RE: NKADM rootkit - Something new?

["Dave Paris" <dparis () w3works com>]

the Operator live CD (based of Knoppix) is an outstanding variation on this
theme.

http://www.ussysadmin.com/operator/

Kind Regards,
-dsp

> -----Original Message-----
> From: InfoSec () seba com [mailto:InfoSec () seba com]
> Sent: Thursday, May 27, 2004 3:06 PM
> To: Paul Schmehl
> Cc: incidents () securityfocus com
> Subject: Re: NKADM rootkit - Something new?
>
>
> Instead of Knoppix you may want to look at "Knoppix Security Tools Disto"
> at
> http://www.knoppix-std.org
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> This message and any files transmitted with it are
> proprietary and confidential.  They are intended solely
> for the use of the individual or entity to whom they are
> addressed. If the reader of this message is not the
> intended recipient, please notify the sender immediately
> and delete this message.  Distribution or copying of this
> message is prohibited.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
>
>
> Paul Schmehl <pauls () utdallas edu>
> 05/26/2004 06:50 PM
>
>         To:     <incidents () securityfocus com>
>         cc:
>         Subject:        Re: NKADM rootkit - Something new?
>
>
> Since I posted my response in this thread, I've gotten several requests
> for
> my "tool list".  There's really nothing magical about it.
>
> Foundstone has a number of useful tools - Forensic Toolkit (good for
> examing files), Vision (shows open TCP and UDP ports and what
> process owns
>
> them), BinText (strings for Windows).
>
> Go to http://www.foundstone.com/ and click on Resources/Free Tools.
>
> Systinternals has a number of tools that you'll probably find in the
> hackers' toolkits as well, particularly pslist and pskill.  But look at
> their whole set.  ListDLLs is very useful, as is Handle, PMon, Process
> Explorer (find function is *very* helpful), PSTools (pskill, pslist,
> psservice and several others.)
>
> Go to http://www.sysinternals.com/ and click on Utilities.
> All these tools are very useful.  Particularly when you're dealing with a
> process or service that's been renamed and/or is elusive, something that
> can tie processes to PIDs and files with complete paths is a necessity.
>
> Another good tool is Active Ports, which will show you the process, PID,
> IP
> address (local and remote), ports (local and remote), state (listen,
> established) and path to the executable is extremely useful.
>
> Go to http://www.snapfiles.com/get/activeports.html
>
> More good tools may be found at http://www.ntutility.com/ (including
> Active
> Ports.)
>
> Of course Microsoft also has a useful set of utilities that few seem to
> know about.  Among them is sc,tskill, tasklist, eventquery.vbs, pstat.exe
> (part of the SDK).  These are handy in a pinch, but not as informative as
> the tools mentioned above.
>
> Another tool that I've found invaluable is F.I.R.E.  It's a bootable,
> networkable CD ROM running Linux.  I've been able to mount ntfs hard
> drives
> and scp the entire contents to a server, saving all the data from a
> crashed
> machine before formatting it and reinstalling the OS.  (Saved the
> President's laptop once, becoming a hero in the process.)  I've done
> forensics on a Win2K box, mounting the ntfs drives and making copies of
> all
> the logs and binaries I found without disturbing the contents of
> the drive
>
> or changing any of the file access information.
>
> Go to http://biatchux.dmzs.com/ to get a copy.
>
> The most recent update is dated 5/14/2003, so I don't know if it's being
> maintained or updated.
>
> You might want to consider Knoppix instead.  It comes with a boatload of
> extra stuff you won't use for forensics, but it's a good way to get
> familiar with unix, if you're not already.  It even has a working version
> of snort with ACID!
>
> Go to http:www.knoppix.net/ for more information.
>
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/