The qualification of those guys that install rootkits seems not to be the question, but the effect. An installed rootkit, by the way, says nothing about the skills of the attacker. If he gained access to your box by a self-explored and exploited buffer overrun he isn't a script kid -> please choose: hacker, [white|grey|black]hat. If they prevent you from seeing their activities by installing mechanisms like rootkits, it's harder to seek 'em. So my question was initially: does this really show all processes even if a rootkit is installed?
cd /proc
# fields after xargs: $2 = Name, $4 = State, $5 = (state text), $7 = Tgid/Pid
for i in $(ls | grep -E '^[0-9]') ; do cat $i/status | xargs | awk '{printf "%s%s %s %s\n", $4, $7, $2, $5}'; done
Hmmm...that's true.
How hard would that be to do? Are these rootkits being used by the kind of people who would do that or are they closer to the kiddie end of the scale?
cheers,
Mike
On Fri, Nov 09, 2001 at 02:54:46PM +0100, Michael Appeldorn wrote:
That's right so far. But if an attacker realizes this copy of the system files, he may circumvent this protection - e.g. piping the /dev/fd0 device to somewhere else - and me thinking everything is still fine.
Michael Appeldorn
I may be reinventing the wheel here but wouldn't it be possible to put 'rootkit vulnerable' binaries on a floppy and leave it in the drive with the tab set to read only?
Then, it should be possible to use uncompromised binaries like ps if you're suspicious of those on your hard drive.
I manage a couple of 'hobby servers' in different countries so this would be particularly useful as I cannot always be present to insert a floppy.
- Mike
On Fri, Nov 09, 2001 at 10:22:07AM +0100, Michael Appeldorn wrote:
Hi list - let's assume our nightmare :=(_
Last night I saw some forensic analysis by honeynet.org.
Often - AWK - after gaining access to a remote host a rootkit will be installed (swapping bins like netstat or ps) to hide processes and connections, e.g.
I did these short lines
cd /proc
# fields after xargs: $2 = Name, $4 = State, $5 = (state text), $7 = Tgid/Pid
for i in $(ls | grep -E '^[0-9]') ; do cat $i/status | xargs | awk '{printf "%s%s %s %s\n", $4, $7, $2, $5}'; done
to view all processes in a poor way.
Is this a possible way to circumvent the rootkit's process hiding, or will such kits influence the proc-fs as well?
And - if it works - are lists for connections, users and so on post-rootkitting trusty too?
Michael Appeldorn :O)_
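A defender's version of the check this message asks about, as an added example and not code from the thread: it reads PIDs straight from the /proc directory (the idea of the posted loop), diffs them against what the ps binary reports, and summarises a status file without using its contents as a printf format string. It assumes a Linux /proc and a procps-style ps that accepts -e -o pid=; a rootkit living in the kernel that filters /proc itself would pass this userland comparison unnoticed.

```sh
#!/bin/sh
# Added example: compare the process list seen in /proc with the one ps reports.
# Assumes a Linux /proc and a procps-style ps; a rootkit that filters /proc
# inside the kernel would not be caught by this userland comparison.

# PIDs read directly from the /proc directory (numeric entries only).
proc_pids() {
    dir=${1:-/proc}
    for p in "$dir"/[0-9]*; do
        [ -d "$p" ] && basename "$p"
    done | sort -n
}

# PIDs as the (possibly trojaned) ps binary reports them.
ps_pids() {
    ps -e -o pid= | tr -d ' ' | sort -n
}

# Print every PID in the first list that is missing from the second.
# $1 = newline-separated PIDs from /proc, $2 = newline-separated PIDs from ps.
hidden_pids() {
    printf '%s\n' "$2" "---" "$1" | awk '
        /^---$/  { in_proc = 1; next }
        !in_proc { known[$1] = 1; next }
        $1 != "" && !($1 in known) { print $1 }'
}

# Summarise a /proc/PID/status file read on stdin as "pid name state",
# passing its fields to printf as arguments rather than as the format.
status_summary() {
    awk -F ':[ \t]*' '
        $1 == "Name"  { name  = $2 }
        $1 == "State" { state = $2 }
        $1 == "Pid"   { pid   = $2 }
        END { printf "%s %s %s\n", pid, name, state }'
}

# Live check (run with --run). Short-lived helpers such as sort or basename
# can vanish between the two listings, so re-check that a flagged PID still
# exists before reporting it.
if [ "${1:-}" = "--run" ]; then
    for pid in $(hidden_pids "$(proc_pids)" "$(ps_pids)"); do
        [ -r "/proc/$pid/status" ] && status_summary < "/proc/$pid/status"
    done
fi
```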