[NCLUG] how was I hacked?

Kevin Fenzi kevin at scrye.com
Sun Jun 1 15:57:58 MDT 2003



>>>>> "jbass" == jbass  <jbass at dmsd.com> writes:

jbass> Two notes on recent script kiddies technology. First, two of
jbass> the last three hacked machines I picked apart had the root kit
jbass> net installed via RPM as an update, so an RPM -Va scan didn't
jbass> trigger. Second, some are also deleting rpm in their cleanup as
jbass> well, which might be the only visible sign of being rooted.

Yeah, security is a moving target. Once the good guys find something
that works, the bad guys come up with a countermeasure. 

It used to be that the rootkits never messed with the rpm database,
but it's becoming more common now, I suspect because people started
depending on 'rpm -Va' to tell them what was tampered with. 

jbass> I would like a tar file of the tool kit files and kernel
jbass> modules attacked in this round .... moving the sniffer and back
jbass> door into kernel modules (guess on my part) is certainly the
jbass> next round in root kits as they can leave the filesystem clean
jbass> for tripwire with only the running kernel memory compromised.

This I have already seen. ;( 

The rootkit module loads, and then you can't trust your kernel at
all. :( ps doesn't show the intruder's processes because it doesn't
even see that data from the kernel, etc... 

This is a good reason to take the compromised drive off the machine
and boot it on a known good install to inspect it. 

Of course for most people it's usually just easier to re-install it
than examine close up what the attacker did. 

kevin
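A defender-side cross-check for the kernel-module case Kevin describes, added here as an example and not code from the thread: it compares the PIDs the kernel still acknowledges through kill(pid, 0) against the PIDs that /proc lists (the same view ps reads). It assumes Linux; a rootkit that also hooks the kill path evades it, which is exactly why pulling the drive and inspecting it from a known-good boot remains the reliable answer.

```python
import os


def find_hidden_pids(listed_pids, pid_exists, max_pid):
    """Return PIDs the kernel admits exist (pid_exists) but that are
    missing from the listed view. Pure function so it can be tested
    with constructed inputs."""
    listed = set(listed_pids)
    return sorted(pid for pid in range(1, max_pid + 1)
                  if pid not in listed and pid_exists(pid))


def pid_exists_by_signal(pid):
    """Probe with kill(pid, 0): ESRCH means no such process, EPERM
    means it exists but belongs to another user."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def listed_in_proc():
    # What ps sees: the numeric directory entries under /proc.
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def read_pid_max():
    with open("/proc/sys/kernel/pid_max") as f:
        return int(f.read())


def live_scan():
    """Scan the running system; re-check /proc for each candidate so a
    process that started mid-scan is not reported as hidden."""
    candidates = find_hidden_pids(listed_in_proc(), pid_exists_by_signal,
                                  read_pid_max())
    return [pid for pid in candidates
            if not os.path.isdir(f"/proc/{pid}") and pid_exists_by_signal(pid)]


if __name__ == "__main__":
    hidden = live_scan()
    print("PIDs alive but absent from /proc:", hidden or "none found")
```

Run it as root so EPERM does not mask probes; any PID it reports is a reason to take the box offline and inspect the disk elsewhere rather than keep trusting the running kernel.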



More information about the NCLUG mailing list