[NCLUG] how was I hacked?

jbass at dmsd.com jbass at dmsd.com
Sun Jun 1 21:37:48 MDT 2003


Michael Milligan <milli at acmeps.com> writes:
> Even in this case, tripwire still would have been effective since the ps 
> command (and others) had been modified.  It was actually a rather sloppy 
> rooting job IMHO.  ;-)  LKM attacks, like you said, can be done without 
> touching any sensitive areas of the file system.  Unfortunately, a 
> reboot will kill it too, at least, I can't think of a way for the kit to 
> become active upon reboot without having compromised something on the 
> file system.

Only to the extent that the root kit needs to use user processes to do its
dirty work. In short, with a hook in the networking stack at run time, or
any other frequently executed kernel thread, a well debugged root kit can
easily do what it pleases, including closing the hole to other hackers till
the next reboot.

As for needing to reactivate on reboot, knowing the IP subnet of the LKM-hacked
machine is enough for most cases, to simply poll and reinfect after the reboot,
even if assigned a different DHCP lease.

With all the other scanning traffic on static IPs who would know the difference,
especially for a "well connected" hacker, who might be able to coordinate dozens,
hundreds, or thousands of machines to poll the lost child at 30 second boundaries.

> This experience prompted me to keep a fresh, bootable Debian 
> install/rescue CD handy just in case something like this ever hits me 
> (fingers crossed).  All the forensic sites will tell you to have a "jump 
> disk" available to boot from so you can examine the system and/or take a 
> snapshot for use in court when you sue the pants off some hacker...

Which is why a pure LKM attack is certainly attractive.

John
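The tripwire-style check Michael refers to, as an added example that is not part of the thread and not Tripwire's own code: it takes a baseline of hashes and metadata for every regular file under a root, stores it off the monitored disk, and reports content, metadata, added and removed files on a later run. The file names and contents in demo() are constructed stand-ins, and the "rootkit" step only swaps bytes in a temp directory.

```python
"""Tripwire-style file integrity baseline and check (added example)."""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of the file contents, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, dict]:
    """Record hash, size, mode, owner and mtime of every regular file under root.
    Paths are stored relative to root so a baseline taken with the suspect disk
    mounted under a rescue CD (e.g. /mnt) compares against one taken at /."""
    baseline: Dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are out of scope here
            baseline[os.path.relpath(full, root)] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": st.st_mode,
                "uid": st.st_uid,
                "gid": st.st_gid,
                "mtime": int(st.st_mtime),
            }
    return baseline


def save_baseline(baseline: Dict[str, dict], path: str) -> None:
    """Write the baseline as JSON; keep this copy off the monitored disk."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, dict]:
    with open(path) as f:
        return json.load(f)


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, List[str]]:
    """Classify differences. Content is judged by hash only: size and mtime
    are easy for an attacker to preserve (same-length patch, touch -r)."""
    report: Dict[str, List[str]] = {"modified": [], "metadata": [], "added": [], "removed": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
        elif new["sha256"] != old["sha256"]:
            report["modified"].append(rel)
        elif any(new[k] != old[k] for k in ("mode", "uid", "gid")):
            report["metadata"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    for lst in report.values():
        lst.sort()
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in temp dirs: a fake bin/ with ps and ls; then a
    'rootkit' swaps ps for a same-size replacement and restores its mtime,
    sets ls setuid, and drops a hidden file. Nothing here is real malware."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as vault:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        ps, ls = os.path.join(bindir, "ps"), os.path.join(bindir, "ls")
        with open(ps, "wb") as f:
            f.write(b"ps v1 (constructed stand-in for a binary)")
        with open(ls, "wb") as f:
            f.write(b"ls v1 (constructed stand-in for a binary)")
        os.chmod(ls, 0o755)
        baseline_path = os.path.join(vault, "baseline.json")  # stored off the monitored tree
        save_baseline(build_baseline(root), baseline_path)

        # Tampering: same-length content swap with mtime put back, setuid added, file dropped.
        before = os.stat(ps)
        with open(ps, "wb") as f:
            f.write(b"ps v2 (constructed stand-in for a binary)")
        os.utime(ps, (before.st_atime, before.st_mtime))  # ls -l now shows nothing unusual
        os.chmod(ls, 0o4755)
        with open(os.path.join(bindir, ".hidden"), "wb") as f:
            f.write(b"dropped payload (constructed)")

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

On a real machine this is only trustworthy when run the way the thread describes: boot the clean rescue CD, mount the suspect root read-only, run build_baseline against the mount point and compare with a baseline kept elsewhere, since a kernel that has been hooked can return whatever it likes to a hashing tool running under it. It also only covers the sloppy case Michael describes (a modified ps on disk); a root kit that lives purely in the running kernel leaves nothing here to find, which is the point John is making about why the pure LKM approach is attractive.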