Focus on Linux
Re: Write-protect sctors? Aug 29 2006 12:02AM
scott (redhowlingwolves bellsouth net) (1 replies)
Re: Write-protect sctors? Aug 29 2006 12:14AM
scott (redhowlingwolves bellsouth net) (1 replies)
Re: Write-protect sctors? Aug 30 2006 01:56PM
Andreas Ferrari (aferrari stasoft ch) (1 replies)
Hi scott

Hav you checked your disk?
You can simply do that by booting from a Knoppix CD or something similar
and the just dd the whole disk to /dev/null.
If there is a read error dd wil report it and will abort, if that
happens its better to buy a new disk.

a simple example: dd if=/dev/xdX of=/dev/null
Note: replace xdX wiht your disk


Andreas Ferrari

scott schrieb:
> scott wrote:
>> Bill Church wrote:
>>> It sounds very crazy. Did you ever actually identify if there was a
>>> rootkit installed? Did you try booting to a live CD of another
>>> distribution and investigating the disks from that live CD?
>>> Remember that partitioning does modify the existing data on the disk,
>>> just the partition table, unless you chose to do a full format that
>>> data is still there. However, the chances of it actually being able
>>> to effect anything that's not directly referencing that data by
>>> executing it seems improbable. I wouldn't think that simply copying a
>>> file over that location couldn't spawn a process, of course nothing
>>> is impossible.
>>> There is a BIOS function that is supposed to protect the boot sector,
>>> it's usually disabled by default on most systems. I imagine it would
>>> be possible for someone to modify the CMOS and protect any sectors
>>> they wish, but the attacker would undoubtedly need to have advanced
>>> knowledge of your system, BIOS, hard disk and geometry to make this
>>> attack possible. I highly doubt this is the case.
>>> It sounds like you may have a defective hard disk, I would try a disk
>>> diagnostic first, or maybe attempt to install another OS or
>>> distribution.
>>> -Bill
>>> ----- Original Message -----
>>> From: scott Sent: Mon, 8/28/2006 11:23am
>>> To: focus-linux (at) securityfocus (dot) com [email concealed]
>>> Subject: Write-protect sctors?
>>> I had a probable rootkit in ubuntu dapper that proved to be more
>>> persistent than I thought possible.I did rkhunter and showed some
>>> anomalies in /dev/...Trying to track those dir's down proved
>>> elusive,even with root enabled(in ubuntu,root is disabled by
>>> default.You can still sudo, but no su without certain switches,)the
>>> dir's effectively hid from my view.
>>> So I decided to reinstall a clean slate.This is when I encounter
>>> problems that don't make sense.
>>> As the install progresses to the partitioning of the disc,I opt for
>>> the erase whole disc option.It progresses to a certain point and then
>>> quits with an error..repeatedly.
>>> I filed a bug report with launchpad,but my question is this:Can any
>>> malware you are aware of write-protect certain segments of a
>>> HD,without BIOS support?Or is there a BIOS trojan that I'm not aware
>>> of in Linux?Is this even possible with a hardened system?
>>> Is this even possible in any system,Windows included?
>>> What I.m asking is : Can any malware write-protect sectors on a HD
>>> that survive repartioning?
>>> Sounds really crazy,huh?
>>> Thanks,Scott
>> It was a problem in ubiquity, in that it never resolved to a mount
>> point when installing.
>> But my point is that I eventually got the same install cd to actually
>> install.Now if something was trying to protect itself,only after many
>> attempted overwrites did I succeed,that would
>> seem...Almost...logical,..Maybe.!?
>> The hard drive is fine,as far functioning,anyway.
>> I also know that you have to have (presumably,)BIOS access to write-
>> protect sectors of a HD.
>> Didn't Joanna Rutkowska demonstrate a BIOS virus,or POC,at one
>> time?Not likely,or probable,that this was my problem,but could it be
>> done....theoretically?Especially in a `nix environment?
>> I think not.But I have been wrong so many times in my life,that I like
>> to think anything is possible.
>> If ya want to do it bad enough,at least.
>> Any other thoughts on this matter?
>> Regards,Scott
> Hi again.
> I also know that BIOS is ROM,not RAM.
> Therefore,it seems that I would have to do a BIOS flash for this to happen?
> Regards...again,and thanks,Scott

P: +41 61 726 80 70
F: +41 61 726 80 79

[ reply ]
Re: Write-protect sctors? Aug 30 2006 07:56PM
Walter Lamagna (wlamagna tenroses com ar)


Privacy Statement
Copyright 2010, SecurityFocus