l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2002 Oct 06 18:11

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] possible rooted system / checking md5sum on debian
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] possible rooted system / checking md5sum on debian

Quoting Ken Bloom (kabloom@ucdavis.edu):

> What I got out of this document applies especially when a package mirror
> has been rooted. If the person who rooted chose to put trojaned binaries
> in the mirror itself (for unsuspecting debian users to download) then
> the only real way to ensure that your system is still safe is not to
> `apt-get dist-upgrade` from that mirror. 

Mirrors divide into official mirrors and unofficial mirrors.  Official
mirrors (listed as such at http:/www.debian.org/ ) in theory benefit
from greater scrutiny, including ensuring that the nightly rsync
mirroring script really does run.  _If_ it does run, then any trojaned
packages inserted by the intruder gets auto-deleted within that 24-hour

A compromise of ftp-master.debian.org would be more serious, affecting
all downstream mirrors. 

> Now supposing you already did do an apt-get dist-upgrade that may get
> you in trouble. Here's how to check whether you're OK. Recall the
> packages that were updated in your last few dist-upgrades. (For me this
> included coreutils, shellutils, textutils, and fileutils last night,
> which seem like particularly important packages on a system.) Remember
> that debian only upgrades packages if the ones on the mirror have a
> higher version number. So run dpkg -l on any packages you're suspicious
> about.

Imagine Mr. Evil Intruder and have compromised the Debian package mirror
you use.  Among the packages I trojan and replace in the mirror
collection is an EvilCo variant version of dpkg.

Now, what tool were you saying you were going to use to check?  Oops.

It's not an easy problem.  Not on any other Linux distribution, either.

Cheers,                              "Open your present...."
Rick Moen                            "No, you open your present...."
rick@linuxmafia.com                  Kaczinski Christmas.
               --  Unabomber Haiku Contest, CyberLaw mailing list
vox-tech mailing list

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Appahost Applications
For a significant contribution towards our projector, and a generous donation to allow us to continue meeting at the Davis Library.