Re: Linux - Indicators of compromise

[Leutnant Steiner <chk.mailbox () gmail com>]

http://www.rootkit.nl/projects/rootkit_hunter.html/

2012/7/18 Григорий Братислава <musntlive () gmail com>

> On Wed, Jul 18, 2012 at 8:30 AM, alex <fd () daloo de> wrote:
> > Source MAC faking would result in switchport shutdown in some
> environments.
> > Further you cannot communicate with outside world using broadcasts.
> > ICMP payloads is quite common and hard to detect.
> >
> > Me study CISSP, too. Already CCNA Security. CCNA not worth the money.
> Better get CISA/CISM.
> >
>
> You miss point. If I sent data to broadcast, original poster is say:
> "I will know who you are via MAC address" to which I say: "You is need
> to go back to Cisco bootcamp" Everyone is receive broadcast, no way
> for him to detect who I am since I am is not alone in receiving the
> broadcast. Needle in is haystack.
>
> Second, ICMP tunneling, GRE tunneling is too much trouble. Advanced
> Persistent Threats as defined by (is now give North Korean title to
> him) Super Grand Master of the Internet Universe Richard Bejtlich as
> advanced and is persistent. But is also stupid and lazy. Will not
> waste time on this is vector. Will use SSL and HTTP to is stay under
> radar.
>
> Attacker >>> Own is your data >>> post data in $WBEDIR >>> visit
> $WEBDIR using proxy [small packets]
>
> Is how else can attacker download 867 terabytes of data
> (
> http://www.eddupdate.com/2012/02/cyberthieves-stole-867-terabytes-in-2011.html
> )?
> You believe attackers is using FTP, ICMP, GRE tunnels? No. Too noisy
> is this. Better to visit website like everyone else use proxy of
> another country, this is country take blame.
>
> MusntLive >>> use is never use 213.24.76.77 address >>> use proxy
> 210.75.193.49 >>> download data \
> Supreme Grand Master of Internet Universe >>> analyze >>> see proxy
> > > > chant APT APT APT >>> See I told you is China \
> Fox News >>> report on Chinese threat \
> MusntLive >>> facepalm at report and go back is drink Stoli
>
> CISA/CISM is have nothing on InfoSecInstitute!
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



-- 
Disclaimer: This communication may contain confidential, proprietary or
legally privileged information. It is intended only for the person(s) to
whom it is addressed. If you are not an intended recipient, you may not
use, read, retransmit, disseminate or take any action in reliance upon it.
Please notify the sender that you have received it in error and immediately
delete the entire communication, including any attachments. I do not
encrypt and cannot ensure the confidentiality or integrity of external
e-mail communications and, therefore, I cannot be responsible for any
unauthorized access, disclosure, use or tampering that may occur during
transmission. If you are not the intended recipient you are notified that
disclosing, copying, distributing or taking any action in reliance on the
contents of this information is strictly prohibited. I accept no liability
for the content of this email, or for the consequences of any actions taken
on the basis of the information provided.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/