Full Disclosure mailing list archives
Re: Removing ShKit Root Kit
From: Cael Abal <lists () onryou com>
Date: Tue, 23 Dec 2003 10:07:35 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

|>> OK, so how does the attacker get the ADS to run? If you open
|>> something.txt in notepad, it doesn't launch the ADS 'trouble.exe' as
|>> an executable file. It's ignored.
|
| The easy answer is start a command prompt and type
|
| start something.txt:trouble.exe
|
| it does not even have to be tagged .exe or .com or whatever. As an
| exercise, copy notepad.exe to calc.exe:notepad and then launch a command
| prompt and type "start calc.exe:notepad". You should be looking at
| notepad. I no longer have a handy M$ system to verify the steps on so if
| it does not work play with it for a few minutes.

Although Jason is exactly right about ADS' under NTFS as covert data
storage (in theory, even if his examples don't quite work) it's all a bit
off topic -- the server in question was a RH 8.0 box and besides, ADS' are
trivial to find if you're looking for them and aren't likely to see much
use in the wild.

All this discussion about particulars is beside the point -- the thrust of
the matter is that attacker/defender roles have been reversed, leaving the
good guy in an untenable position. Do you really think it's wise to bet
you're smarter or more resourceful than a person who has (already) rooted
the box once?

take care,

Cael
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)

iD8DBQE/6Fo3R2vQ2HfQHfsRAq87AJ93cpOZgTVTMGqFvK9uzQm+3B900wCgmQ3J
Hnjkp79WpgfQj/Y4oePcZQk=
=jrAR
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
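The exchange above turns on two points: a named NTFS stream can hold arbitrary bytes behind an innocent-looking file, and, as Cael notes, such streams are trivial to find if you look. The following PowerShell session is an added example, not code from the original post or from any list member; it creates a file with a hidden stream, shows that a plain directory listing does not reveal it, and then sweeps a directory tree for every stream other than the default `:$DATA`. It assumes PowerShell 3.0 or later on an NTFS volume; the `ads-demo` directory under `$env:TEMP`, the file name `something.txt`, the stream name `trouble.exe` and the payload text are all constructed for the demonstration.

```powershell
# Added example, not from the original post. Demonstrates an NTFS alternate
# data stream (ADS) from both sides: hide bytes in a named stream, then
# enumerate and remove it. Requires PowerShell 3.0+ and an NTFS volume.

# Constructed scratch location (hypothetical; any NTFS path will do).
$root = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null

# The visible file: its content lives in the default ":$DATA" stream.
$file = Join-Path $root 'something.txt'
Set-Content -Path $file -Value 'harmless visible text'

# Constructed payload: arbitrary bytes written to a named stream on the same
# file. The stream name is free-form; ".exe" here is only a label.
Set-Content -Path $file -Stream 'trouble.exe' -Value 'constructed payload bytes, not a real binary'

# A plain listing shows only the host file, and the reported Length is the
# size of the default stream only; the ADS is not counted.
Get-ChildItem -Path $root

# Enumerate every stream on the file. ":$DATA" is the normal content;
# anything else listed here is an alternate data stream.
Get-Item -Path $file -Stream *

# Defender sweep: walk the tree and report every file carrying a stream other
# than ":$DATA". "Zone.Identifier" is the common benign case (mark-of-the-web
# written by browsers and mail clients), so it is tagged rather than dropped.
Get-ChildItem -Path $root -Recurse -File |
    ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length,
        @{ Name = 'Note'; Expression = { if ($_.Stream -eq 'Zone.Identifier') { 'mark-of-the-web' } else { 'review' } } }

# Remove the hidden stream without touching the visible content.
Remove-Item -Path $file -Stream 'trouble.exe'

# Confirm only the default stream remains.
Get-Item -Path $file -Stream *
```

From a plain `cmd.exe` prompt the same enumeration is `dir /R` (available since Windows Vista), which appends each file's alternate streams to the listing. Copying the host file to a non-NTFS destination (FAT volume, network share without stream support, zip archive) silently drops the ADS, which is one reason this hiding spot is easy to disrupt as well as easy to find.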
Current thread:
- Re: Removing ShKit Root Kit, (continued)
- Re: Removing ShKit Root Kit Nathan Bates (Dec 23)
- Re: Removing ShKit Root Kit Larry W. Cashdollar (Dec 22)
- Re: Removing ShKit Root Kit Brian Eckman (Dec 22)
- Re: Removing ShKit Root Kit Gregory A. Gilliss (Dec 22)
- Re: Removing ShKit Root Kit Ron DuFresne (Dec 22)
- Re: Removing ShKit Root Kit Paul J. Morris (Dec 22)
- RE: Removing ShKit Root Kit Nick FitzGerald (Dec 22)
- Re: Removing ShKit Root Kit Alexander Schreiber (Dec 22)
- Re: Removing ShKit Root Kit Jason (Dec 22)
- Re: Removing ShKit Root Kit Cael Abal (Dec 23)
- Re: Removing ShKit Root Kit Brian Eckman (Dec 23)
- Re: Removing ShKit Root Kit Gregory A. Gilliss (Dec 23)
- Re: Removing ShKit Root Kit Jason (Dec 23)