Full Disclosure mailing list archives

Re: Rootkit


From: Danny Pansters <danny () ricin com>
Date: Sat, 27 Sep 2003 01:41:44 +0200

On Saturday 27 September 2003 00:26, David Hane wrote:
> I already run my own database of MD5 checksums on all system files.
> That's how I know what files were affected. What I would like is
> maybe a listing of the files installed and what directories they went
> into for the various rootkits.

Guess it's too late, but try something like integrit next time. Still,
timestamps should help.

> Obviously the names of the files that were installed are meaningless.
> So all I would have to work with would maybe be file sizes,
> signature text in the files (as you mentioned), and the directories
> into which they were installed. Unless someone can suggest something
> else. Like maybe an MD5 database of known "hacked" programs.

Timestamp. You must be able to get the time at which things occurred. If
it might have been messed with, look at inode numbers as well.

An MD5 database of "hacked" programs would be like a hash db on existing
insect species where about one quarter of them are known and mutations
abound.

> Actually that's not a bad idea, in theory. How feasible would a
> searchable database of the most common hacked files be? For instance,
> if a hacked version of ps is routinely installed by several rootkits,
> could we then search that database and compare the MD5 signatures to
> list other files routinely used in conjunction with that app? I know
> it would be far from accurate, but could it be useful?

Bad idea. Exploits will easily vary. It's like anti virus databases, 
always too late anyway. Worry about what's on your plate now first. 

I also think that if you think you have "various rootkits" you should 
backup everything (the evidence) and reinstall the whole lot. Then look 
at the evidence. Compare it against older backups. Something will pop 
up.

Also strings and hexdump are helpful.


HTH, just IMHO

Dan
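The approach Dan is pointing at (a hash baseline, plus timestamps and inode numbers as a cross-check) can be written down in a few dozen lines. The following is an added example, not code from the thread, integrit, or any rootkit; it assumes a POSIX filesystem, uses SHA-256 instead of the MD5 the thread discusses, and the file contents, the directory layout and the "attacker" steps in demo() are all constructed for the demonstration. The point it shows beyond the hash comparison: mtime can be reset with touch/utime after a binary is swapped, but ctime cannot, and a replaced file normally gets a new inode number, so either of those moving while the recorded mtime stays put is a lead even when an attacker has been careful.

```python
import hashlib
import os
import stat
import tempfile
import time


def snapshot(root):
    """Record a content hash and inode metadata for every regular file under root.

    SHA-256 is used here instead of the thread's MD5 only because that is what a
    baseline would use today; the inode number and the *_ns timestamps are what
    let compare() see things the hash alone cannot.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            baseline[os.path.relpath(path, root)] = {
                "sha256": h.hexdigest(),
                "size": st.st_size,
                "inode": st.st_ino,
                "mtime_ns": st.st_mtime_ns,
                "ctime_ns": st.st_ctime_ns,
            }
    return baseline


def compare(baseline, current):
    """Return {relpath: reason} for every file that differs from the baseline."""
    findings = {}
    for rel, b in baseline.items():
        c = current.get(rel)
        if c is None:
            findings[rel] = "missing"
            continue
        reasons = []
        if c["sha256"] != b["sha256"]:
            reasons.append("content changed")
        if c["inode"] != b["inode"]:
            reasons.append("inode changed (file was replaced, not edited in place)")
        # mtime is settable with touch/utime; ctime is not, short of raw disk
        # writes or a clock change.  ctime moving while mtime stays at the
        # baseline value is the classic sign of a swap followed by a touch.
        # A plain chmod/chown also bumps ctime, so treat this as a lead.
        if c["ctime_ns"] > b["ctime_ns"] and c["mtime_ns"] <= b["mtime_ns"]:
            reasons.append("ctime advanced but mtime did not: possible timestomp")
        if reasons:
            findings[rel] = "; ".join(reasons)
    for rel in current:
        if rel not in baseline:
            findings[rel] = "new file"
    return findings


def demo():
    """Constructed scenario: baseline a fake bin/, then swap ps for a trojan
    and put the old mtime back the way a rootkit installer would."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        ps = os.path.join(root, "bin", "ps")
        with open(ps, "wb") as fh:
            fh.write(b"original ps binary (constructed stand-in)\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"original ls binary (constructed stand-in)\n")
        baseline = snapshot(root)

        time.sleep(1.1)  # make sure ctime moves even on 1-second filesystems

        # "Attacker": write the trojan beside the original, rename it over the
        # original (new inode), then copy the old timestamp back onto it.
        trojan = ps + ".tmp"
        with open(trojan, "wb") as fh:
            fh.write(b"trojaned ps (constructed stand-in)\n")
        os.replace(trojan, ps)
        old_mtime = baseline["bin/ps"]["mtime_ns"]
        os.utime(ps, ns=(old_mtime, old_mtime))
        # ... and drop a hidden file somewhere the baseline never saw.
        os.makedirs(os.path.join(root, "lib"))
        with open(os.path.join(root, "lib", ".x"), "wb") as fh:
            fh.write(b"rootkit config (constructed stand-in)\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for rel, reason in sorted(demo().items()):
        print(f"{rel}: {reason}")
```

Two caveats a practitioner would add. The walk trusts readdir() and stat(); a kernel-level rootkit can lie to both, so the comparison is only meaningful when run from a known-good boot medium against the mounted disk, which is also the only state in which the baseline file itself can be trusted. And the baseline must be stored off the box (or signed), otherwise the same installer that swapped ps can regenerate it.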

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html