Re: Checking for rootkits

[Matt Zimmerman <mdz () csh rit edu>]

On Fri, Feb 22, 2002 at 05:55:24PM -0500, Jason Dixon wrote:

> md5sum chkrootkit >> /etc/chkrootkit.md5
> [run the same command for each binary;  command is 'md5' in *BSD]
>
> chattr +i /etc/chkrootkit.md5   [Linux]
> chflags schg /etc/chkrootkit.md5   [*BSD]
>
> To automate these utilities, I've setup a cron job to execute a perl script 
> I've created which first authenticates our stored md5 digests against the 
> current md5 values.

There is little point in going to so much trouble to protect
/etc/chkrootkit.md5 when an attacker could simply subvert your cron job, the
script, the MD5 module, perl, the shell, or even the kernel.  You must not
use components from an untrusted system in order to perform validation of
the system.

One way to perform a trusted validation would be to boot the system from
read-only, known good media, and check the system against a database.  Both
the database and the tools used to verify it must also reside on read-only,
known good media.  This kind of procedure is also best performed while the
system is disconnected from the network.

-- 
 - mdz

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com