Full Disclosure mailing list archives

RE: Rootkit


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Fri, 26 Sep 2003 17:44:50 -0500

-----Original Message-----
From: David Hane [mailto:dlhane () sbcglobal net] 
Sent: Friday, September 26, 2003 3:57 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Rootkit


Hi all,

I recently had a machine get hacked before I could finish installing all the damn remote-root exploit patches that have been released in the last week. I've done the forensics and I know how they got in and what they did but I would like to know what rootkit they used.

Can anyone recommend a good scanner or info site where I can compare some of the binaries I saved (the machine has been wiped)?

This is a great tool for many things, not just forensics.  Everyone who
has to do investigations or restorations should have a current copy.
http://fire.dmzs.com/

You might also want to get chkrootkit.
http://www.chkrootkit.org/ (This sometimes doesn't respond.)
http://www.pangeia.com.br/download.htm (You can also get it here.)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
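One concrete way to "compare some of the binaries I saved", as an added example that is not part of this thread nor code from FIRE or chkrootkit: hash the saved binaries and check them against a trusted manifest taken from clean media or a known-good host. The sha256sum-style manifest format and the sample files are constructed for the demo.

```python
"""Compare binaries saved from a compromised host against a trusted SHA-256
manifest (e.g. made from clean install media). Added example, not code from
the thread or from FIRE/chkrootkit; manifest format and files are constructed."""
import hashlib
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def parse_manifest(text):
    """Parse 'digest  path' lines (sha256sum output) into {path: digest}."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, _, name = line.partition("  ")
            manifest[name.strip()] = digest.lower()
    return manifest

def compare_saved_binaries(saved_dir, manifest):
    """Manifest entries become 'ok'/'modified'/'missing'; extras 'unknown'."""
    report = {}
    for name, expected in manifest.items():
        path = os.path.join(saved_dir, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        else:
            report[name] = "ok" if sha256_file(path) == expected else "modified"
    for entry in os.listdir(saved_dir):
        if entry not in manifest and os.path.isfile(os.path.join(saved_dir, entry)):
            report[entry] = "unknown"
    return report

def demo():
    """Constructed sample: clean ls, tampered ps, missing netstat, extra login."""
    clean = {"ls": b"#!/bin/sh\necho ls\n", "ps": b"#!/bin/sh\necho ps\n",
             "netstat": b"#!/bin/sh\necho netstat\n"}
    manifest = parse_manifest("".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}\n" for name, data in clean.items()))
    with tempfile.TemporaryDirectory() as d:
        saved = {"ls": clean["ls"], "ps": clean["ps"] + b"# tampered\n",
                 "login": b"not in manifest"}
        for name, data in saved.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return compare_saved_binaries(d, manifest)

if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9s} {name}")
```

A "modified" result only tells you the binary differs from the trusted copy; identifying which rootkit replaced it still needs a signature-based tool such as chkrootkit run against the same files.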

