[vox-tech] possible rooted system / checking md5sum on debian
Rick Moen
vox-tech@lists.lugod.org
Sun, 6 Oct 2002 14:29:11 -0700
Quoting Ken Bloom (kabloom@ucdavis.edu):
> What I got out of this document applies especially when a package mirror
> has been rooted. If the person who rooted chose to put trojaned binaries
> in the mirror itself (for unsuspecting debian users to download) then
> the only real way to ensure that your system is still safe is not to
> `apt-get dist-upgrade` from that mirror.
Mirrors divide into official mirrors and unofficial mirrors. Official
mirrors (listed as such at http:/www.debian.org/ ) in theory benefit
from greater scrutiny, including ensuring that the nightly rsync
mirroring script really does run. _If_ it does run, then any trojaned
packages inserted by the intruder gets auto-deleted within that 24-hour
span.
A compromise of ftp-master.debian.org would be more serious, affecting
all downstream mirrors.
> Now supposing you already did do an apt-get dist-upgrade that may get
> you in trouble. Here's how to check whether you're OK. Recall the
> packages that were updated in your last few dist-upgrades. (For me this
> included coreutils, shellutils, textutils, and fileutils last night,
> which seem like particularly important packages on a system.) Remember
> that debian only upgrades packages if the ones on the mirror have a
> higher version number. So run dpkg -l on any packages you're suspicious
> about.
Imagine Mr. Evil Intruder and have compromised the Debian package mirror
you use. Among the packages I trojan and replace in the mirror
collection is an EvilCo variant version of dpkg.
Now, what tool were you saying you were going to use to check? Oops.
It's not an easy problem. Not on any other Linux distribution, either.
--
Cheers, "Open your present...."
Rick Moen "No, you open your present...."
rick@linuxmafia.com Kaczinski Christmas.
-- Unabomber Haiku Contest, CyberLaw mailing list