Intrusion Detection Systems mailing list archives

RE: strings in backdoor binaries


From: ken () wellconnected com (Kenneth Simpson)
Date: Sun, 30 Apr 2000 13:06:27 -0700 (PDT)


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

Hi - actually, tripwire *IS* commercial software - see 

        http://www.tripewire.com
        
You might want to ask them your question (it's not clear I 
understand your question.)
        
And spending money may give you a warm fuzzy feeling but it's 
security based on obscurity. 

Second, we've been hacked twice and both times the sniffer and 
the backdoor daemon were placed in the directory 

        ... 
        
in /var/spool/lp - directories typically not checked by tripwire
or aide because of the noise it would generate.

Detecting trojan horses is only a small part of any security policy - 
and just about any *simple*-minded scheme will work for gathering 
digital signatures on critical system binaries provided it's implemented
in a secure manner. 

-- Ken

========================================================================
Kenneth Simpson                          Well Connected Computing, Inc.
Email: ken () wellconnected com             1001 Bridgeway
URL:   http://wellconnected.com/         Suite 630
Voice: +1.415.332.5018                   Sausalito, CA 94965
FAX:   +1.415.331.1668                   USA, Earth
========================================================================
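The two points in the message above, a "simple-minded" signature scheme for critical binaries that is only useful if the baseline itself cannot be altered, and the trick of hiding a sniffer in a dot-named directory under a noisy spool area that the integrity checker skips, are shown together in the added example below. It is illustration code written for this archive page, not Ken's script and not Tripwire or AIDE. Everything in it is constructed: the temporary tree standing in for /bin and /var/spool/lp, the fake "binaries", the HMAC key (in practice kept off the monitored host), and the heuristics used to flag spool-area entries.

```python
import hashlib
import hmac
import json
import os
import shutil
import stat
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(paths):
    """Map path -> [sha256, permission bits] for the monitored binaries.
    Lists (not tuples) are used so the record survives a JSON round trip unchanged."""
    return {p: [sha256_file(p), stat.S_IMODE(os.stat(p).st_mode)] for p in paths}


def sign(base, key):
    """Serialise the baseline deterministically and MAC it; the MAC is what makes
    the 'simple' scheme safe to store on the box being watched."""
    body = json.dumps(base, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(body, mac, key):
    """Refuse to use a baseline whose MAC does not check out (constant-time compare)."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("baseline tampered or wrong key")
    return json.loads(body)


def compare(old, new):
    """Report which monitored files changed, vanished, or appeared since the baseline."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "missing": sorted(p for p in old if p not in new),
        "added": sorted(p for p in new if p not in old),
    }


def suspicious_entries(root):
    """Cheap sweep of a directory the hash baseline deliberately excludes (a spool
    area). Flags directory names made only of dots/whitespace, executables, and
    setuid/setgid files; none of these belong in print-spool data."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if set(d) <= set(". \t"):
                findings.append((os.path.join(dirpath, d), "directory name is only dots/whitespace"))
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            mode = os.lstat(p).st_mode
            if stat.S_ISREG(mode) and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                findings.append((p, "executable file in spool area"))
            if mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((p, "setuid/setgid file"))
    return sorted(findings)


def build_sample():
    """Constructed throwaway tree: two fake 'critical binaries' plus a spool directory
    carrying the hiding trick from the post, a subdirectory literally named '...'."""
    root = tempfile.mkdtemp(prefix="ids-example-")
    bindir = os.path.join(root, "bin")
    spool = os.path.join(root, "var", "spool", "lp")
    hidden = os.path.join(spool, "...")
    os.makedirs(bindir)
    os.makedirs(hidden)
    for name in ("ls", "ps"):
        p = os.path.join(bindir, name)
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
        os.chmod(p, 0o755)
    with open(os.path.join(spool, "request-0001"), "wb") as f:
        f.write(b"ordinary print job\n")   # legitimate noise the checker must tolerate
    sniffer = os.path.join(hidden, "sn")
    with open(sniffer, "wb") as f:
        f.write(b"\x7fELF fake sniffer\n")  # constructed stand-in for the planted binary
    os.chmod(sniffer, 0o755)
    return root


def demo():
    """Run the whole flow: sign a baseline, trojan one binary, detect it, reject a
    modified baseline, and sweep the spool area for the hidden directory."""
    root = build_sample()
    key = b"hypothetical-key-kept-off-the-monitored-host"
    binaries = [os.path.join(root, "bin", n) for n in ("ls", "ps")]
    body, mac = sign(baseline(binaries), key)
    with open(binaries[1], "wb") as f:           # attacker replaces ps with a trojan
        f.write(b"#!/bin/sh\nexec /bin/true\n")
    result = compare(verify(body, mac, key), baseline(binaries))
    try:
        verify(body + b" ", mac, key)             # any edit to the stored baseline
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    findings = suspicious_entries(os.path.join(root, "var", "spool", "lp"))
    shutil.rmtree(root)
    return result, tampered_rejected, findings


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The MAC is the part that turns "any simple-minded scheme" into one "implemented in a secure manner": without it, an intruder who replaces /bin/ps simply re-runs the hasher and overwrites the baseline. The spool sweep does not hash anything, so it stays quiet on the churn of real print jobs while still catching a directory named "..." and an executable that has no business there.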
