[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <37de4bc0705211745i1813ea81l24c6c47f655948be@mail.gmail.com>
Date: Tue, 22 May 2007 10:45:37 +1000
From: "gary sweet" <gary.sweet.11@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Linux big bang theory....
Hey Quendo,
Can you whip out your copy of sed/awk unleashed and write me up
something that automatically stabs my fucken eyes out every time you
post?
Serious I've written better code just from wiping up spilt seed off my
keyboard that time I left notepad open while watching tranny pron.
Thanks,
Gaz
On 5/22/07, J. Oquendo <sil@...iltrated.net> wrote:
> Vincent Archer wrote:
> > On Sun, 2007-05-13 at 23:07 -0700, Andrew Farmer wrote:
> >
> >> This script really doesn't prove anything, though. All it shows is
> >> that a compromised machine can be difficult to impossible to clean
> >> properly - which has been known for a *long* time. Ken Thompson
> >> discussed a much cleverer one in "Trusting Trust". It's also worth
> >> noting that this is in no way specific to UNIX systems. It's simply
> >> an unalterable fact that, once an attacker has had full access to the
> >> machine, it's possible for them to make changes which will allow them
> >> reentry at a later date.
> >>
> >
> > I don't have (and I doubt anybody around here can) the proof to make
> > this a theorem, but it is a good postulate:
> >
> > - It is impossible to prove the integrity of a computing system from
> > within the same system.
> >
> > In olden days, this created the fundamental rules for systems like
> > Tripwire: place the signatures on non-alterable storage, run tripwire in
> > single user mode (ahh, the naive assumption that single user mode would
> > be safe enough).
> >
> > Today, the preferred method of checking the integrity of a system
> > involves virtualisation of said system, and verification from the
> > hosting component of the hosted one. Or the hammer approach of erasing
> > the state of the system after use, and rolling it back to a "proven"
> > safe and stable one.
> >
> >
> I've added a function to hide the script from showing up on Samhain
> awk -vfilename=$filename '{print "perl -pi -e
> '\''s/'$filename'/samhain/g'\''"}' /var/log/samhain_log|sh
>
> What is does when run now is look for the instance of its name (the
> backdoor's name) and rename it to Samhain. So if the file created
> is called foo.h and Samhain logs it, it will go and rename foo.h
> in the logs to Samhain. Tripwire is no difference unless both logs
> are kept offline. On a side note, I started tinkering with a triple
> threat mechanism of checksums: (SHA1 + MD5 + RIPE160)
>
> http://www.infiltrated.net/scripts/saki.html
>
> Just don't know if I want to devote time to doing a full blown
> program. It works as is, but does nothing more than checksum
> whatever is in my current path of which later I can do a diff
> etc.
>
> --
> ====================================================
> J. Oquendo
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
> echo infiltrated.net|sed 's/^/sil@/g'
>
> "Wise men talk because they have something to say;
> fools, because they have to say something." -- Plato
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists