Date: Tue, 9 Dec 2003 11:32:01 -0800 (PST)
From: Dorin H
To: Garrett Wollman
cc: freebsd-security@freebsd.org
Subject: Re: possible compromise or just misreading logs
Message-ID: <20031209193201.1585.qmail@web12605.mail.yahoo.com>
In-Reply-To: <200312081646.hB8GkQIX035167@khavrinen.lcs.mit.edu>

--- Garrett Wollman wrote:
> < Marquis said:
>
> > Wouldn't affect tripwire. In addition to MD5 you'd need to spoof
> > snefru, crc32, crc16, md4, md2, sha, and haval, and you'd have to
> > spoof them for, at a minimum, the tripwire binary and its database
> > file(s).
>
> Trivial -- all you have to do is keep backup copies of all the files
> replaced, and have the kernel redirect tripwire's access to the
> originals.
>
> -GAWollman
>

Of course, once somebody modifies your kernel, you don't own the
machine anymore. Boot a safe kernel :)

/Dorin.