Vincent Archer wrote:
On Sun, 2007-05-13 at 23:07 -0700, Andrew Farmer wrote:
This script really doesn't prove anything, though. All it shows is
that a compromised machine can be difficult to impossible to clean
properly - which has been known for a *long* time. Ken Thompson
discussed a much cleverer one in "Trusting Trust". It's also worth
noting that this is in no way specific to UNIX systems. It's simply
an unalterable fact that, once an attacker has had full access to the
machine, it's possible for them to make changes which will allow them
reentry at a later date.
I don't have (and I doubt anybody around here can) the proof to make
this a theorem, but it is a good postulate:
- It is impossible to prove the integrity of a computing system from
within the same system.
In olden days, this created the fundamental rules for systems like
Tripwire: place the signatures on non-alterable storage, run tripwire in
single user mode (ahh, the naive assumption that single user mode would
be safe enough).
Today, the preferred method of checking the integrity of a system
involves virtualisation of said system, and verification from the
hosting component of the hosted one. Or the hammer approach of erasing
the state of the system after use, and rolling it back to a "proven"
safe and stable one.
I've added a function to hide the script from showing up on Samhain
awk -vfilename=$filename '{print "perl -pi -e
'\''s/'$filename'/samhain/g'\''"}' /var/log/samhain_log|sh
What is does when run now is look for the instance of its name (the
backdoor's name) and rename it to Samhain. So if the file created
is called foo.h and Samhain logs it, it will go and rename foo.h
in the logs to Samhain. Tripwire is no difference unless both logs
are kept offline. On a side note, I started tinkering with a triple
threat mechanism of checksums: (SHA1 + MD5 + RIPE160)
http://www.infiltrated.net/scripts/saki.html
Just don't know if I want to devote time to doing a full blown
program. It works as is, but does nothing more than checksum
whatever is in my current path of which later I can do a diff
etc.
--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'
"Wise men talk because they have something to say;
fools, because they have to say something." -- Plato
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
