lammer wrote: |
but what if they patched /bin/ls and it checks if getuid() == 0 and sets 4755 on /tmp/.xxxx?? Huh, it means that you don't know which file on the system was patched, and there is no way to check it! |
Abybaby24 wrote: |
This is an amazing post.
Thanks bro. I rate this post as one of the best in SFDC. Good luck, Abybaby. |
ShaolinTiger wrote: |
8. Create your own, unique hidden directory and 'cp' files to it that are essential to system maintenance like 'ls', 'netstat', 'route', 'ifconfig', 'ps', etc. (Should you be cracked again, God forbid, as long as you don't have a compromised kernel this will allow you to use these copies to "see" what a cracker may have done.)
8a. (Suggested by Andreas Braeutigam <abrae-at-freenet.de> 02-26-02) I'd rather store those copies on a separate system or a non-writeable medium. [like a CD-R, floppy diskette with write protect on, etc.] |
ShaolinTiger wrote: |
8d. (Suggested by Bill Staehle <withheld on req.> 01-01-2002)
[It] would be better if the program files you put into that hidden directory are statically compiled, and not using the possibly corrupted dynamic libraries. It also assumes that the kernel doesn't get messed with. _At this time_ these concerns are not big, but why not stay ahead? |
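The following is an added example, not code from this thread or from the checklist ShaolinTiger is quoting. It turns points 8 and 8a into something concrete: hash the essential binaries into a baseline that you then keep on a separate system or read-only medium, and later compare the live files against that baseline, plus a search for the kind of setuid drop file lammer describes (a 4755 file hidden in a directory like /tmp). The binary names are the ones listed in point 8; the fake bin directory built by demo() is constructed test data. It needs sha256sum (GNU coreutils) and find.

```shell
#!/bin/sh
# Added example (not from the thread). Baseline/verify the essential binaries
# named in point 8 and look for setuid files the way point 8/8a and lammer's
# /tmp/.xxxx scenario suggest. Requires sha256sum and find.

# The tools point 8 calls essential; assumed list for this example.
CRITICAL_BINS="ls netstat route ifconfig ps"

# make_baseline <bindir> <baseline_file>
# Records "sha256  path" for each critical binary present in <bindir>.
# Copy the resulting file to a separate host or a write-protected medium.
make_baseline() {
    bindir=$1
    out=$2
    : > "$out"
    for b in $CRITICAL_BINS; do
        if [ -f "$bindir/$b" ]; then
            sha256sum "$bindir/$b" >> "$out"
        fi
    done
}

# verify_baseline <baseline_file>
# Returns 0 if every recorded file still hashes the same, non-zero otherwise.
verify_baseline() {
    sha256sum --check --quiet "$1" 2>/dev/null
}

# changed_files <baseline_file>
# Prints only the paths whose hash no longer matches or that are missing;
# this is the answer to "which file on the system was patched?".
changed_files() {
    sha256sum --check "$1" 2>/dev/null | grep -v ': OK$' | cut -d: -f1
}

# find_setuid <dir>
# Lists regular files under <dir> with the setuid bit set (mode 4xxx),
# staying on one filesystem. A 4755 /tmp/.xxxx would show up here.
find_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Constructed demonstration: fake bin directory, baseline, then "patch" ls
# and drop a hidden setuid file, then report both.
demo() {
    work=$(mktemp -d)
    mkdir "$work/bin"
    for b in $CRITICAL_BINS; do
        printf 'original %s\n' "$b" > "$work/bin/$b"
    done
    make_baseline "$work/bin" "$work/baseline.sha256"
    printf 'trojan\n' > "$work/bin/ls"        # simulated patched ls
    printf '\n' > "$work/bin/.xxxx"
    chmod 4755 "$work/bin/.xxxx"              # simulated setuid drop
    echo "changed since baseline:"
    changed_files "$work/baseline.sha256"
    echo "setuid files:"
    find_setuid "$work/bin"
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh check.sh demo` to see the constructed case. On a real box, run `make_baseline /bin baseline.sha256` from a known-clean state and move the baseline off the machine, then run `changed_files` and `find_setuid /tmp` from a trusted shell; as point 8d notes, the sha256sum and find you run should themselves be static copies from your trusted set, since a trojaned libc or kernel can lie to any check that goes through them.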
Quote: |
backup your data and restore from backup |