This thread raises some interesting points, but I've seen a few
misconceptions in it too.
First let me clear up the misconceptions.
1) busybox is meant to make the footprint on an appliance or live
"CD" type distro smaller; it is not for security. Rootkits that replace
busybox have been seen in the
Hi Steven J. Yellin!
On 2016.09.07 at 19:03:32 -0700, Steven J. Yellin wrote next:
> Are rpm and the check sum tools statically linked? If not, hiding
> copies of them might not help if libraries have been compromised. But
> busybox is statically linked, and it looks like it can be easily
Hi jdow!
On 2016.09.07 at 19:18:32 -0700, jdow wrote next:
> Is the part of the filesystem which handles links in kernel space or user
> space? That would make a great deal of difference as this rootkit tool
In kernel (except for soft links, for them it's partially in user space,
kind of,
et, even Red Hat products like RHEV use that
method on appliances.
Original Message
From: jdow
Sent: Wednesday, September 7, 2016 19:09
To: scientific-linux-users@fnal.gov
Subject: Re: Re: Regarding latest Linux level 3 rootkits
Thanks Vladimir,
I suppose I could pull the necessary files from busybox as a means of keeping a
more generic Linux system in security trim. This might be a useful tool set to
suggest upstream. A statically linked less would allow a quick check for the
hidden user. A statically linked
Hi jdow!
On 2016.09.06 at 23:15:04 -0700, jdow wrote next:
> Is there any source for a VI, VIM, or even EMACS that has all libraries
> compiled into it statically? That would make monitoring for the rootkit much
> easier. The same could be said for utilities such as chkrootkit. With
> compiled
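One way to settle the question asked in this thread, whether rpm, the checksum tools or an editor are really statically linked, without running the binary or its dynamic loader (which `ldd` invokes): read the ELF program headers and look for a PT_INTERP entry. This is an added example, not code from the list or from busybox; the "static means no PT_INTERP" rule is an assumption stated in the code, and the sample ELF images it checks are constructed inside the block.

```python
"""Classify an ELF binary as static or dynamic from its program headers (added example).

Assumption, not from the thread: "static" means no PT_INTERP entry, i.e. no request
for a dynamic loader. A static-PIE carries PT_DYNAMIC but no PT_INTERP, so PT_INTERP
decides. The file is only parsed, never executed, unlike the `ldd` approach."""
import struct
import sys

PT_DYNAMIC, PT_INTERP = 2, 3

def elf_link_info(data: bytes) -> dict:
    """Return {'static', 'has_interp', 'has_dynamic'} for an ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"      # EI_DATA: 1 little-endian, 2 big-endian
    if ei_class == 2:                        # ELF64: e_phoff @0x20, e_phentsize/e_phnum @0x36
        e_phoff = struct.unpack_from(end + "Q", data, 0x20)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    elif ei_class == 1:                      # ELF32: e_phoff @0x1C, e_phentsize/e_phnum @0x2A
        e_phoff = struct.unpack_from(end + "I", data, 0x1C)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    else:
        raise ValueError("unknown ELF class")
    # p_type is the first dword of every program header in both ELF classes
    types = {struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0]
             for i in range(e_phnum)}
    return {"has_interp": PT_INTERP in types, "has_dynamic": PT_DYNAMIC in types,
            "static": PT_INTERP not in types}

def check_path(path: str) -> dict:
    """Classify a file on disk, e.g. /usr/bin/rpm, /usr/bin/sha256sum or busybox."""
    with open(path, "rb") as fh:
        return elf_link_info(fh.read())

def fake_elf64(p_types) -> bytes:
    """Constructed sample: minimal little-endian x86-64 ELF header plus empty
    program headers of the given types. Parsed only, never run."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                              64, 56, len(p_types), 64, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0)
                          for t in p_types)

if __name__ == "__main__":  # usage: python3 elf_static_check.py /usr/bin/rpm ...
    for p in sys.argv[1:]:
        info = check_path(p)
        print(f"{p}: {'statically linked' if info['static'] else 'dynamic (needs ld.so)'}")
```

Run it from a known-good medium against the tools you intend to hide copies of; a binary that reports "dynamic" depends on whatever libc and ld.so are installed on the possibly compromised host.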