[lug] R00tKIT!! Raah!

rm at fabula.de rm at fabula.de
Thu Jun 16 09:12:09 MDT 2005

On Thu, Jun 16, 2005 at 09:00:51AM -0600, Bear Giles wrote:
> Nate Duehr wrote:
> >Grabbing a statically-linked shell like sash for this type of event 
> >after booting from something like a live-CD to keep from using ANYTHING 
> >on the compromised system, and not running anything until all it's 
> >dependencies are met with known NEW libraries, etc... is usually a good 
> >step.
> I've pre-recompiled the core tools to use static libraries.  You 
> don't need many packages for good coverage - under the old debian 
> stable I had
>   bash
>   binutils
>   chkrootkit
>   fileutils
>   gawk
>   grep
>   net-tools
>   procps
>   sed
>   shellutils
>   tar
>   tcsh
>   textutils
> and you're right it's a good idea to add dpkg and apt, especially 
> since the former is where md5sum hides.  'lsof' is another good 
> package to put on this list.

You'll get a lot of these by just compiling BusyBox static. I'll routinely put a
statically linked BusyBox in my initrds -just in case. The whole thing is so
small that it fits nicely on a small (bussiness card) CD. 

 Cheers Ralf Mattes
> Bear
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug

More information about the LUG mailing list