Re: yes, its t0rn again

[Robert Horn <[EMAIL PROTECTED]>]

On  3 Jan, Andreas Hasenack wrote:
> Em Tue, Jan 02, 2001 at 11:33:45PM -0800, Andrew Edelstein escreveu:
>> Make sure your md5sum binary is also on immutable media. It doesn't do you any
>> good to have known good checksums, if the binary that does the checking can be
>> hacked to tell you what the hacker wants it to tell you.
>
> That may also not be enough. A library could have been hacked, md5sum should be
> statically linked. And, if a kernel module has been inserted, then all bets
> are off, you would have to reboot from a known kernel to be sure.

One convenience for some systems is to create a mountable and bootable
CDROM with:
 1. The md5sums
 2. A program for checking the md5sums.  If you write one of your own
    in C or some other language that generates executable code you
    increase the difficulty of a modified kernel recognizing and
    defeating it.
 3. A usable small complete OS for initial forensics.

A modified kernel can hide modifications by trapping filesystem I/O, so
only rebooting directly from the CDROM with the known good OS and tools
is the only way to detect kernel modifications.  Using a CDROM is just a
convenience. It avoids dis-assembling the computer to take the suspect
disks over to another known good system for analysis.  It is usually
much easier to reboot from the CDROM.

If they've penetrated the boot ROM, well, you can reflash it from a
known good copy.

R Horn