
Re: [cobalt-security] Security Practices (WAS: SFTP on Raq4 as Root?)



Someone else pointed out that an attacker or his rootkit could replace your
md5sum binary with one that reported the expected values for trojaned
files, to make it look like you haven't been attacked.  It just occurred to
me that one could store a second copy of that program in a location where
the attacker wouldn't look, so you can make sure the actual md5sum is valid
before it makes sure everything else is valid.  This could even be done
from an unprivileged user's crontab, to obscure it even more.

At 02:26 PM 8/5/01 +0200, Ake Brannstrom wrote:
>If you have checksums of all your binaries you could possibly skip step 6. I
>use a software called tripwire to check the integrity of my binaries and
>files.


--------------------------------------------------------------------------
Ted Behling, Web Application Developer - Monarch Information Systems, Inc.

43 Folly Field Road, Unit 4, Hilton Head Island, SC 29928-5434
E-mail: mailto:TBehling@xxxxxxxxxxxxx
Phone/Fax: 1-800-842-7894    Local or Outside the USA: 1-843-842-7894
Cell Phone (urgent issues): 843-816-7895
Cell Phone E-mail: mailto:TedPhone@xxxxxxxxxxxxx (116 letter limit)
Web site: http://www.MonarchIS.net
--------------------------------------------------------------------------
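The "verify the verifier" idea from the post above, as an added example that is not part of the original message: a private copy of the hasher first checks the system md5sum against a stored reference, and only then is the system md5sum trusted to check the file manifest. The private directory, the reference file names and the cron line are assumptions, not anything from the thread.

```sh
#!/bin/sh
# Added example. Assumed layout: $priv holds the second (trusted) copy of the
# hasher plus two reference files written at baseline time.
set -u

# baseline SYS_HASHER PRIVATE_DIR FILE...
# Copies the system hasher into the private dir, records the hash of the
# system hasher (measured by the private copy) and a manifest of the files.
baseline() {
    sys="$1"; priv="$2"; shift 2
    mkdir -p "$priv"
    cp "$sys" "$priv/hasher"                      # second copy, kept out of sight
    "$priv/hasher" "$sys" > "$priv/hasher.ref"    # reference for the system binary
    "$priv/hasher" "$@"   > "$priv/files.ref"     # manifest of the watched files
}

# check SYS_HASHER PRIVATE_DIR
# Step 1: the private copy verifies the system hasher. Step 2: the system
# hasher, now known good, verifies the manifest. Prints one status word and
# returns 1 on any mismatch so a cron job or mail filter can act on it.
check() {
    sys="$1"; priv="$2"
    if ! "$priv/hasher" -c "$priv/hasher.ref" >/dev/null 2>&1; then
        echo "hasher tampered"; return 1
    fi
    if ! "$sys" -c "$priv/files.ref" >/dev/null 2>&1; then
        echo "file mismatch"; return 1
    fi
    echo "ok"
}

# Assumed crontab line for the unprivileged user (paths are placeholders):
#   17 3 * * * /home/auditor/.cache/.integrity/check.sh check /usr/bin/md5sum /home/auditor/.cache/.integrity
case "${1:-}" in
    baseline) shift; baseline "$@" ;;
    check)    shift; check "$@" ;;
esac
```

A kernel-level rootkit that intercepts file reads can feed both copies the same false bytes, so the private copy only raises the bar against a swapped userland binary; it does not replace a read-only or offline baseline.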