Security Incidents mailing list archives
Re: IIS web server hacked..any tips?
From: Valdis.Kletnieks () vt edu
Date: Fri, 17 Dec 2004 13:32:59 -0500
On Thu, 16 Dec 2004 17:47:51 PST, David LeBlanc said:
> So you'd set the switch, boot the system, wait until you want to snapshot it, and then use the debugger to look at anything in memory you like. Windbg will do this, and I think SoftIce does, too. The owned system is defenseless against an external kernel debugger.
Well.. that's not *really* a totally external debugger. For starters, you're assuming the system is cooperating enough to *start* the debugger, and to keep talking to it. There's no good way to *force* (on the *hardware* level) the system to cooperate across that serial cable. A *sufficiently* 0wned box can simply ignore that port - it's just that no rootkits so far have bothered to protect against it. (Think about it - if it's a boot.ini flag, all I have to do is add a rootkit part that says "ignore that boot.ini flag" and the debugger is useless....)

The ieee1394/iPod trick is different in that the external 1394 device literally *CAN* force itself into the system on the hardware level and do DMA to suck out all the RAM contents, totally without any cooperation from the system.