Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Seth Arnold (sarnold_at_wirex.com)
Date: Fri Jan 17 2003 - 14:46:19 CST
On Wed, Jan 15, 2003 at 11:47:37PM +0100, Hugo van der Kooij wrote:
> > I'm trying to build a CD that has all the binaries and libraries
> > needed to run chkrootkit on it (so I can be more confident that
> This actually sound like you run dynamic libraries from the suspect
> system. Which means the CD is useless.
> ANYTHING on the CD should be able to run on it's own. So you need static
> tools for just about everything or make sure dynamic loading occurs from
> the CD only.
> I suggest you make the CD bootable and only mount partitions from a
> suspected system into this Read-Only system.
Hugo, part of the problem is that chkrootkit is designed to be run from
a compromised system and try to discover inconsistencies in the rootkits
that have been installed on said compromised system. It doesn't work
nearly so well to boot to known good media to discover this. :)
So, I had written a response very similar to yours before deciding that
in fact, making the CD bootable probably isn't what is desired out of
this tool. :)
What _is_ happening is that the loader from the 7.3 system is being used
to try to load binaries from the 8.0 system, with the resulting
incompatibilities. Providing the 8.0 loader (/lib/ld-* stuff) on the CD
will allow the native 8.0 loader to be used -- with the caveat that
executing the loader through any running shell on the system may be
using rootkitted execve() syscalls, currently-linked-in glibc (which may
be rootkitted), etc.
You're right in that making it a bootable CD is the only way to trust
its results. The downside is that the tool relies on running in an
unsafe context and hoping to catch the sleight of hand in the act,
red-handed, as it were.
: the linker can be executed directly:
$ /lib/ld-linux.so.2 /bin/echo "hello world"
-- United States of America, n: The finest plutocracy on the planet!
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj4oa5oACgkQ+9nuM9mwoJl2awCfYypcxaPcoa+QH3J3k0+2Sh7P bgoAniECGUVlz/XiBRg6CvdJMgHLLeRw =4WAn -----END PGP SIGNATURE-----