Message-ID: <6.0.0.22.2.20030926235905.01dd5dc8@pop.argosnet.com>
From: B3r3n at argosnet.com (B3r3n)
Subject: Rootkit
Hi Dave,
Just my 2 cents' worth of advice.
>Can anyone recommend a good scanner or info site where I can compare some of
>the binaries I saved (the machine has been wiped)?
The first thing I do to scan filesystems suspected of having been intruded is to run an antivirus against them (remotely, or after booting from a CD, ...).
I have found these detect many rootkit signatures.
This simple action could help you step forward, but it is definitely not enough.
If you saved binaries, you could also simply run 'strings' on them and check the "text" displayed.
If you see some info (possibly the password to get in) that definitely does not match the binary's mission, that's suspicious.
What is the operating system you suspect has been intruded?
Some OSes publish an MD5 signature database of all official versions of their binaries.
It could also be useful to compare against these databases.
Hope this will help.
Best regards
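The two checks the reply recommends, comparing saved binaries against a vendor-published MD5 database and looking through their printable strings for text that does not belong, as an added Python example that is not part of the original post. The binaries, the manifest and the suspect-word list are all constructed here for illustration; a real manifest would come from the OS vendor, and a real investigation would run this against files copied off the offline disk image. MD5 is kept because that is what such databases ship, but SHA-256 is recorded alongside it since MD5 is no longer collision resistant.

```python
import hashlib
import re

# --- Constructed sample data (not real binaries) ---------------------------
# A "clean" /bin/ls as the vendor shipped it: an ELF-looking header followed
# by the kind of usage text a real ls carries.
CLEAN_LS = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
            + b"Usage: ls [OPTION]... [FILE]...\x00" + b"\x00" * 16)
# The same bytes with one string appended, standing in for a trojaned copy.
TROJANED_LS = CLEAN_LS + b"enter password:\x00"
CLEAN_PS = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
            + b"Usage: ps [options]\x00" + b"\x00" * 16)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Known-good manifest in the shape a vendor MD5 database takes: path -> MD5 of
# the official binary. Built here from CLEAN_LS; /bin/ps is deliberately absent
# to show the "no reference available" case.
MANIFEST = {"/bin/ls": md5_hex(CLEAN_LS)}

# Binaries saved from the wiped machine (constructed).
SAVED = {"/bin/ls": TROJANED_LS, "/bin/ps": CLEAN_PS}


def compare_to_manifest(saved, manifest):
    """Return {path: 'match' | 'MISMATCH' | 'not in manifest'}."""
    result = {}
    for path, data in saved.items():
        expected = manifest.get(path)
        if expected is None:
            result[path] = "not in manifest"
        elif md5_hex(data) == expected:
            result[path] = "match"
        else:
            result[path] = "MISMATCH"
    return result


def printable_strings(data, min_len=4):
    """Roughly what `strings` prints: runs of >= min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Constructed: words that have no business in a file lister or process lister.
SUSPECT_PATTERNS = (re.compile(r"passw", re.IGNORECASE),)


def suspicious_strings(data, patterns=SUSPECT_PATTERNS):
    """Strings from the binary that match any suspect pattern."""
    return [s for s in printable_strings(data)
            if any(p.search(s) for p in patterns)]


def triage(saved, manifest):
    """Per-file report: hash verdict, both digests, and any suspect strings."""
    report = {}
    for path, verdict in compare_to_manifest(saved, manifest).items():
        data = saved[path]
        report[path] = {
            "hash": verdict,
            "md5": md5_hex(data),
            "sha256": sha256_hex(data),
            "suspect_strings": suspicious_strings(data),
        }
    return report


if __name__ == "__main__":
    for path, info in triage(SAVED, MANIFEST).items():
        print(f"{path}: {info['hash']}  md5={info['md5']}")
        for s in info["suspect_strings"]:
            print(f"    suspect string: {s!r}")
```

A file that is "not in manifest" is not cleared, only unverified; a hash mismatch with no suspect strings still deserves a closer look, since a trojaned binary need not carry a readable password.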