[NCLUG] openssh

John L. Bass jbass at dmsd.com
Tue Jan 15 12:26:29 MST 2002


	The really good root kits will alter /proc, but it's a nice way to verify
	what ps says if something seems amiss...

I generally "notice" the attack from the IRC traffic used to control the bots, and when
netstat doesn't show the process ... mount/ftp clean binaries

One thing that has been very annoying is the root kits that change the filesystem
permissions to prevent renaming/removal of the trojan binaries ... any clue on how to
undo that besides wiping the filesystem and restoring it?

I'm not even sure what the filesystem semantic is that they use to do it with, it's not
POSIX at all.

John


