From: Jason Andresen <jandrese@mitre.org>
Organization: The MITRE Corporation
Date: Mon, 23 Jul 2001 10:01:40 -0400
To: Mike Hoskins
Cc: Tom, "Chad R. Larson", admin@kremilek.gyrec.cz, freebsd-stable@freebsd.org
Subject: Re: probably remote exploit
Message-ID: <3B5C2E44.2B7D7DF8@mitre.org>

Mike Hoskins wrote:
>
> On Fri, 20 Jul 2001, Tom wrote:
>
> > But if a backdoor is installed, you can't trust cvsup, or make either.
> > Any binary could have been tampered with. For instance, I would make a
> > backdoor make that would detect that an installworld is underway, and
> > always make sure that a backdoored copy of "login" and another copy of
> > "make".
>
> What? Everyone can't just do a quick check against the saved tripwire
> checksums on CD-R? ;) Seriously. While checksumming an entire system can
> be impractical, keeping checksums for a barebones set of administrative
> tools can be a lifesaver.

You need to boot off of the CDROM first, otherwise you might have an evil
kernel module loaded that can send bogus data to your checksummer when it
reads from the disk. It's not quite as easy as just mounting the CD and
running the checksums.

-- 
Jason Andresen  jandrese@mitre.org
Network and Distributed Systems Engineer
Office: 703-883-7755
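The procedure discussed in this thread, recording checksums for a small set of administrative tools and later comparing the installed copies against them, as an added example that is not part of the original mail. It is a minimal POSIX shell sketch, not tripwire and not anything from the FreeBSD project; it assumes GNU coreutils `sha256sum` is available (on FreeBSD, `sha256 -q` produces the same digest), that the baseline file is stored on read-only media, and that it is run after booting from trusted media so the kernel and the checksum tool themselves can be trusted. The file names and contents in the demo are constructed.

```shell
#!/bin/sh
# Added example: baseline and verify checksums of a few administrative tools.
# Assumption: sha256sum from GNU coreutils (FreeBSD users: sha256 -q "$1").
# Assumption: run from a trusted boot, with the baseline kept on read-only media,
# so neither the kernel nor the checksum tool can lie about what is on disk.

# hash_file PATH : print the SHA-256 digest of PATH
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# build_baseline BASELINE FILE... : write one "digest path" line per file
build_baseline() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$out"
    done
}

# verify_baseline BASELINE : report files that are missing or whose digest
# differs from the recorded one; the return value is the number of problems
# (0 means every listed file matched). Our own "digest path" format lets
# read -r put the rest of the line, spaces included, into "path".
verify_baseline() {
    bad=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
        elif [ "$(hash_file "$path")" != "$expected" ]; then
            echo "MODIFIED $path"
            bad=$((bad + 1))
        fi
    done < "$1"
    return $bad
}

# demo : constructed files standing in for a clean install, then a tampered copy
demo() {
    tmp=$(mktemp -d)
    printf 'clean login binary\n' > "$tmp/login"
    printf 'clean make binary\n'  > "$tmp/make"
    build_baseline "$tmp/baseline.txt" "$tmp/login" "$tmp/make"
    echo "first check (clean):"
    verify_baseline "$tmp/baseline.txt" && echo "  all files match"
    printf 'backdoored login binary\n' > "$tmp/login"
    echo "second check (after tampering):"
    verify_baseline "$tmp/baseline.txt" || echo "  $? file(s) failed"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run `sh baseline.sh demo` to see a clean pass followed by a `MODIFIED` report. In real use, `build_baseline` is run once on a known-good system with the output burned to CD-R, and `verify_baseline` is run against the suspect disk mounted read-only under a trusted boot, which is the point Jason makes above: the comparison is only as trustworthy as the kernel and tools doing the reading.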