Trojan Found

D. Joe kclug at etrumeus.com
Tue Mar 1 17:35:21 CST 2005


On Sun, Feb 27, 2005 at 09:28:36PM -0600, Don Erickson wrote:
> 
> I'm just saying what I would do if it were my box.  I wouldn't base any
> decision as to the integrity of the box on the output of the utilities on
> the box itself.

Bingo.

I understand and appreciate the value of the hash information,
both from the rpm database and from tripwire.

What neither covers (well, maybe tripwire would, I don't know, I
guess it depends on how it's used) are changes to files that
have been *added*.  i.e., you might be able to track changes in ls
or ps or other known system binaries, but if an executable file
were added elsewhere to the filesystem, would you know it just
by looking at a list of checksums of known files?  You wouldn't,
because you wouldn't have a checksum of its predecessor file.
You'd have to have a completely comprehensive look at *all*
files, and the rpm verify doesn't give that.

So, have you looked for files set to be executable elsewhere in
the filesystem, especially files owned by root or most
especially files setuid root hidden in some out of the way
directory?  Maybe you have, I don't recall reading that, though.

And I feel your pain about the lack of control you have over the
cgi on the box, but a cgi program that gives user-level
executable access to a setuid-root binary is all it would take.

I've started to put cgi behind proxies to try to give myself
another layer between me and the bad guys.

Oh, and about booting the thing into KNOPPIX, why not?  Mail the
guys a CD and tell 'em to stick it in and fire it up.  If they
aren't up to configuring the network themselves, write yourself
a script to do it and put it on the disk (from the
knoppix-cheatcodes.txt file):

   From Version 2.1 and up, a file called "knoppix.sh", if
   located in the toplevel KNOPPIX directory on CD, will also be
   executed at startup. This makes it easier to create
   customized versions without having to change anything on the
   compressed filesystem KNOPPIX/KNOPPIX.

Put a copy of (one of) your ssh public key(s) on there and
you're all set.

-- 
D. Joe Anderson        http://www.etrumeus.com/~deejoe
deejoe at raccoon.com     deejoe at etrumeus.com
You're free. Now go help the others.
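The check the post describes (look for setuid/setgid files that no rpm package accounts for, and do it from a rescue boot rather than trusting the box's own binaries), as an added example that is not part of the original message. It assumes the suspect root filesystem is mounted read-only at a path you pass as the first argument, that GNU find is available, and that the rescue CD's rpm can read the mounted box's database via --dbpath.

```shell
#!/bin/sh
# Run from a rescue boot (e.g. KNOPPIX) with the suspect root filesystem
# mounted read-only at $ROOT, so find/rpm/sort come from the CD and not
# from the box whose integrity is in question.
set -eu

# Setuid/setgid regular files below a mounted root, printed as paths
# relative to that root with the leading slash restored, so they compare
# directly against the paths stored in the rpm database.
list_setxid() {
    root="$1"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '/%P\n' | sort -u
}

# Every file claimed by any installed package, read straight from the
# mounted disk's rpm database (constructed path: $ROOT/var/lib/rpm).
owned_from_rpmdb() {
    root="$1"
    rpm --dbpath "$root/var/lib/rpm" -qal | sort -u
}

# Setuid/setgid files that no package claims: the "added elsewhere" case
# that rpm --verify never sees, because it only checks files it knows.
# $2 is a sorted list of package-owned paths (one per line).
unowned_setxid() {
    root="$1"
    owned="$2"
    list_setxid "$root" | comm -23 - "$owned"
}

# Usage: sh this_script.sh /mnt/suspect_root
# Files it prints deserve a look; package-owned setuid files should then
# still be checked with rpm --verify against a trusted database.
if [ $# -ge 1 ]; then
    owned_list=$(mktemp)
    owned_from_rpmdb "$1" > "$owned_list"
    unowned_setxid "$1" "$owned_list"
    rm -f "$owned_list"
fi
```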