From owner-freebsd-security Tue May 29 16:56: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.arch.bellsouth.net (ns1.arch.bellsouth.net [205.152.173.2]) by hub.freebsd.org (Postfix) with ESMTP id D36C237B422 for ; Tue, 29 May 2001 16:56:02 -0700 (PDT) (envelope-from ck@ns1.arch.bellsouth.net)
Received: (from ck@localhost) by ns1.arch.bellsouth.net (goaway/goaway) id f4TNtPk18792; Tue, 29 May 2001 19:55:25 -0400 (EDT)
Date: Tue, 29 May 2001 19:55:25 -0400
From: Christian Kuhtz
To: Bigby Findrake
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: freebsd rootkit
Message-ID: <20010529195525.D24763@ns1.arch.bellsouth.net>
References: <20010529134040.R98104-100000@awww.jeah.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i
In-Reply-To: ; from Bigby Findrake on Tue, May 29, 2001 at 03:34:29PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tue, May 29, 2001 at 03:34:29PM -0700, Bigby Findrake wrote:
> On Tue, 29 May 2001, Chris Byrnes wrote:
>
> > That's not a wise request on a list like this. Backup, format and
> > reinstall.
>
> Why not? Surely you're not suggesting that a rootkit is a bad thing, or
> that no one here would help him find one - wouldn't that be rather silly
> of us?

What would be silly is for one of us to say "here's a rootkit" and then for
him to go thinking that if he cleans those files up, or only those are
affected, he's safe.

Fact is, rootkits come in many flavors. To think that they're all the same,
or to deduct from one specific rootkit anything which in turn is deemed to be
definitively applicable to every other rootkit, is a very naive and dangerous
proposition.

The best way to clean the mess up is to analyze the situation and take the
safe route (which may include removing the network connection etc.; and there
are some rootkits which go into self-destruct mode when you do so). If you
think for one second that you've been compromised, IMHO, it's best to err on
the side of safety...

My point is that the fundamental approach is not only wrong, but dangerous
for other reasons than simply 'distribution of rootkits'. There are probably
other points to be made here, but these are the ones that come to mind first
and kill the whole idea as far as I'm concerned.

> If we knew where one was, wouldn't it make the most sense to make
> sure that anyone could get their hands on it?

As I stated to you in private email, a rootkit is typically used as a fairly
seriously offensive weapon in information warfare. Because we have a few
maniacs in our society doesn't mean we arm everybody with automagic rifles,
mortars and the like.

But, that's beside the point when you consider the flawed fundamentals of the
original poster's approach. Instead, it would've been more helpful if he had
inquired as to what rootkits typically do and what sort of things to look
for. In fact, if you can't figure out on your own if you have a rootkit, what
in the world makes you think you can figure out exhaustively what it does
when someone hands it to you??

> Isn't that (among other
> ways) how open software advances?

Give me a break. ;) This has *NOTHING* to do with open software. Rootkits are
not limited to open software and there's absolutely no definitive link
between them. Because they happen to occur in the same place on occasion
doesn't mean they're related.

> I can't count the number of times I've
> seen security people make the argument that everyone should own lockpicks.

Well, and there's probably at least as many people arguing the opposite.

PS: I'm not defending either side in this thread, just adding my own $.03.

Cheers,

--
Christian Kuhtz -wk, -hm
Sr. Architect, Engineering & Architecture, BellSouth.net, Atlanta, GA, U.S.
"I speak for myself only."

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
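The message above says the useful question is what rootkits typically do and what to look for, and that a suspected compromise calls for the safe route. As an added example (editor's code, not from Christian Kuhtz, the thread, or the FreeBSD project), the POSIX shell script below shows the first check a practitioner reaches for: a manifest of the system binaries (path, permissions, size, SHA-256) taken while the tree is still trusted, compared later against the live tree so that trojaned, planted and deleted files stand out. The `demo` function builds a constructed toy tree under a temporary directory, swaps `ps` for a same-size fake, plants a hidden file and deletes `ifconfig`; those file names, the `sha256_of` helper and the `rk.XXXXXX` temp names are this example's own assumptions. The caveat the author's "err on the side of safety" implies: run the check booted from trusted media with the baseline stored off the box, because a kernel-level rootkit on the compromised host can lie to find(1) and sha256(1), and a clean result says nothing about kernel modules or config files that never went into the manifest.

```shell
#!/bin/sh
# Added example (editor's code, not from the original post or FreeBSD):
# snapshot a trusted tree of system binaries, then compare the live tree
# against that snapshot to spot the trojaned, planted and deleted files a
# userland rootkit leaves behind.  Run the check from trusted media and keep
# the baseline off the box; a kernel rootkit can lie to find(1) and sha256(1).

sha256_of() {
    # Portable SHA-256: sha256(1) on FreeBSD, sha256sum(1) on Linux, shasum elsewhere.
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_manifest ROOT OUTFILE
# One tab-separated line per regular file under ROOT: path, perms, size, sha256.
# Perms are recorded too: a rootkit that only flips a setuid bit changes nothing else.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\t%s\t%s\n' "$f" \
            "$(ls -ld -- "$f" | cut -d' ' -f1)" \
            "$(wc -c < "$f" | tr -d ' ')" \
            "$(sha256_of "$f")"
    done ) > "$2"
}

# check_manifest ROOT BASELINE
# Prints MODIFIED/ADDED/MISSING lines; returns 0 only if nothing differs.
check_manifest() {
    cur=$(mktemp "${TMPDIR:-/tmp}/rk.XXXXXX") || return 2
    make_manifest "$1" "$cur"
    findings=$(awk -F '\t' '
        FILENAME == ARGV[1] { base[$1] = $0; next }
                            { cur[$1]  = $0 }
        END {
            for (f in base) {
                if (!(f in cur))            printf "MISSING %s\n", f
                else if (cur[f] != base[f]) printf "MODIFIED %s\n", f
            }
            for (f in cur) if (!(f in base)) printf "ADDED %s\n", f
        }' "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# demo: constructed toy tree standing in for /bin and /sbin (not real binaries).
demo() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/rk.XXXXXX") || return 2
    tree=$work/root
    mkdir -p "$tree/bin" "$tree/sbin"
    printf 'echo real ls\n'       > "$tree/bin/ls"
    printf 'echo real ps\n'       > "$tree/bin/ps"
    printf 'echo real ifconfig\n' > "$tree/sbin/ifconfig"
    chmod 755 "$tree/bin/ls" "$tree/bin/ps" "$tree/sbin/ifconfig"
    make_manifest "$tree" "$work/baseline.tsv"     # taken while the tree is trusted

    # What a classic rootkit does next: swap ps for one that hides a process
    # (same size and perms, so ls -l looks unchanged), plant a hidden helper,
    # and remove a tool it does not want the admin to have.
    printf 'echo fake ps\n' > "$tree/bin/ps"
    printf 'sniffer\n'      > "$tree/sbin/.sniff"
    rm -f "$tree/sbin/ifconfig"

    check_manifest "$tree" "$work/baseline.tsv"
    rc=$?
    rm -rf "$work"
    return $rc
}

# `sh rootkit_check.sh demo` runs the demonstration; exit status 1 means findings.
[ "${1-}" = "demo" ] && demo
```

On a real FreeBSD box the same job is done natively by mtree(8), which is what the script stands in for: `mtree -c -K sha256digest -p /bin > bin.spec` records the baseline and `mtree -p /bin < bin.spec` reports deviations. Whatever tool produces it, the baseline has to come from a known-good install and live somewhere the attacker cannot reach, or the comparison proves nothing.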