Full Disclosure mailing list archives
Re: Rootkit
From: David Hane <dlhane () sbcglobal net>
Date: Fri, 26 Sep 2003 15:26:14 -0700
I already run my own database of MD5 checksums on all system files. That's how I know what files were affected. What I would like is maybe a listing of the files installed and what directories they went into for the various rootkits. Obviously the names of the files that were installed are meaningless. So all I would have to work with would maybe be file sizes, signature text in the files (as you mentioned), and the directories into which they were installed. Unless someone can suggest something else.

Like maybe an MD5 database of known "hacked" programs. Actually that's not a bad idea, in theory. How feasible would a searchable database of the most common hacked files be? For instance, if a hacked version of ps is routinely installed by several rootkits, could we then search that database and compare the MD5 signatures to list other files routinely used in conjunction with that app? I know it would be far from accurate, but could it be useful?

dave

On Friday 26 September 2003 15:04, B3r3n wrote:
> Hi Dave,
>
> Just my 2 cents advice.
>
> > Can anyone recommend a good scanner or info site where I can compare some of the binaries I saved (the machine has been wiped)?
>
> The first thing I do to scan filesystems suspected of being intruded is to launch an antivirus against them (from remote or booting on CD, ...). I found these were detecting many rootkit signatures. This simple action could help stepping forward, but is definitely not enough.
>
> If you saved binaries, you could also simply do a 'strings' on them and check the "text" displayed. If you see some info (possibly the password to get in) that definitely does not match the binary's mission, that's suspicious.
>
> What is the operating system you suspect to be intruded? Some OSes publish MD5 signature databases of all official versions of their binaries. It could also be useful to compare with these databases.
>
> Hope this will help.
>
> Brgrds
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
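The workflow Dave sketches (a trusted MD5 baseline, a catalogue of known trojaned binaries, and a pivot from one hit to the companion files that kit usually drops) as an added example that is not part of this thread; the kit label, companion paths and file contents are constructed, and MD5 is used only because it is what the thread discusses.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def md5_file(path):
    """MD5 of one file, streamed so large binaries are not read whole into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def scan_tree(root, baseline, known_bad):
    """baseline: {rel path: MD5 of trusted copy}; known_bad: {MD5: (kit, [companion rel paths])}.
    Returns {rel path: (status, detail)} with status ok/modified/unexpected/known_bad."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = Path(full).relative_to(root).as_posix()
            digest = md5_file(full)
            if digest in known_bad:            # matches a catalogued trojaned binary
                report[rel] = ("known_bad", known_bad[digest][0])
            elif rel not in baseline:          # file the baseline never saw
                report[rel] = ("unexpected", digest)
            else:
                report[rel] = ("ok" if baseline[rel] == digest else "modified", digest)
    return report

def companions_present(report, known_bad):
    """For each kit matched by hash, list which of its companion files also exist on disk."""
    return {kit: sorted(c for c in companions if c in report)
            for kit, companions in known_bad.values()
            if ("known_bad", kit) in report.values()}

def demo():
    """Constructed sample: trusted ps, trojaned ls, and one dropped companion file."""
    trusted = {"bin/ps": b"trusted ps\n", "bin/ls": b"trusted ls\n"}
    on_disk = {"bin/ps": b"trusted ps\n", "bin/ls": b"trojan ls\n", "tmp/.x/log": b"sniffer\n"}
    baseline = {p: hashlib.md5(b).hexdigest() for p, b in trusted.items()}
    known_bad = {hashlib.md5(b"trojan ls\n").hexdigest():       # constructed catalogue entry
                 ("example-kit (constructed)", ["tmp/.x/log", "tmp/.x/ssh"])}
    root = tempfile.mkdtemp()
    for rel, data in on_disk.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_bytes(data)
    report = scan_tree(root, baseline, known_bad)
    return report, companions_present(report, known_bad)
```

Run the scan from a clean boot medium against the mounted filesystem, since a kernel-level rootkit on the live host can lie to the hashing process; a modern baseline would use SHA-256 rather than MD5.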