[NCLUG] openssh
John L. Bass
jbass at dmsd.com
Tue Jan 15 12:26:29 MST 2002
The really good root kits will alter /proc, but it's a nice way to verify
what ps says if something seems amiss...
I generally "notice" the attack from the IRC traffic used to control the bots, and when
netstat doesn't show the process ... mount/ftp clean binaries
One thing that has been very annoying is the root kits that change the filesystem
permissions to prevent renaming/removal of the trojan binaries ... any clue on how to
undo that besides wiping the filesystem and restoring it?
I'm not even sure what the filesystem semantic is that they use to do it with, it's not
POSIX at all.
John
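
The /proc versus ps cross-check mentioned at the top of this message, as an added example that is not part of the original post: a shell sketch that lists PIDs present under /proc but absent from ps output, re-checking each one to drop processes that started or exited between the two snapshots. The function names and the PS_BIN variable (for pointing at a ps binary from clean media) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: compare the PIDs visible under /proc with the PIDs ps reports.
# PS_BIN is an assumption of this example: point it at a ps copied from clean media.
PS_BIN=${PS_BIN:-ps}

# Print the purely numeric directory names (PIDs) under a proc root, sorted.
proc_pids() {
    for d in "${1:-/proc}"/[0-9]*; do
        name=${d##*/}
        case $name in *[!0-9]*) continue ;; esac
        if [ -d "$d" ]; then echo "$name"; fi
    done | sort -n
}

# Print each PID in list $1 that does not appear in list $2.
pids_missing_from() {
    have=" $(echo $2) "          # flatten newlines to single spaces
    for pid in $1; do
        case $have in
            *" $pid "*) ;;
            *) echo "$pid" ;;
        esac
    done
}

# Report PIDs that exist in /proc but that ps does not list.
scan() {
    in_proc=$(proc_pids /proc)
    in_ps=$("$PS_BIN" -e -o pid= | tr -d ' ')
    for pid in $(pids_missing_from "$in_proc" "$in_ps"); do
        # Re-check: skip processes that merely started or exited between snapshots.
        if [ -d "/proc/$pid" ] && ! "$PS_BIN" -p "$pid" >/dev/null 2>&1; then
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
            echo "PID $pid: in /proc, missing from ps: ${cmd:-[no cmdline]}"
        fi
    done
}

# Run against the live system only when asked: sh check.sh --scan
if [ "${1:-}" = "--scan" ]; then scan; fi
```

An empty report only means ps and /proc agree with each other; as the message notes, a root kit that alters /proc will pass this check.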