Full Disclosure mailing list archives
Re: Removing ShKit Root Kit
From: Gino Thomas <g.thomas () nux-acid org>
Date: Mon, 22 Dec 2003 21:02:42 +0100
Brian Eckman <eckman () umn edu> wrote:
Hmmm. Well, if the execute bit isn't set, then I'd assume it can be considered relatively safe. If the attacker can later find a way to chmod it and then execute it with the privliges needed to make it harmful, then I imagine that they could find other ways of compromising your machine as well. For Windows, if it's a backdoor that is named something.txt, well, again, the attacker would have to find a way to rename that file and execute it with appropriate permissions. Again, I imagine that if they can do that, that they could find other ways of compromising your machine as well.
The backdoor could for example be a nasty makro trojan placed in a .doc that would later (most likely) executed by an user and so do the dirty work without remote interaction. Nothing to rename or execute. I agree with Paul that data from a compromised system can't be trusted anymore, regardless what it is, it has to be checked for integrity or wiped (at least in a secure environment). regards -gt -- Gino Thomas | mailto: g.thomas () nux-acid org | http://nux-acid.org GPG: E6EA9145 | 4578 F871 893E 1FEC 31FC 5B5E 8A46 4CC8 E6EA 9145 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Removing ShKit Root Kit Chris (Dec 21)
- Re: Removing ShKit Root Kit Cael Abal (Dec 21)
- Re: Removing ShKit Root Kit Alexander Schreiber (Dec 21)
- Re: Removing ShKit Root Kit Chris (Dec 22)
- Re: Removing ShKit Root Kit Ron DuFresne (Dec 22)
- <Possible follow-ups>
- Re: Removing ShKit Root Kit nicholas (Dec 22)
- Re: Removing ShKit Root Kit Wesley D Craig (Dec 22)
- re: Removing ShKit Root Kit nicholas (Dec 22)
- RE: Removing ShKit Root Kit Schmehl, Paul L (Dec 22)
- Re: Removing ShKit Root Kit Brian Eckman (Dec 22)
- Re: Removing ShKit Root Kit Gino Thomas (Dec 22)
- Message not available
- Re: Removing ShKit Root Kit Gino Thomas (Dec 22)
- Re: Removing ShKit Root Kit Brian Eckman (Dec 22)
- Re: Removing ShKit Root Kit Nathan Bates (Dec 22)
- Re: Removing ShKit Root Kit Brian Eckman (Dec 22)
- Re: Removing ShKit Root Kit Nathan Bates (Dec 23)
- Re: Removing ShKit Root Kit Larry W. Cashdollar (Dec 22)
- Re: Removing ShKit Root Kit Brian Eckman (Dec 22)
- Re: Removing ShKit Root Kit Gregory A. Gilliss (Dec 22)
- Re: Removing ShKit Root Kit Ron DuFresne (Dec 22)