Articles on rootkits, etc. in Linux Magazin
Hi! The current (German) Linux Magazin has quite interesting articles on detecting network scans, rootkits, incident response and so on. I liked the article on searching for traces (in German: "Spurensuche"), which shows how to use netcat to save the output of commands to another machine (called the "forensic computer").

The introduction to root kits is also quite good. It shows how to make use of the /proc hierarchy to find hidden files and provides some links, e.g.:

http://security.alldas.de/analysis/?aid=2 (analysis of the linux rootkit yoyo.tar.gz),
http://www.theorygroup.com/Theory/rootkits.html (Rootkits - How Intruders Hide),
and, of course: http://project.honeynet.org/papers/ (Know Your Enemy).

Of course, the articles do not provide in-depth discussions of these subjects. But they are quite informative and might be a good first source of information.

Regards,
Albert Brandl
> The introduction to root kits is also quite good. It shows how to make use of the /proc hierarchy to find hidden files and provides some links, e.g.:
Hopefully with the comment that injected kernel modules or a modified kernel may prevent this tactic. :O)

Michael Appeldorn
On Mon, Feb 11, 2002 at 10:53:19AM +0100, Michael Appeldorn wrote:
> The introduction to root kits is also quite good. It shows how to make use of the /proc hierarchy to find hidden files and provides some links, e.g.:

> Hopefully with the comment, that injected kernel modules or a modified kernel may prevent this tactic.
Citing Boris Schauerte in "Feind im Dunkeln", Linux Magazin 03/2002: "The programmers of the cracker tools know this too, and some rootkits hide information in "/proc"; nevertheless, a look into this directory is almost always worthwhile." Which means: Some rootkits hide information in /proc, but nevertheless it almost always pays off to look into this directory. He does not explain the means by which the information is hidden (i.e. LKMs), but the information is there ;-)

Albert Brandl