Security Incidents mailing list archives
Re: fun with posiden rootkit
From: Dave Dittrich <dittrich () cac washington edu>
Date: Mon, 25 Mar 2002 23:36:33 -0800 (PST)
On Mon, 25 Mar 2002, Skip Carter wrote:
- sometimes checking failed script-kiddies can be entertaining if time permits to look around for any funny stuffI had one incident that I investigated for a client recently. It was the usual: gain entry, install rootkit, install password scanner, etc. Except he did it in the wrong order, so that his password scanner caught his own connection back to his rootkit archive; so when I started my investigation I was able to log in to his archive and pick up his entire stash of tools.
I can't tell you how many times I've seen that over the years, e.g.: http://staff.washington.edu/dittrich/talks/security/case1/hacksniff.txt This kind of thing is, according to an Assistant US Attorney, "a slam dunk" violation of the Wiretap statute. With a little correlation of events via timestamps on files and other logins in the sniffer file, you can show a direct link between an intruder, the sniffer, and the "fruits of crime" (the sniffed passwords). If you can get the owner of the site to save a copy for law enforcement (rather than popping in yourself and copying files), there is corroborating evidence from an independant source. Then again, I've also seen the following: /* * dontsniff2.c by XXXXXXXX (today: 13 Nov 1998) * Regards to both XXXXXX and XXXXXXX ;) * Paper: * T.Ptacek, T.Newsham "Insertion, Evasion, and Denial of Service: Eluding * Network Intrusion Detection," Secure Networks, Inc. January, 1998 * Greetings to XXX@!#$ * Description: * this daemon add little protection from some kind of sniffers and IDS * How it work (in default mode: -fffdFD): * 1. send fake data packets with random garbage on every ACK packet - * - sniffer log fake data. * 2. send fake FIN packets on every SYN packet - * - sniffer "think" connection closed and stop logging. * "fake" mean - it good packets for sniffer but really ignored by most * of computer systems in internet cause they have invalid sequence number. */ Moral of the story: don't expect to be lucky all the time, and trust packets found on the network, not files found on a compromised host. -- Dave Dittrich Computing & Communications dittrich () cac washington edu University Computing Services http://staff.washington.edu/dittrich University of Washington PGP key http://staff.washington.edu/dittrich/pgpkey.txt Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- fun with posiden rootkit Olaf Schreck (Mar 25)
- Re: fun with posiden rootkit Alvin Oga (Mar 25)
- Re: fun with posiden rootkit Skip Carter (Mar 25)
- Re: fun with posiden rootkit Dave Dittrich (Mar 26)
- Re: fun with posiden rootkit Skip Carter (Mar 25)
- Re: fun with posiden rootkit Alvin Oga (Mar 25)