Full Disclosure mailing list archives

Re: Removing ShKit Root Kit


From: "Larry W. Cashdollar" <lwc () vapid ath cx>
Date: Mon, 22 Dec 2003 16:33:02 -0500 (EST)



On Mon, 22 Dec 2003, Brian Eckman wrote:

Schmehl, Paul L wrote:

Hmmm. Well, if the execute bit isn't set, then I'd assume it can be
considered relatively safe. If the attacker can later find a way to
chmod it and then execute it with the privileges needed to make it
harmful, then I imagine that they could find other ways of compromising
your machine as well.


The attacker could have also added a new user to your oracle database, so
I see where Paul is coming from. Restoring actual data from a known good
copy is a better idea. I suspect that most people keep a backup copy
(raw dd) of a compromised system for the feds and a copy for themselves to
explore. Other than that nothing can be trusted from the compromised
system.

-- Larry C$

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html