Educause Security Discussion mailing list archives
Re: Rootkit discovery tools
From: Graham Toal <gtoal () UTPA EDU>
Date: Wed, 28 Jun 2006 13:36:06 -0500
On Tue, 27 Jun 2006 09:42:14 EDT, Caroline Couture said:
> How would you do this kind of scan? Would you have the computer on the network and scan the IP with nmap, or do something else so the computer is not live on the network?

I'd configure their port 'down' at the switch end of the cable, and then unplug the cat-5 at the system end, and replace it with a crossover cable connected to a laptop that's been ifconfig'ed to appear to be on the subnet the computer was on, and then launch the nmap from the laptop.
You know, I have always wondered why the hackers weren't smart enough to put a firewall on their backdoor ports so that they could only be accessed (or detected) from specific addresses owned by the hackers (i.e. so we couldn't find them in a scan). Then I realised, for all we know, they already are :-(

However, with the degree of campus, corporate and home firewalling nowadays, it's no longer productive for backdoors to be implemented using call-in ports. That's why they all connect to IRC C&C servers and take commands on the return channel. It's also why botted systems are relatively easy to detect. Once they get wise to that and start using some popular and legitimate web site for their C&C, over SSL, I think it'll be game over for the good guys.

The balance of technology is always in favour of the bad guys, as long as we don't get draconian about privacy. And if we ever do, we've still lost, because the bad guys will be us.

G
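The detection angle Graham describes (botted hosts giving themselves away by talking IRC to outside C&C servers), as an added example that is not part of the original post. It assumes a constructed connection-log format and a hypothetical campus address space of 10.0.0.0/8; the IRC port list and command regex are the author's assumptions, and the last sample record shows the SSL case the post warns about, which this check cannot see.

```python
"""Flag internal hosts whose outbound connections look like IRC C&C check-ins.

Constructed log format (one connection per line, payload preview quoted):
  <iso-ts> <src_ip>:<sport> -> <dst_ip>:<dport> <proto> <bytes> "<first bytes>"
"""
import ipaddress
import re
from collections import defaultdict

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumed campus address space
IRC_PORTS = set(range(6660, 6670)) | {7000}      # conventional IRC listeners
# Commands a client sends at registration / channel join; a bot on a
# non-standard port still has to say these in the clear to an IRC daemon.
IRC_CMD = re.compile(r"^(NICK|USER|PASS|JOIN #|PRIVMSG #)", re.IGNORECASE)
LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) '
    r'\w+ \d+ "(?P<payload>.*)"$')

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def find_irc_c2_candidates(lines):
    """Return {internal_host: [reason, ...]} for outbound IRC-looking traffic."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # malformed record; in practice count these too
        src, dst, dport, payload = m["src"], m["dst"], int(m["dport"]), m["payload"]
        if not is_internal(src) or is_internal(dst):
            continue  # only internal -> external matters for C&C
        if dport in IRC_PORTS:
            hits[src].append(f"irc port {dport} to {dst}")
        elif IRC_CMD.match(payload):
            hits[src].append(f"irc command on port {dport} to {dst}")
    return dict(hits)

# Constructed sample: two suspicious hosts, one staff IRC user, one TLS session.
SAMPLE_LOG = [
    '2006-06-28T13:00:01 10.1.2.3:51234 -> 203.0.113.10:6667 tcp 120 "NICK bot4431"',
    '2006-06-28T13:00:02 10.1.2.3:51235 -> 203.0.113.10:6667 tcp 80 "JOIN #cmd"',
    '2006-06-28T13:00:05 10.1.2.7:51300 -> 198.51.100.5:80 tcp 95 "NICK zx-0042"',
    '2006-06-28T13:00:09 10.1.2.9:51400 -> 198.51.100.7:443 tcp 517 "<tls handshake>"',
    '2006-06-28T13:00:11 10.1.2.3:51240 -> 10.1.2.50:6667 tcp 60 "NICK staff"',
]

if __name__ == "__main__":
    for host, reasons in find_irc_c2_candidates(SAMPLE_LOG).items():
        print(host, reasons)
```

The 10.1.2.9 session to port 443 produces no hit, which is exactly the "C&C over SSL to a popular site" case where port- and payload-based spotting stops working.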