That's right so far. But if an attacker realizes this copy of the system files, he may circumvent this protection - e.g. by piping the /dev/fd0 device to somewhere else - and I'd be thinking everything is still fine.
Michael Appeldorn
I may be reinventing the wheel here, but wouldn't it be possible to put 'rootkit vulnerable' binaries on a floppy and leave it in the drive with the tab set to read-only?
Then, it should be possible to use uncompromised binaries like ps if you're suspicious of those on your hard drive.
I manage a couple of 'hobby servers' in different countries, so this would be particularly useful as I cannot always be present to insert a floppy.
- Mike
On Fri, Nov 09, 2001 at 10:22:07AM +0100, Michael Appeldorn wrote:
Hi list - let's assume our nightmare :=(_
Last night I saw some forensic analysis by honeynet.org.
Often - AWK - after gaining access to a remote host a rootkit will be installed (swapping bins like netstat or ps) to hide processes and connections, e.g.
I wrote these short lines
cd /proc
for i in $(ls | grep -E '^[0-9]'); do cat "$i/status" | xargs | awk '{print $4 $7 " " $2 " " $5}'; done
to view all processes in a poor way.
Is this a possible way to circumvent the rootkit's process hiding, or will such kits influence the proc-fs as well?
And - if it works - are lists for connections, users and so on trustworthy after rootkitting too?
Michael Appeldorn :O)_
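As an added example (not code from the original post), the idea above turned into a check: enumerate PIDs straight from /proc, compare them with what the installed ps reports, and flag any PID the kernel exports but ps omits. Function names and the sample PID lists are my own; the check only catches a trojaned ps binary, since a kernel-level kit that filters /proc itself would hide from both views.

```shell
#!/bin/sh
# Candidate hidden processes = PIDs visible in /proc but missing from ps.

# PIDs from the kernel's own view: every numeric directory under /proc.
# Uses a shell glob, so neither ls nor ps is needed for this list.
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] || continue          # no /proc mounted: empty list
        echo "${d#/proc/}"
    done
}

# PIDs as the (possibly trojaned) ps binary reports them.
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# Print PIDs present in list $1 (from /proc) but absent from list $2
# (from ps). Both arguments are newline-separated; order does not matter.
hidden_pids() {
    { printf '%s\n' "$2" | sed 's/^/ps /'
      printf '%s\n' "$1" | sed 's/^/proc /'; } |
    awk '$1 == "ps"   { seen[$2] = 1; next }
         $1 == "proc" && $2 != "" && !($2 in seen) { print $2 }'
}

# Name and State of one PID, read from /proc/PID/status as in the post.
describe_pid() {
    awk -F'\t' '$1 == "Name:" { n = $2 } $1 == "State:" { s = $2 }
                END { print n, s }' "/proc/$1/status" 2>/dev/null
}

# Take both snapshots, diff them, and report survivors. A process that
# exited between the two snapshots would be a false positive, so each
# candidate is re-checked against /proc before it is printed.
check_hidden() {
    hidden=$(hidden_pids "$(proc_pids)" "$(ps_pids)")
    for p in $hidden; do
        [ -d "/proc/$p" ] && echo "hidden from ps: $p $(describe_pid "$p")"
    done
}

if [ "${1:-}" = "--run" ]; then check_hidden; fi
```

Run with `sh check.sh --run`; no output means ps and /proc agree.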