Business case for switching to Linux

Walter Dnes waltdnes-SLHPyeZ9y/tg9hUCZPvPmw at public.gmane.org
Sun Apr 9 11:06:06 UTC 2006


On Fri, Apr 07, 2006 at 12:52:24AM -0400, John Van Ostrand wrote

> Since most rootkits replace the same binaries the procedure could be as
> simple as:
> 
> chattr -ias /bin/* /sbin/* /usr/sbin/* /usr/bin/* /etc/*

  And what's to prevent a rootkit from issuing a chattr command to
unprotect those files?

> rpm -ivh --noscripts --force procps... psutils... findutils... etc. etc.

  *ASSUMING*, of course, that the RPM and psutils and findutils binaries,
themselves, haven't been compromised by a rootkit, or that the rootkit
hasn't patched the kernel to hide bad files/processes from these utils.

> A quick ps check will show the nasty processes. A find using the
> date stamp of the worm executable will locate other files. A removal of
> the worm exe will prevent it from starting even if you don't check for
> startup code (inittab, cron, profile, etc.)

  This may work against amateur skript-kiddie level worms.  A rootkit
written for the Russian Mob is likely to be much more difficult to
remove without re-imaging.  "RRU" (Re-partition, Re-install, and Update)
is still the best advice.

-- 
Walter Dnes <waltdnes-SLHPyeZ9y/tg9hUCZPvPmw at public.gmane.org> In linux /sbin/init is Job #1
My musings on technology and security at http://tech_sec.blog.ca
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
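The "find using the date stamp" step John describes above, written out as an added example (this is not code from either poster or from the TLUG thread). It assumes only POSIX `find`, `touch -t` and `mktemp -d`; the function name `files_modified_between` and the constructed sample files are mine. It uses two sentinel files as the window boundaries so that `find -newer` / `! -newer` can express "modified between T1 and T2" portably. Walter's caveat applies unchanged: a rootkit that forges timestamps or patches the kernel to hide files will not show up here, so treat the output as triage input, not as evidence that a box is clean.

```shell
#!/bin/sh
# Added example, not from the original thread.
# List regular files under DIR whose modification time lies in the window
# (START_TS, END_TS], with timestamps in touch -t format: [[CC]YY]MMDDhhmm[.SS].
# Built from POSIX find tests: "-newer X" is mtime strictly newer than X,
# "! -newer Y" is mtime not newer than Y.
files_modified_between() {
    dir=$1
    start_ts=$2
    end_ts=$3
    work=$(mktemp -d) || return 1
    # Sentinel files carry the window boundaries as their mtimes.
    touch -t "$start_ts" "$work/start" || { rm -rf "$work"; return 1; }
    touch -t "$end_ts"   "$work/end"   || { rm -rf "$work"; return 1; }
    find "$dir" -type f -newer "$work/start" ! -newer "$work/end"
    status=$?
    rm -rf "$work"
    return $status
}

# Demonstration on constructed sample files (assumed data, not a real incident):
# a suspect binary and a sibling dropped five minutes later should be listed;
# an unrelated file from months earlier should not.
demo() {
    sample=$(mktemp -d) || return 1
    touch -t 200604070100 "$sample/suspect"
    touch -t 200604070105 "$sample/dropped_sibling"
    touch -t 200601010000 "$sample/old_unrelated"
    # Window: thirty minutes either side of the suspect file's mtime.
    files_modified_between "$sample" 200604070030 200604070130
    rm -rf "$sample"
}

# Run the demo only when executed directly, so the function can be sourced.
case "$0" in
    *files_modified_between*|*find_by_mtime*) demo ;;
esac
```

In a real triage the START_TS/END_TS window would come from the suspect file's own mtime (for example via `ls -l --time-style=full-iso` or `stat`, both non-POSIX), and the scan would be run from known-good media rather than with the host's own `find`, since the thread's whole point is that the on-disk utilities may themselves be replaced.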