[oclug]iptables and modules
Michael P. Soulier
msoulier at storm.ca
Thu Oct 17 19:50:47 EDT 2002
On 16/10/02 Ross Jordan did speaketh:
> I'm just catching the end of this, but the use of modules does
> decrease the overall security of the system.
> The normal procedure after r00ting a box is to promptly
> rootkit the box, replacing system binaries with trojaned
> versions (usually commands like netstat, ps, ls, login,
> passwd etc.). Then (possibly) system logs are cleaned.
> Of course this will be easily detected as the trojaned
> binaries will be caught by tripwire during its next invocation
> (with hashes stored on read only media). With modules
> however, the hacker can install a kernel level rootkit.
> The kernel level rootkit creates a complete and utter
> fantasy world for the sysadmin. Binary execution can
> be redirected, old file checksums match (tripwire doesn't
> notice any problems). One might argue that the hacker
> could just recompile the kernel and not bother with
> modules -- this would minimally require a reboot which
> would be hopefully caught.
Is it really all that difficult to accomplish the same thing if you have
root access to the box, without modifying the kernel? I wouldn't think so, if
you're already giving the hacker the kind of kernel-hacking skills it would
require to do the above.
Michael P. Soulier <msoulier at storm.ca>, GnuPG pub key: 5BC8BE08
"...the word HACK is used as a verb to indicate a massive amount
of nerd-like effort." -Harley Hahn, A Student's Guide to Unix
HTML Email Considered Harmful: http://expita.com/nomime.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
Url : http://tux.oclug.on.ca/pipermail/oclug/attachments/20021017/14d2f547/attachment.bin
More information about the OCLUG