15. Statically-Linked Binaries on a CD-R

On any machine that may have been compromised, the installed utilities (ls, ps, top, netstat, ifconfig, stat, fuser, find, lsof, ...) should not be trusted: the executables themselves, or the shared-object libraries on which they depend, could easily have been trojanned. Statically-linked copies of these utilities, run from a mounted CD-R, should be used instead.

In fact, if system calls are being intercepted or wrapped by an installed rootkit, then even this paranoia is not sufficient; in that case it is necessary to boot from clean media. It is still a good start, especially if one is able to fingerprint system calls or otherwise check the kernel, and rebooting the machine (a server?) is not an option for a while.

To build statically-linked binaries you'll need the source:


Source                             Usual location   Utilities
ftp.gnu.org/pub/gnu/bash           /bin             bash
ftp.gnu.org/pub/gnu/coreutils      /bin             cat, dd, df, echo, ls, pwd
                                   /usr/bin         du, stat, users, who
ftp.gnu.org/pub/gnu/procps         /bin             kill, ps
                                   /usr/bin         free, pgrep, pkill, top, vmstat
freshmeat.net/projects/net-tools   /bin             hostname, netstat
                                   /sbin            ifconfig, route
                                   /usr/sbin        arp, rarp
ftp.gnu.org/pub/gnu/findutils      /usr/bin         find, locate, xargs
ftp.gnu.org/pub/gnu/acct           /usr/bin         last
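Once the utilities are built, it is worth confirming that each one really is statically linked before the disc is burned, without relying on the possibly-trojanned ldd or file of the suspect host. The following Python script is an added example, not part of these course notes: it reads the ELF program headers directly, reports any binary that still has a PT_INTERP (run-time loader) or PT_DYNAMIC entry, and records a SHA-256 for each file so the disc can be re-verified later. The toolkit directory and the constructed test images are assumptions.

```python
# Added example: audit a rescue-toolkit directory for non-static ELF binaries
# and fingerprint each file, using only the ELF headers (no ldd/file needed).
import hashlib
import struct
from pathlib import Path

PT_DYNAMIC = 2   # program header pointing at the dynamic-linking tables
PT_INTERP = 3    # program header naming the run-time loader (ld.so)

def elf_is_static(data: bytes) -> bool:
    """True if the ELF image has neither a PT_INTERP nor a PT_DYNAMIC program header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"          # 1 = little-endian, 2 = big-endian
    if ei_class == 2:                              # ELF64 header field offsets
        phoff = struct.unpack_from(endian + "Q", data, 0x20)[0]
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 0x36)
    elif ei_class == 1:                            # ELF32 header field offsets
        phoff = struct.unpack_from(endian + "I", data, 0x1C)[0]
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 0x2A)
    else:
        raise ValueError("unknown ELF class")
    for i in range(phnum):                         # p_type is the first 4 bytes of each Phdr
        p_type = struct.unpack_from(endian + "I", data, phoff + i * phentsize)[0]
        if p_type in (PT_INTERP, PT_DYNAMIC):
            return False
    return True

def audit_toolkit(root: Path) -> list:
    """Return (relative path, is_static, sha256) for every ELF file under root."""
    rows = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        if data[:4] == b"\x7fELF":
            rows.append((str(path.relative_to(root)), elf_is_static(data),
                         hashlib.sha256(data).hexdigest()))
    return rows

def make_test_elf(phdr_types: list) -> bytes:
    """Constructed minimal ELF64 image (header + program headers only); test data, not runnable."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, little-endian, v1
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                                 64, 56, len(phdr_types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in phdr_types)
    return header + phdrs

if __name__ == "__main__":
    for name, static, digest in audit_toolkit(Path("/mnt/toolkit")):  # assumed mount point
        print(f"{'static ' if static else 'DYNAMIC'}  {digest}  {name}")
```

Any file reported as DYNAMIC should be rebuilt (for example with LDFLAGS=-static) before the image is burned, and the printed digests kept off the suspect host for later comparison.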




About this document:

Produced from the SGML: /home/umits/public_html/_unix_security/_reml_grp/diagnostic_forensic_tools.reml
On: 23/10/2005 at 13:29:12
Options: reml2 -i noindex -l long -o html -p multiple