Full Disclosure mailing list archives
Re: Rootkit
From: Danny Pansters <danny () ricin com>
Date: Sat, 27 Sep 2003 01:41:44 +0200
On Saturday 27 September 2003 00:26, David Hane wrote:
> I already run my own database of MD5 checksums on all system files. That's how I know what files were affected. What I would like is maybe a listing of the files installed and what directories they went into for the various rootkits.

Guess it's too late, but try something like integrit next time. Still, timestamps should help.

> Obviously the names of the files that were installed are meaningless. So all I would have to work with would maybe be file sizes, signature text in the files (as you mentioned), and the directories into which they were installed. Unless someone can suggest something else. Like maybe an MD5 database of known "hacked" programs.

Timestamp. You must be able to get the time at which things occurred. If it might have been messed with, look at inode numbers as well. An MD5 database of "hacked" programs would be like a hash db on existing insect species where about one quarter of them are known and mutations abound.

> Actually that's not a bad idea, in theory. How feasible would a searchable database of the most common hacked files be? For instance if a hacked version of ps is routinely installed by several rootkits could we then search that database and compare the MD5 signatures to list other files routinely used in conjunction with that app? I know it would be far from accurate but could it be useful?

Bad idea. Exploits will easily vary. It's like antivirus databases, always too late anyway. Worry about what's on your plate now first. I also think that if you think you have "various rootkits" you should back up everything (the evidence) and reinstall the whole lot. Then look at the evidence. Compare it against older backups. Something will pop up. Also strings and hexdump are helpful.

HTH, just IMHO

Dan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
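The checks Dan lists (a checksum baseline, then timestamps and inode numbers, then strings on whatever looks wrong) as one script. This is an added example, not code from the thread or from integrit; it uses SHA-256 instead of MD5, stores the baseline as a plain dict (JSON on disk), and goes one step past the post by classifying a changed file as "replaced" when its inode number changed and as "backdated" when its content changed but its mtime still matches the baseline. All paths and file contents are constructed for illustration.

```python
import hashlib
import os
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Hash plus the metadata an intruder would also have to forge."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "ctime_ns": st.st_ctime_ns,  # cannot be set with utime/touch -r
        "inode": st.st_ino,
    }


def build_baseline(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by relative path."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def compare(root: Path, baseline: dict) -> dict:
    """Diff the live tree against a stored baseline.

    modified  : content hash differs
    replaced  : modified AND the inode number changed, i.e. the file was
                dropped in with cp/mv/rename rather than edited in place
    backdated : content changed but mtime equals the baseline value, so
                the timestamp was reset to hide the change (ctime will
                still have moved, which is why it is recorded above)
    added     : files not in the baseline (sniffers, hidden directories)
    removed   : baseline files that are gone
    """
    current = build_baseline(root)
    keys = ("modified", "replaced", "backdated", "added", "removed")
    findings = {k: [] for k in keys}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings["removed"].append(rel)
            continue
        if new["sha256"] != old["sha256"]:
            findings["modified"].append(rel)
            if new["inode"] != old["inode"]:
                findings["replaced"].append(rel)
            if new["mtime_ns"] == old["mtime_ns"]:
                findings["backdated"].append(rel)
    findings["added"] = sorted(rel for rel in current if rel not in baseline)
    return findings


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """strings(1) equivalent: runs of printable ASCII at least min_len long."""
    found, run = [], bytearray()
    for byte in data:
        if 32 <= byte < 127:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


if __name__ == "__main__":
    import json
    import sys
    # usage: python fim.py baseline ROOT > baseline.json
    #        python fim.py check ROOT baseline.json
    mode, root = sys.argv[1], Path(sys.argv[2])
    if mode == "baseline":
        print(json.dumps(build_baseline(root), indent=1))
    else:
        with open(sys.argv[3]) as fh:
            print(json.dumps(compare(root, json.load(fh)), indent=1))
```

Keep the baseline file off the monitored host (or at least off a writable filesystem on it), since a baseline the intruder can rewrite proves nothing; and run `printable_strings` on the "replaced" and "backdated" entries first, since those are the ones most likely to be trojaned binaries rather than legitimate updates.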