Posted on September 20, 2010, 3:23 pm
I am safe now (installed patched kernel) but one thing I still
wonder. I also installed TripWire during my first install (a couple of
months ago). Now, doesn't TripWire protect me from people getting root
I am quite a noob when it comes to security, and I only have my home
aptosid-box to protect, so that isn't really critical :-)
Just wanted to know.
Thanks (for not flaming) in advance!
Re: noob question about the CVE-2010-3081 exploit
On Mon, 20 Sep 2010 20:19:33 +0000, firstname.lastname@example.org wrote:
As you stated the question, yes. TripWire can tell you when any file/directory
it has been told to monitor changes.
In the context of this discussion, there are two types of rootkits.
One is where the rootkit runs only in memory. Tripwire will not see it
because it is not found on the disk. You reboot the system and the
rootkit disappears. The other type would be on the disk and could only
hide from tripwire if tripwire does not scan the directory where it resides.
A poor analogy follows. I think you are viewing tripwire as a burglar
alarm when in reality it is a smoke detector.
If it smells smoke, it goes off. No smoke, no alarm. Was/is there a fire?
Could be. :(
You have to understand how tripwire works. It builds a database of
file names based on where you told it to scan/watch. If files are
added/deleted/changed then tripwire reports it.
Where would the cracker put malware? Anywhere you told tripwire not to
What a real rootkit does becomes the real question. If the
person/malware gets into your system, the possibility exists that it
might make enough changes to sneak by you. Example: take a snapshot of
logs, insert rootkit, install backdoor(s), tell tripwire to rebuild the
database to pick up added/changed files, restore the snapshot of logs to
hide malware activity, and hope any tripwire complaint about a
log file goes unnoticed by you.
Expand your mind, read the 4th paragraph at
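The baseline-and-compare idea described in the reply, as an added Python example (not from the thread and not Tripwire's own code): it hashes every file under a watched tree, reports what was added, deleted or changed since the baseline, and the constructed scenario shows that a file dropped into the directory the policy excludes never shows up in the report, which is exactly the blind spot the reply warns about.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(root, exclude=()):
    """Record a SHA-256 digest for every regular file under `root`.

    `exclude` lists directories (relative to root) that are not scanned,
    mirroring a policy that leaves a directory unmonitored.
    """
    root = Path(root)
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        # Prune excluded directories so nothing under them is recorded.
        dirnames[:] = [d for d in dirnames if str(rel_dir / d) not in exclude]
        for name in filenames:
            p = Path(dirpath) / name
            db[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return db

def compare(baseline, current):
    """Report paths that were added, deleted or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario in a temp dir: one file changed inside the watched
    tree, one added inside it, and one added in the directory the policy skips."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "tmp").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls")
        (root / "etc_passwd").write_bytes(b"root:x:0:0")
        exclude = ("tmp",)  # the directory the admin told the checker not to scan
        baseline = snapshot(root, exclude)
        (root / "bin" / "ls").write_bytes(b"replaced ls")       # changed, in scope
        (root / "bin" / "backdoor").write_bytes(b"new file")    # added, in scope
        (root / "tmp" / "hidden").write_bytes(b"never seen")    # outside the policy
        return compare(baseline, snapshot(root, exclude))

if __name__ == "__main__":
    print(demo())
```

The report lists bin/ls as changed and bin/backdoor as added, but nothing under tmp/, so the policy's coverage, and who is allowed to rebuild the baseline, decides what the checker can ever tell you.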