Rootkit

Manuel Arostegui Ramirez manuel at todo-linux.com
Sun Oct 21 07:50:34 UTC 2007


On Sunday, 21 October 2007 01:38, John Summerfield wrote:
>
> I've seen one that didn't do what the installer intended (it tried to
> email its IP address to someone, but assumed eth0 was the interface to
> the world. It was, but had a private IP address on it).
>
> It also installed binaries that caused the system to crash, and that
> alerted me (and ensured that even if the intruder found it, he'd not be
> able to use it).

Even when I run chkrootkit I don't feel safe, because if your system has been
owned, are you sure you can trust the results the anti-rootkit is reporting
to you?
From my point of view, if you got a rootkit the best thing you can do is,
firstly, figure out how you got hacked and then just re-install the system;
otherwise, the system is not going to be truly reliable anymore.

Sometimes it's also a good idea to have the "strings" command in mind when you
think you have been hacked: strings ls, strings reboot and strings on some other
important commands is usually a good start (bearing in mind that strings could
have been replaced, hence we're in the same loop again) :-)

>
> On another system, a kit penetrated a user account (the boss's wife's),
> couldn't crack the kernel, though it had tools to test known sploits,
> installed an IRC bot and proceeded to scan the Internet for vulnerable
> systems.

It reminds me of when I was working with some AIX and we got a visitor who
uploaded Linux exploits and tried to run them forever. I'd pay to see his
face saying something like... "why are these damn exploits not running on this
system, they run perfectly on my Linux box..."

All the best
Manuel.

-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
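
The strings check suggested in the message above, as an added example that is not part of the original post: a small Python extractor that does not depend on the host's own strings binary and diffs a suspect binary against a known-good copy. It assumes the script, the interpreter and the reference copy come from trusted read-only media; the byte samples and the hidden path in them are constructed.

```python
import re
import sys

MIN_LEN = 4  # same default minimum run length as strings(1)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return printable-ASCII runs (plus tab) of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def compare_binaries(suspect: bytes, reference: bytes) -> dict:
    """Diff the string sets of a suspect binary and a known-good copy."""
    s = set(extract_strings(suspect))
    r = set(extract_strings(reference))
    return {"added": sorted(s - r), "missing": sorted(r - s)}


# Constructed sample data: a fake ELF-like header with two ordinary strings,
# and a "suspect" copy carrying one extra embedded path.
REFERENCE = (
    b"\x7fELF\x02\x01\x01\x00"
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"usage: ls [OPTION]... [FILE]...\x00\x01\x02"
)
SUSPECT = REFERENCE + b"/dev/.example-hidden/filelist\x00"


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: script.py /path/to/suspect/ls /trusted/media/ls
        with open(sys.argv[1], "rb") as f_s, open(sys.argv[2], "rb") as f_r:
            result = compare_binaries(f_s.read(), f_r.read())
    else:
        result = compare_binaries(SUSPECT, REFERENCE)
    for kind in ("added", "missing"):
        for text in result[kind]:
            print(f"{kind}: {text}")
```

Differences are only a lead: the reference copy must be the same build of the same package as the suspect binary, otherwise version changes alone will produce a long diff.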
