19.9 Altered Monitoring Programs

Any talented cracker will alter your ps, ls, who, and other trusted programs that you would use, so that these programs do not show his intrusions. This is not unusual at all. It is suggested that you keep copies of these basic programs buried in an obscure directory to be used in this event. This is discussed in "Advanced Preparation" on page 547.
It is possible that a cracker could have altered sum or md5sum, so you cannot even be sure that your backup copy of ls really is untouched. It is theoretically possible for mount and the kernel to be altered so that even if you mount a read-only floppy with trusted tools, you might not be able to trust them. Using any existing programs on a system where root may have been compromised should be limited to trying to detect what cracker tools might be running at that moment. The only reason to do even this is that copies of the running executables might not exist on disk. See "Regaining Control of Your System" on page 671 for details on this.
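As an added example (not from the book), a small Python check in the spirit of this section: it records SHA-256 digests of trusted binaries as a baseline and later verifies them, and it cross-checks a ps listing against the PID entries found in /proc to spot processes that a trojaned ps hides. The file paths and the ps output below are constructed sample data; as the text warns, run such a check from a trusted interpreter on read-only media, because hashlib on a compromised host can itself be subverted.

```python
import hashlib
import os
import re
import tempfile

def sha256_file(path):
    """Hash a file in chunks; run from a trusted copy of python, not the host's."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record known-good digests; keep the result off-host or on read-only media."""
    return {p: sha256_file(p) for p in paths}

def verify_baseline(baseline):
    """Return {path: 'modified' | 'missing'} for every binary that no longer matches."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif sha256_file(path) != expected:
            findings[path] = "modified"
    return findings

def hidden_pids(ps_lines, proc_pids):
    """PIDs present in /proc but absent from a `ps -e` listing: a sign of a trojaned ps."""
    seen = set()
    for line in ps_lines:
        m = re.match(r"\s*(\d+)\s", line)   # header line has no leading PID, so it is skipped
        if m:
            seen.add(int(m.group(1)))
    return sorted(set(proc_pids) - seen)

def demo():
    """Constructed sample: two fake 'binaries', one of which is then altered."""
    d = tempfile.mkdtemp()
    ls_path, ps_path = os.path.join(d, "ls"), os.path.join(d, "ps")
    for p in (ls_path, ps_path):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho original\n")
    baseline = build_baseline([ls_path, ps_path])
    with open(ps_path, "ab") as f:          # simulate a tampered ps
        f.write(b"# trojan\n")
    findings = verify_baseline(baseline)
    # constructed ps listing that omits PID 4242, which /proc still shows
    ps_out = ["  PID TTY TIME CMD", "    1 ? 00:00:01 init", "  200 ? 00:00:00 sshd"]
    hidden = hidden_pids(ps_out, [1, 200, 4242])
    return findings, hidden, ps_path
```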