Full Disclosure mailing list archives
Re: Rootkit
From: B3r3n <B3r3n () argosnet com>
Date: Sat, 27 Sep 2003 00:04:13 +0200
Hi Dave, just my 2 cents advice.

> Can anyone recommend a good scanner or info site where I can compare some of the binaries I saved (the machine has been wiped)?

The first thing I do to scan filesystems suspected of being intruded is to launch an antivirus against them (remotely, booting from CD, ...). I found these were detecting many rootkit signatures. This simple action could help you step forward, but is definitely not enough.

If you saved binaries, you could also simply do a 'strings' on them and check the "text" displayed. If you see some info (possibly the password to get in) that is definitely not matching the binary's mission, that's suspicious.

What is the operating system you suspect to be intruded? Some OSes publish MD5 signature databases of all official versions of their binaries. It could also be useful to compare with these databases.

Hope this will help.

Brgrds

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
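The two checks suggested above (a `strings` pass and a comparison against a known-good MD5 database) as one small triage script; this is an added example, not code from the post or the list. The "binaries", the known-good manifest and the suspect-fragment heuristic are all constructed sample data, standing in for real saved files and a vendor-published hash database.

```python
import hashlib
import re

# Constructed sample "binaries" (not real executables): a clean copy of a
# utility and a modified copy carrying text unrelated to its purpose.
CLEAN_LS = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
            + b"usage: ls [OPTION]... [FILE]...\x00list directory contents\x00")
MODIFIED_LS = CLEAN_LS + b"\x00/dev/hidden_dir\x00enter password:\x00"

# Constructed known-good manifest, standing in for the vendor MD5 database
# the post refers to: path of the official binary -> MD5 of its contents.
KNOWN_GOOD = {"/bin/ls": hashlib.md5(CLEAN_LS).hexdigest()}

# Constructed heuristic: fragments that have no business in a file-listing tool.
SUSPECT_FRAGMENTS = ("password", "/dev/", "hidden")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of strings(1): runs of printable ASCII of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(data)]


def triage_binary(path: str, data: bytes) -> dict:
    """Compare a saved binary's MD5 with the manifest and flag strings that
    do not fit the binary's stated purpose."""
    digest = hashlib.md5(data).hexdigest()
    expected = KNOWN_GOOD.get(path)
    if expected is None:
        status = "unknown"      # no reference hash: rely on the strings review
    elif expected == digest:
        status = "match"        # identical to the official build
    else:
        status = "MISMATCH"     # differs from the official build: investigate
    flagged = [s for s in extract_strings(data)
               if any(frag in s.lower() for frag in SUSPECT_FRAGMENTS)]
    return {"path": path, "md5": digest, "status": status,
            "suspicious_strings": flagged}


if __name__ == "__main__":
    for blob in (CLEAN_LS, MODIFIED_LS):
        print(triage_binary("/bin/ls", blob))
```

A hash mismatch alone says only that the file differs from the official build (a local rebuild or patch would also do that); the strings review is what tells you whether the difference looks like a trojaned binary.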
Current thread:
- Rootkit David Hane (Sep 26)
- RE: Rootkit Conrado Zelaya (Sep 26)
- Re: Rootkit B3r3n (Sep 26)
- Re: Rootkit David Hane (Sep 26)
- Re: Rootkit Danny Pansters (Sep 26)
- Re: Rootkit David Hane (Sep 26)
- Re: Rootkit Bruce Ediger (Sep 26)
- Re: Rootkit Paul Schmehl (Sep 26)
- Re: Rootkit Nate Hill (Sep 26)
- Re: Rootkit Soren Jacobsen (Sep 26)
- Re: Rootkit Paul Schmehl (Sep 26)
- Re: Rootkit Nate Hill (Sep 27)
- RE: Rootkit Marcus H. Sachs (Sep 26)
- RE: Rootkit Poof (Sep 26)
(Thread continues...)