Brent,
I asked one of my colleagues who works in security and got the following
answer:
------------------------------------------------------------------------
It is useless to analyze the system using its own tools.
First he should analyze the system over the network to find any
additional “evil” services that would empower the hacker to connect to
the machine. This would still not find most modern root kits since they
connect from inside to some evil servers awaiting new commands. So he
should monitor the network connections the machine has to the outer
world, but again not on the machine itself but rather on the perimeter
firewalls of the network.
Second he can analyze the system by booting it from a CD with some
forensic tools on it. This way he can ensure that he isn’t using a
compromised kernel or other compromised programs for his analysis.
A good set of tools for internal and external analyses can be found on
the BOSS CD from the German BSI.
Unfortunately the page is only in German.
------------------------------------------------------------------------
He also added that it is not normal to have different binary signatures
for the same software/hardware combinations. So, you probably have
something funky going on in the system.
Regards
Mike
Brent Frère wrote:
I have two servers based on the very same hardware.
They both run the very same distro (RH4), the very same kernel (uname
-r), and have the very same list of installed packages (rpm -qa)
However, numerous binaries, including /bin/ps, /bin/bash, /bin/ls, and
libraries do not match. They have
* the very same length
* the very same date
but they have different hashes, because they have different contents
(cmp fails)
The differences are inside, not at the end.
We searched for a rootkit, but didn't find any. The two different ps
commands, copied from one to the other, show the same result.
I tried rpm --verify. No problem. However, when replacing one binary by
the one coming from the other host, rpm --verify complains...
Is it normal to have differences in binaries on the same hardware, same
distro, same kernel and same packages??? Is there a "signature" added
in some binaries? Might the order of the installation cause such an effect?
The problem is that I have, at the same customer site, two other servers
that are exactly in the same situation, but running CentOS, and I have
the same strange behaviour...
Does anybody have any suggestions or ideas about this strange story?
_______________________________________________
Lilux-help mailing list
Lilux-help(a)lilux.lu
http://lilux.lu/mailman/listinfo/lilux-help
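Added example (not part of the thread above, and not a tool from the BOSS CD or any distribution): a small offline comparison script for the situation Brent describes, two copies of the same binary with equal length and date but different content. Following the colleague's advice, it is meant to run on copies of the files taken off the hosts, or on a mounted image, never with the suspect system's own tools. It hashes both copies and reports the exact byte ranges that differ, so you can see whether the changes are a few internal spots (which is what "the differences are inside, not at the end" suggests) or spread through the file. The two byte strings are constructed stand-ins for real binaries, and `compare_files`, `compare_blobs` and the report keys are this example's own names.

```python
"""Offline comparison of two same-length binaries that hash differently."""
import hashlib
import os
from typing import Dict, List, Tuple


def differing_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return the half-open [start, end) byte ranges where a and b differ.

    Both inputs must have the same length, which matches the case in the
    thread (same size, same date, different contents).
    """
    if len(a) != len(b):
        raise ValueError("inputs must have equal length; use a real diff otherwise")
    ranges: List[Tuple[int, int]] = []
    start = None
    for offset, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if start is None:
                start = offset
        elif start is not None:
            ranges.append((start, offset))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def compare_blobs(a: bytes, b: bytes) -> Dict[str, object]:
    """Summarise how two equal-length byte strings differ."""
    ranges = differing_ranges(a, b)
    digest_a = hashlib.sha256(a).digest()
    digest_b = hashlib.sha256(b).digest()
    return {
        "length": len(a),
        "sha256_a": digest_a.hex(),
        "sha256_b": digest_b.hex(),
        "sha256_equal": digest_a == digest_b,
        # Both copies should still carry the ELF magic if only internal
        # bytes were rewritten.
        "both_elf": a[:4] == b"\x7fELF" and b[:4] == b"\x7fELF",
        "ranges": ranges,
        "differing_bytes": sum(end - start for start, end in ranges),
        # True when the first and last bytes are identical, i.e. the changes
        # sit inside the file rather than being appended at the end.
        "differences_internal": bool(ranges) and ranges[0][0] > 0 and ranges[-1][1] < len(a),
    }


def compare_files(path_a: str, path_b: str) -> Dict[str, object]:
    """Compare two files copied off the hosts (or read from a mounted image).

    Hypothetical helper for this example: it reads whole files into memory,
    which is fine for /bin/ps-sized binaries, and also records whether the
    modification times match, as they did in the thread.
    """
    st_a, st_b = os.stat(path_a), os.stat(path_b)
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        report = compare_blobs(fa.read(), fb.read())
    report["mtime_equal"] = int(st_a.st_mtime) == int(st_b.st_mtime)
    return report


# Constructed sample data: two 44-byte stand-ins for a binary that share the
# ELF magic and the same length, and differ only in two internal spots.
SAMPLE_A = b"\x7fELF" + b"\x00" * 12 + b"AAAAAAAA" + b"\x00" * 8 + b"BBBB" + b"\x00" * 8
SAMPLE_B = b"\x7fELF" + b"\x00" * 12 + b"AAAACCAA" + b"\x00" * 8 + b"DDDB" + b"\x00" * 8


if __name__ == "__main__":
    result = compare_blobs(SAMPLE_A, SAMPLE_B)
    print("length      :", result["length"])
    print("sha256 equal:", result["sha256_equal"])
    print("differ bytes:", result["differing_bytes"], "in ranges", result["ranges"])
    print("internal    :", result["differences_internal"])
    for start, end in result["ranges"]:
        print(f"  0x{start:06x}-0x{end:06x}: "
              f"{SAMPLE_A[start:end].hex()} -> {SAMPLE_B[start:end].hex()}")
```

Run it against real copies with `compare_files("/mnt/hostA/bin/ps", "/mnt/hostB/bin/ps")` and look at where the ranges land. One benign cause worth ruling out on RHEL and CentOS of that era is prelink, which rewrites ELF binaries in place with host-specific relocation data and is undone by `rpm -V` before it checksums a file; running `prelink --undo` on offline copies of both files and diffing again shows whether that explains the differences. If the ranges survive that, or the ELF magic or file tail has changed, treat the host as suspect and follow the colleague's advice to analyse it from a clean boot medium and to watch its outbound connections at the perimeter.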