[ale] Linux Distributions

Jason Day jasonday at worldnet.att.net
Tue May 17 23:26:08 EDT 2005


On Tue, May 17, 2005 at 08:38:23PM -0400, Jim Popovitch wrote:
>    -a remote-control non-root daemon that can't be hidden. This all
> depends as well upon who is looking for it and what host permissions
> they have (this is a non-root discussion after all)
> 
>    -"a remote-control program that is installed and runs as root as part
> of a trojan"  What are the parameters under which it is installed?  What
> if /usr/src and /boot, etc are all chattr +i or mounted ro?

Here's the point I'm trying to make.  Let's assume that you start with a
clean system, and that you are somehow tricked into executing a trojan.
These seem like reasonable assumptions.  The trojan wants to install a
rootkit and a remote-control daemon.  If you execute the trojan as root,
you're hosed.  If the trojan is written well enough, it can execute
chattr -i and mount -o remount,rw before it replaces the system files.
Game over.

If, on the other hand, you execute the trojan as an ordinary user, then
it won't be able to run chattr or mount.  It won't be able to replace
any system files.  It won't be able to install any kernel modules.  At
most, it can start the remote-control process, but it can't hide it.
Such a process can easily be detected by ps and/or netstat.

> Yes.  Are you familiar with chkrootkit, it can identify *known*
> rootkits (of course that leaves you with the unknown user-based
> malware).  Can they be cleaned sure, at least to some extent.  Is it
> worth burning the box, possibly, but not always.

Chkrootkit won't help you against a sufficiently smart rootkit, unless
you boot from a Knoppix-like CD and run it from there.

> > What if the software that you run has been replaced or disabled by
> > the rootkit?  What if netstat, ps, lsof, and other system tools have
> > been replaced?  What if a kernel module that intercepts syscalls in
> > order to hide a malicious process has been installed?
> 
> Time to re-install.  How is this different if you run as root all the
> time vs running as a user?   Rootkits can be installed without someone
> operating as "root" all the time.

Well no kidding; if you know you're infected to such a degree then of
course you know it's time to re-install.  But how do you know?  Are you
rebooting with a CD and running chkrootkit periodically?

Of course rootkits can be installed without running as root all the
time.  I never claimed otherwise.  But you are more vulnerable to
trojans if you run everything as root.

> > > > As I said before, a linux box connected to the internet with an
> > > > always-on connection like DSL or cable, is, for all intents and
> > > > purposes, a server.  
> > > 
> > > No it's not.
> > 
> > Nice argument.  Care to elaborate?
> 
> Sure.  There are a TON of linux appliances.  Linux firewalls,
> gateways, DSL routers, SetTop boxes, etc.  All on very high speed
> networks.

All of those, with the possible exception of SetTop boxes, act as a
server in some capacity.  The speed of the network has no relevance
whatsoever.

> > As far as I can tell, two people are making a claim that defies
> > common wisdom, and the rest of us are trying to refute the claim.  
> 
> Claims shmains... where's the beef?

What does that mean?  You're the one claiming that it's perfectly safe
to run as root all the time, are you not?

> I'm a troll because I make counter claims and ask for evidence?  Nice.

Of course not.  You're a troll because you make inflammatory comments
designed to evoke an emotional response from a large portion of the
audience, in the hopes of generating flamewars.  Like this, for example:
http://ike.room17.com/pipermail/ale/2004-November/015855.html

Just to set the record straight, I don't consider any of your posts in
this little conversation we're having as trolling.  However, the fact
that you would post a message to a LUG mailing list claiming that
running everything as root is perfectly safe is a little suspicious.
And the fact that you're continuing to argue with me over this after you
agreed with Jerald earlier would seem to indicate that you're just being
argumentative.
-- 
Jason Day                                       jasonday at
http://jasonday.home.att.net                    worldnet dot att dot net
 
"Of course I'm paranoid, everyone is trying to kill me."
    -- Weyoun-6, Star Trek: Deep Space 9
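Added here as an illustration of the two hardening measures the thread argues over (chattr +i and read-only mounts on /usr/src and /boot) and of the detection step the message names (a remote-control daemon started by an ordinary user cannot hide from ps/netstat). This is not code from the thread or from any of its participants. It assumes the standard /proc/mounts and lsattr output formats, and a netstat-like listener table whose column order is stated in a comment; all three inputs are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether /boot and /usr/src are
# protected by an ro mount or the immutable flag, then list LISTEN sockets that
# are not owned by root. Every input below is a CONSTRUCTED sample so the
# script runs offline; on a live system you would feed it `cat /proc/mounts`,
# `lsattr -d /boot /usr/src` and a netstat/ss listener table with the column
# order assumed in the comment.

# Constructed /proc/mounts excerpt: /boot mounted read-only, /usr/src read-write.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /boot ext4 ro,relatime 0 0
/dev/sda3 /usr/src ext4 rw,relatime 0 0'

# Constructed `lsattr -d` output: /boot carries the immutable flag (i), /usr/src does not.
SAMPLE_LSATTR='----i---------e------- /boot
--------------e------- /usr/src'

# Constructed listener table. Assumed column order (not taken from the thread):
#   Proto Recv-Q Send-Q Local-Address Foreign-Address State User PID/Program
SAMPLE_LISTENERS='Proto Recv-Q Send-Q Local Address Foreign Address State User PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 812/sshd
tcp 0 0 0.0.0.0:31337 0.0.0.0:* LISTEN 1000 9876/rcdaemon'

# mount_is_ro MOUNTS_TEXT MOUNTPOINT: succeeds if the mount options include "ro".
mount_is_ro() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp { n = split($4, opt, ","); for (i = 1; i <= n; i++) if (opt[i] == "ro") found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# dir_is_immutable LSATTR_TEXT PATH: succeeds if the attribute string contains "i".
dir_is_immutable() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $2 == p && index($1, "i") > 0 { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# nonroot_listeners LISTENERS_TEXT: prints "uid pid/program local-address" for each
# LISTEN socket not owned by uid 0. A trojan run as an ordinary user cannot hide
# its daemon from this view, which is the point the message makes about ps/netstat.
nonroot_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && $6 == "LISTEN" && $7 != "0" { print $7, $8, $4 }'
}

# audit_host MOUNTS_TEXT LSATTR_TEXT LISTENERS_TEXT: one OK/WARN line per finding.
audit_host() {
    for d in /boot /usr/src; do
        if mount_is_ro "$1" "$d" || dir_is_immutable "$2" "$d"; then
            echo "OK:   $d is mounted ro or chattr +i"
        else
            echo "WARN: $d is neither mounted ro nor chattr +i"
        fi
    done
    nonroot_listeners "$3" | while read -r uid prog addr; do
        echo "WARN: listener $addr is owned by uid $uid ($prog), not root; review it"
    done
}

audit_host "$SAMPLE_MOUNTS" "$SAMPLE_LSATTR" "$SAMPLE_LISTENERS"
```

Two caveats when running this for real: the immutable flag on a directory only protects the directory's own entries, so files under /boot or /usr/src need their own +i to be covered; and, as the message points out, a trojan running as root can simply undo both measures and replace the tools that produce these listings, so the audit is only trustworthy when its inputs come from a boot off trusted media.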