15. Statically-Linked Binaries on a CD-R
On any machine that has likely been hacked, the installed utilities such
as ls, ps, top, netstat, ifconfig,
stat, fuser, find, lsof and so on should not be
trusted: the executables, or the shared-object libraries on which they depend,
could easily have been trojanned. So statically-linked utilities from
a mounted CD-R should always be used.
In fact, if system calls are being intercepted/wrapped by an installed
rootkit, then even this paranoia is not sufficient — in this case it
is necessary to boot from clean media, but it's a good
start, especially if one is able to
fingerprint system calls or
otherwise check the kernel and rebooting your machine (server?) is not
an option for a while.
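Before burning the toolkit, it is worth confirming that each binary really is statically linked, and doing so without running ldd (which hands the file to the dynamic loader) or trusting the host's file utility. The check below is an added example, not part of the original document: it reads the ELF program headers directly and reports a binary as dynamic if it carries a PT_INTERP segment, and as static-pie if it has PT_DYNAMIC but no interpreter. The build_elf64 helper only constructs minimal test images for demonstration; the toolkit paths in audit_toolkit are placeholders assumed for the example.

```python
import struct

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3


def elf_program_headers(data):
    """Yield (p_type, p_offset, p_filesz) for each program header of an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}[ei_data]          # 1 = little-endian, 2 = big-endian
    if ei_class == 2:                        # ELF64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        fmt, idx = end + "IIQQQQQQ", (0, 2, 5)   # p_type, p_flags, p_offset, ..., p_filesz
    elif ei_class == 1:                      # ELF32: e_phoff at 0x1c, e_phentsize/e_phnum at 0x2a
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1c)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2a)
        fmt, idx = end + "IIIIIIII", (0, 1, 4)   # p_type, p_offset, ..., p_filesz
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        fields = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        yield fields[idx[0]], fields[idx[1]], fields[idx[2]]


def linkage(data):
    """Return ('static', None), ('static-pie', None) or ('dynamic', interpreter_path)."""
    interp, has_dynamic = None, False
    for p_type, p_offset, p_filesz in elf_program_headers(data):
        if p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
        elif p_type == PT_DYNAMIC:
            has_dynamic = True
    if interp is not None:
        return "dynamic", interp
    return ("static-pie" if has_dynamic else "static"), None


def audit_toolkit(paths):
    """Map each path to its linkage; anything not plain 'static' should not go on the CD-R."""
    report = {}
    for path in paths:
        with open(path, "rb") as fh:
            report[path] = linkage(fh.read())
    return report


def build_elf64(segments):
    """Construct a minimal little-endian ELF64 image (no real code) for testing.
    segments is a list of (p_type, payload_bytes)."""
    ehsize, phentsize = 64, 56
    phoff = ehsize
    payload_off = phoff + phentsize * len(segments)
    phdrs, payload = b"", b""
    for p_type, body in segments:
        off = payload_off + len(payload)
        phdrs += struct.pack("<IIQQQQQQ", p_type, 4, off, 0, 0, len(body), len(body), 1)
        payload += body
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8        # 64-bit, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, phoff, 0, 0,
                               ehsize, phentsize, len(segments), 0, 0, 0)
    return ehdr + phdrs + payload


if __name__ == "__main__":
    # Placeholder toolkit paths; substitute the binaries staged for the CD-R.
    for path, (kind, interp) in audit_toolkit(["/tmp/static-tools/ls"]).items():
        print(path, kind, interp or "")
```

Run this on the build machine before burning; a result of "dynamic" means the binary still needs the host's loader and libraries, which defeats the purpose. One caveat even for binaries that pass: a glibc program linked with -static still loads NSS modules (shared objects) at run time if it resolves user or host names, so ls -l and netstat on a compromised host should be run with options that print numeric IDs and addresses (ls -n, netstat -n) rather than names.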
To build statically-linked binaries you'll need the source:
About this document:
Produced from the SGML: /home/umits/public_html/_unix_security/_reml_grp/diagnostic_forensic_tools.reml
On: 23/10/2005 at 13:29:12
Options: reml2 -i noindex -l long -o html -p multiple