck wrote:
>>> * The exception is if tripwire or aide is used after booting from a
>>> read-only medium (such as a live CD) and uses checksums that are also
>>> retrieved from read-only media. But few people do it this way because
>>> it's a lot of work to maintain and requires taking the machine down to
>>> do a check.
>>
>> Is there no way for a 'secure' host to check the md5sums on a remote
>> host via scp or something? The checksums could be on that secure host
>> (or on a CD in a drive on the secure host)?
>
> Then you have to worry about sshd on the remote host being trojaned so it
> feeds you what you expect to see, not the actual data.
>
> If you're assuming a machine might have been compromised, you can't trust
> *any* binaries on that machine, full stop. You also can't trust its
> kernel, so running binaries off a CD without rebooting doesn't help,
> either -- you may only *think* it's running your binaries, while it's
> actually running a trojaned version.
>
> This isn't to say that tools like tripwire don't have any value, but it's
> important to recognize their limitations. If you run a local copy of
> tripwire on a machine, if it fails you know the machine is compromised.
> But if it succeeds, you still can't be sure the machine is clean.

Good point. Too bad tripwire isn't on Knoppix.

Hugo
Re: chkrootkit and rkhunter are too old ?
On Jul 13, 2007, at 4:03 PM, Douglas Allan Tutty wrote:
> On Fri, Jul 13, 2007 at 11:57:44AM -0700, David Brodbeck wrote:
>> * The exception is if tripwire or aide is used after booting from a
>> read-only medium (such as a live CD) and uses checksums that are also
>> retrieved from read-only media. But few people do it this way because
>> it's a lot of work to maintain and requires taking the machine down to
>> do a check.
>
> Is there no way for a 'secure' host to check the md5sums on a remote
> host via scp or something? The checksums could be on that secure host
> (or on a CD in a drive on the secure host)?

Then you have to worry about sshd on the remote host being trojaned so it
feeds you what you expect to see, not the actual data.

If you're assuming a machine might have been compromised, you can't trust
*any* binaries on that machine, full stop. You also can't trust its kernel,
so running binaries off a CD without rebooting doesn't help, either -- you
may only *think* it's running your binaries, while it's actually running a
trojaned version.

This isn't to say that tools like tripwire don't have any value, but it's
important to recognize their limitations. If you run a local copy of
tripwire on a machine, if it fails you know the machine is compromised. But
if it succeeds, you still can't be sure the machine is clean.

David Brodbeck
Information Technology Specialist 3
Computational Linguistics
University of Washington
Re: chkrootkit and rkhunter are too old ?
On Fri, Jul 13, 2007 at 11:57:44AM -0700, David Brodbeck wrote:
> * The exception is if tripwire or aide is used after booting from a
> read-only medium (such as a live CD) and uses checksums that are also
> retrieved from read-only media. But few people do it this way
> because it's a lot of work to maintain and requires taking the
> machine down to do a check.

Is there no way for a 'secure' host to check the md5sums on a remote host
via scp or something? The checksums could be on that secure host (or on a
CD in a drive on the secure host)?

Doug.
Re: chkrootkit and rkhunter are too old ?
On Jul 10, 2007, at 1:13 PM, Sven Hoexter wrote:
>> Else, what can I use to test the integrity of my system?
> apt-get install aide, tripwire or one of the similar tools and learn how
> to use them.

To be honest, I think the value of these tools as they're usually applied*
is quite dubious. A hacker with enough access to install a rootkit could
also trojan tripwire or aide so that it doesn't report the security breach.
As such I think you can get a false sense of security. The same criticism
applies to rkhunter and chkrootkit, of course.

* The exception is if tripwire or aide is used after booting from a
read-only medium (such as a live CD) and uses checksums that are also
retrieved from read-only media. But few people do it this way because it's
a lot of work to maintain and requires taking the machine down to do a
check.

David Brodbeck
Information Technology Specialist 3
Computational Linguistics
University of Washington
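The procedure David's footnote describes, and the point in his later reply that a clean report from code running on the suspect host proves nothing, as an added example that is not from the thread or from tripwire/AIDE: the verifier and the baseline digests come from trusted read-only media and the suspect root filesystem is only mounted (as from a live CD), never booted. The file tree, the replaced `bin/ls`, the removed `bin/ps` and the planted `lib/libhide.so` in `demo()` are constructed sample data.

```python
"""Offline integrity check: the verifier and baseline digests live on trusted
read-only media; the suspect root is only mounted, never booted. Constructed
example, not code from the list posters or from tripwire/AIDE."""
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Digest every regular file under root (root-relative paths as keys).
    Run once while the system is known good; store the result read-only."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest

def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the mounted root against the baseline. As the thread notes,
    this is only meaningful when the code doing it is not running on the
    suspect host's kernel and binaries."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline taken, then one binary replaced, one
    removed and one file planted, as a rootkit install might do."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls")
        (root / "bin" / "ps").write_bytes(b"original ps")
        baseline = build_manifest(root)  # this is what goes on read-only media
        (root / "bin" / "ls").write_bytes(b"trojaned ls")  # replaced binary
        (root / "bin" / "ps").unlink()  # removed
        (root / "lib").mkdir()
        (root / "lib" / "libhide.so").write_bytes(b"planted")  # added file
        return verify(root, baseline)
```

In real use `root` would be the mount point of the suspect disk and `baseline` would be parsed from a `sha256sum`-style file on the read-only medium; the comparison logic is unchanged.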
Re: chkrootkit and rkhunter are too old ?
On Tue, 2007-07-10 at 22:13 +0200, Sven Hoexter wrote:
> On Tue, Jul 10, 2007 at 02:54:04PM +, KLEIN Stéphane wrote:
> > Hello,
> >
> > I am looking for a rootkit checker. I found these tools:
> >
> > * chkrootkit (http://www.chkrootkit.org/)
> > * rkhunter (http://rkhunter.sourceforge.net/)
> >
> > The last chkrootkit version dates from 30/09/2006 (1.2.9) and rkhunter's
> > from 10/10/2006. These tools are nearly two years old. Haven't there
> > been new rootkits since that date? If so, aren't there other tools to
> > check my box?
> Well, sometimes upstream development stops for some reason. To be honest,
> those tools had a lot of false positives over the years whenever some
> kernel-based process changed its name, and other things like that.
>
> > Else, what can I use to test the integrity of my system?
> apt-get install aide, tripwire or one of the similar tools and learn how
> to use them.
>
> Cheers,
> Sven

I still use rkhunter and chkrootkit. chkrootkit checks common locations and
styles of exploits. rkhunter works equally well. Tripwire or Samhain are
better than either but more involved in set-up. Samhain is another file
integrity checker.
Re: chkrootkit and rkhunter are too old ?
On Tue, Jul 10, 2007 at 02:54:04PM +, KLEIN Stéphane wrote:
> Hello,
>
> I am looking for a rootkit checker. I found these tools:
>
> * chkrootkit (http://www.chkrootkit.org/)
> * rkhunter (http://rkhunter.sourceforge.net/)
>
> The last chkrootkit version dates from 30/09/2006 (1.2.9) and rkhunter's
> from 10/10/2006. These tools are nearly two years old. Haven't there been
> new rootkits since that date? If so, aren't there other tools to check my
> box?

Well, sometimes upstream development stops for some reason. To be honest,
those tools had a lot of false positives over the years whenever some
kernel-based process changed its name, and other things like that.

> Else, what can I use to test the integrity of my system?

apt-get install aide, tripwire or one of the similar tools and learn how to
use them.

Cheers,
Sven
-- 
If you won't forgive me the rest of my life
Let me apologize while I'm still alive
I know it's time to face all of my past mistakes
 [Less than Jake - Rest Of My Life]