Security Incidents mailing list archives
RE: NKADM rootkit - Something new?
From: "Dave Paris" <dparis () w3works com>
Date: Fri, 28 May 2004 06:19:10 -0400
the Operator live CD (based of Knoppix) is an outstanding variation on this theme. http://www.ussysadmin.com/operator/ Kind Regards, -dsp
-----Original Message----- From: InfoSec () seba com [mailto:InfoSec () seba com] Sent: Thursday, May 27, 2004 3:06 PM To: Paul Schmehl Cc: incidents () securityfocus com Subject: Re: NKADM rootkit - Something new? Instead of Knoppix you may want to look at "Knoppix Security Tools Disto" at http://www.knoppix-std.org ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This message and any files transmitted with it are proprietary and confidential. They are intended solely for the use of the individual or entity to whom they are addressed. If the reader of this message is not the intended recipient, please notify the sender immediately and delete this message. Distribution or copying of this message is prohibited. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Paul Schmehl <pauls () utdallas edu> 05/26/2004 06:50 PM To: <incidents () securityfocus com> cc: Subject: Re: NKADM rootkit - Something new? Since I posted my response in this thread, I've gotten several requests for my "tool list". There's really nothing magical about it. Foundstone has a number of useful tools - Forensic Toolkit (good for examing files), Vision (shows open TCP and UDP ports and what process owns them), BinText (strings for Windows). Go to http://www.foundstone.com/ and click on Resources/Free Tools. Systinternals has a number of tools that you'll probably find in the hackers' toolkits as well, particularly pslist and pskill. But look at their whole set. ListDLLs is very useful, as is Handle, PMon, Process Explorer (find function is *very* helpful), PSTools (pskill, pslist, psservice and several others.) Go to http://www.sysinternals.com/ and click on Utilities. All these tools are very useful. Particularly when you're dealing with a process or service that's been renamed and/or is elusive, something that can tie processes to PIDs and files with complete paths is a necessity. Another good tool is Active Ports, which will show you the process, PID, IP address (local and remote), ports (local and remote), state (listen, established) and path to the executable is extremely useful. Go to http://www.snapfiles.com/get/activeports.html More good tools may be found at http://www.ntutility.com/ (including Active Ports.) Of course Microsoft also has a useful set of utilities that few seem to know about. Among them is sc,tskill, tasklist, eventquery.vbs, pstat.exe (part of the SDK). These are handy in a pinch, but not as informative as the tools mentioned above. Another tool that I've found invaluable is F.I.R.E. It's a bootable, networkable CD ROM running Linux. I've been able to mount ntfs hard drives and scp the entire contents to a server, saving all the data from a crashed machine before formatting it and reinstalling the OS. (Saved the President's laptop once, becoming a hero in the process.) I've done forensics on a Win2K box, mounting the ntfs drives and making copies of all the logs and binaries I found without disturbing the contents of the drive or changing any of the file access information. Go to http://biatchux.dmzs.com/ to get a copy. The most recent update is dated 5/14/2003, so I don't know if it's being maintained or updated. You might want to consider Knoppix instead. It comes with a boatload of extra stuff you won't use for forensics, but it's a good way to get familiar with unix, if you're not already. It even has a working version of snort with ACID! Go to http:www.knoppix.net/ for more information. Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/ir/security/
Current thread:
- Re: NKADM rootkit - Something new?, (continued)
- Re: NKADM rootkit - Something new? Harlan Carvey (May 26)
- Re: NKADM rootkit - Something new? Paul Schmehl (May 26)
- Re: NKADM rootkit - Something new? Paul Schmehl (May 27)
- Re: NKADM rootkit - Something new? Robert P. McKenzie (May 27)
- Re: NKADM rootkit - Something new? Pho Man (May 27)
- Re: NKADM rootkit - Something new? Harlan Carvey (May 27)
- RE: NKADM rootkit - Something new? Don Wolf (May 28)
- RE: NKADM rootkit - Something new? Harlan Carvey (May 28)
- Re: NKADM rootkit - Something new? Gadi Evron (May 31)
- Re: NKADM rootkit - Something new? Harlan Carvey (May 26)
- Re: NKADM rootkit - Something new? InfoSec (May 27)
- RE: NKADM rootkit - Something new? Dave Paris (May 28)
- Re: NKADM rootkit - Something new? Tyrano Jones (May 27)