Section 19.9 Altered Monitoring Programs
Any talented cracker will alter your ps, ls, who, and other trusted programs that you would use, so that these programs do not show his intrusions. This is not unusual at all. It is suggested that you keep copies of these basic programs buried in an obscure directory to be used in this event. This is discussed in "Advanced Preparation" on page 547.

Understand you could be in "the house of mirrors," not knowing which programs, files, or even kernel system calls are real and which have been altered by the cracker.


It is possible that a cracker could have altered sum or md5sum, so you cannot even be sure that your backup copy of ls really is untouched. It is theoretically possible for mount and the kernel to be altered so that even if you mount a Read/Only floppy with trusted tools, you might not be able to trust them. On a system where root may have been compromised, the use of any existing programs should be limited to trying to detect what cracker tools might be running at that moment. The only reason to do even that much is that the running executables might no longer exist as copies on disk. See "Regaining Control of Your System" on page 671 for details on this.
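The practical counterpart to the advice above is a hash manifest of the basic tools, built while the system is still trusted and stored with the spare copies on read-only media, which you later check using a hashing program from that same media rather than the one on the suspect system. The script below is an added example (not from the book): `make_manifest` records a hash line per file and `verify_manifest` reports each file as OK, CHANGED or MISSING and returns non-zero if anything differs. The `TRUSTED_SHA256SUM` variable is an assumption standing in for your own copy of the hashing tool; the fallback to whatever `sha256sum` is on `$PATH` exists only so the example runs as-is, and would defeat the purpose on a compromised host.

```shell
#!/bin/sh
# Added example: integrity manifest for trusted copies of ps, ls, who, etc.
# TRUSTED_SHA256SUM (assumed name) should point at the hashing tool on your
# read-only media. The PATH fallback is for demonstration only: on a box where
# root may be compromised, the on-disk sha256sum is exactly what you distrust.
SHA="${TRUSTED_SHA256SUM:-$(command -v sha256sum)}"

# make_manifest MANIFEST FILE...
# Writes one "HASH  PATH" line per file, in the same format sha256sum prints.
make_manifest() {
    manifest="$1"; shift
    : > "$manifest"
    for f in "$@"; do
        "$SHA" "$f" >> "$manifest" || return 1
    done
}

# verify_manifest MANIFEST
# Recomputes every hash in the manifest. Prints OK/CHANGED/MISSING per path
# and returns 1 if any entry did not match, 0 if all matched.
verify_manifest() {
    manifest="$1"
    status=0
    while read -r expected path; do
        [ -n "$path" ] || continue          # skip blank lines
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; status=1; continue
        fi
        actual=$("$SHA" "$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "CHANGED  $path"; status=1
        fi
    done < "$manifest"
    return $status
}

# Constructed demonstration on throwaway files (run: sh this_script.sh demo).
# Real use would list /bin/ps, /bin/ls, /usr/bin/who and the trusted copies.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    printf 'pretend this is ps\n' > "$tmp/ps"
    printf 'pretend this is ls\n' > "$tmp/ls"
    make_manifest "$tmp/manifest" "$tmp/ps" "$tmp/ls"
    verify_manifest "$tmp/manifest"          # all OK
    printf 'pretend this is a trojaned ps\n' > "$tmp/ps"
    if verify_manifest "$tmp/manifest"; then
        echo "manifest verified"
    else
        echo "manifest mismatch: treat the system as compromised"
    fi
    rm -rf "$tmp"
fi
```

Because a manifest can only ever be as trustworthy as the tool that checks it, make the first entry the trusted `sha256sum` itself and compare that one hash by hand against a value written down when the media was prepared; the script cannot bootstrap that first link of trust, and a kernel-level alteration of the kind the text describes would not be caught by file hashes at all.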


From: Real World Linux Security, Prentice Hall PTR Open Source Technology Series, 2002.