Re: [cobalt-users] How to Nail a hidden process.
- Subject: Re: [cobalt-users] How to Nail a hidden process.
- From: "E.B. Dreger" <eddy+public+spam@xxxxxxxxxxxxxxxxx>
- Date: Sat Apr 20 11:43:01 2002
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> Date: Sat, 20 Apr 2002 09:17:45 -0700
> From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
> As Steve pointed out, if the hacker did a kernel hack, top, ps,
> etc., all become suspect. Imho, the best way to search for a
> root is to run the latest version of chkrootkit.
...and even that isn't foolproof. If kernel calls have been
intercepted, then all bets are off.
Chkrootkit is good if binaries have been trojaned. But if the
kernel has been modified, you're best booting off a known-good
drive. Then mount volumes from the suspect drive, and run
chkrootkit on that.
Hint: Let's say that I modify the kernel to act normal most of
the time, but to create any new process as root if the time is
1234Z. Binaries are normal and I have an easy backdoor. Yes,
it's beyond the abilities of the average "5|<r1pt |<1dd13", but
it is doable.
Chances are good that chkrootkit will turn up any sort of back
doors. But it's not definite. If truly worried, boot from a
known-clean volume. (Yes, it's an inconvenience that involves
downtime.)
--
Eddy
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.
These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <blacklist@xxxxxxxxx>, or you are likely to
be blocked.
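The offline check the thread recommends (boot from known-good media, mount the suspect volumes, inspect them with the trusted kernel doing the reads) can be reduced to a small integrity comparison. The following is an added example, not code from the mailing list or from chkrootkit; it assumes the suspect disk is already mounted read-only under some directory and that you have a manifest of SHA-256 hashes taken from a known-good install of the same release. The `WATCHED` list and the tampered files in `demo()` are constructed for illustration.

```python
"""Offline integrity check of a suspect filesystem mounted under a trusted boot.

Added example (not from the cobalt-users thread or chkrootkit). Assumes the
suspect disk is mounted read-only and that a known-good manifest exists.
"""
import hashlib
import tempfile
from pathlib import Path

# Binaries that user-space rootkits commonly replace (constructed list for the
# example; a real manifest would cover the whole trusted install).
WATCHED = ["bin/ps", "bin/ls", "bin/netstat"]


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, rel_paths) -> dict:
    """Record known-good hashes from a trusted install or install media."""
    return {rel: sha256_file(root / rel) for rel in rel_paths}


def verify_root(suspect_root: Path, manifest: dict) -> dict:
    """Compare every manifest entry against the tree mounted at suspect_root.

    Because the kernel we booted from clean media performs the reads, a
    modified kernel or trojaned binary on the suspect disk gets no chance
    to lie about file contents or hide directory entries.
    """
    report = {"ok": [], "modified": [], "missing": []}
    for rel, expected in sorted(manifest.items()):
        target = suspect_root / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_file(target) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: a clean tree beside a copy with two altered files."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        suspect = Path(tmp) / "suspect"   # stands in for the mounted suspect root
        for root in (clean, suspect):
            (root / "bin").mkdir(parents=True)
            for rel in WATCHED:
                (root / rel).write_bytes(b"#!/bin/sh\necho " + rel.encode() + b"\n")
        manifest = build_manifest(clean, WATCHED)
        # Simulate a replaced ps binary (constructed content, not a real rootkit).
        (suspect / "bin/ps").write_bytes(b"#!/bin/sh\necho replaced\n")
        # And a binary that was deleted outright.
        (suspect / "bin/netstat").unlink()
        return verify_root(suspect, manifest)


if __name__ == "__main__":
    print(demo())
```

Run against a real mount the same way: `verify_root(Path("/mnt/suspect"), manifest)`, with the volume mounted `ro,noexec,nodev` so nothing on it can execute during the check. The manifest must come from the trusted side (install media or a package database copied before the incident), never from the suspect disk; chkrootkit's `-r <dir>` option applies the same idea by pointing its checks at an alternative root directory instead of the running system.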