noob question about the CVE-2010-3081 exploit



Hey all!

I am safe now (installed patched kernel) but one thing I still
wonder. I also installed TripWire during my first install (a couple of
months ago). Now, doesn't TripWire protect me from people getting root
I am quite a noob when it comes to security, and I only have my home
aptosid-box to protect, so that isn't really critical :-)

Just wanted to know.

Thanks (for not flaming) in advance!


Re: noob question about the CVE-2010-3081 exploit

On Mon, 20 Sep 2010 20:19:33 +0000, wrote:


As you stated the question, yes. TripWire can tell you when any file/directory
it has been told to monitor changes.


In the context of this discussion, there are two types of rootkits.
One is where the rootkit runs only in memory. Tripwire will not see it
because it is not found on the disk. You reboot the system and the
rootkit disappears. The other type would be on the disk and could only
hide from tripwire if tripwire does not scan the directory where it resides.


A poor analogy follows. I think you are viewing tripwire as a burglar
alarm when in reality it is a smoke detector.

IF it smells smoke, it goes off. No smoke, no alarm. Was/is there a fire?
Could be. :(

You have to understand how tripwire works. It builds a database of
file names based on where you told it to scan/watch. If files are
added/deleted/changed then tripwire reports it.

Where would the cracker put malware? Anywhere you told tripwire not to

What a real rootkit does becomes the real question. If the
person/malware gets into your system, the possibility exists that it
might make enough changes to sneak by you. Example: take a snapshot of
logs, insert rootkit, install backdoor(s), tell tripwire to rebuild
database to pick up added/changed files, restore snapshot of logs to
hide malware activity, and hope any tripwire complaint about a
log file goes unnoticed by you.

Expand your mind, read 4th paragraph at
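
An added example (not Tripwire's own code and not from either poster) that replays the scenario in the reply above on a constructed directory tree: a baseline database catches the replaced binary and the dropped backdoor, a rebuilt database reports nothing, and an HMAC seal taken over the clean baseline with a key kept off the host (an assumption here) still shows that the database was replaced.

```python
import hashlib
import hmac
import os
import tempfile

def scan(root):
    """Tripwire-style database: {relative path: SHA-256} for every file under root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                db[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return db

def compare(baseline, current):
    """Report files added, removed or changed since the baseline was taken."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }

def seal(db, key):
    """HMAC over the sorted database; the key is kept off the monitored host."""
    canon = "\n".join(f"{p} {h}" for p, h in sorted(db.items())).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()

def put(root, rel, data):
    with open(os.path.join(root, rel), "wb") as f:
        f.write(data)

def demo():
    """Replay the thread's scenario on a constructed directory tree."""
    key = b"constructed-offline-key"  # assumption: stored on removable media
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        put(root, "bin/ls", b"original ls binary")
        baseline = scan(root)
        tag = seal(baseline, key)  # sealed while the system is still clean
        put(root, "bin/ls", b"trojaned ls binary")  # intruder replaces a binary
        put(root, "bin/backdoor", b"backdoor")  # ... and drops a backdoor
        honest = compare(baseline, scan(root))  # what tripwire would report
        rebuilt = scan(root)  # intruder then tells tripwire to rebuild its database
        after_rebuild = compare(rebuilt, scan(root))  # now reports nothing
        seal_ok = hmac.compare_digest(seal(rebuilt, key), tag)  # but the seal fails
    return honest, after_rebuild, seal_ok
```

The seal only helps if the key and the sealed tag live somewhere the intruder cannot reach; an integrity database that can be regenerated on the compromised host is no stronger than the host itself.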

Re: noob question about the CVE-2010-3081 exploit

On 09/20/2010 09:21 PM, Bit Twister wrote:

I read your answer and the whole article (it was quite interesting) and I
think I got it.

Thanks a lot Bit Twister!
