Message-ID: <200309261526.14216.dlhane@sbcglobal.net>
From: dlhane at sbcglobal.net (David Hane)
Subject: Rootkit

I already run my own database of MD5 checksums on all system files. That's how 
I know what files were affected. What I would like is maybe a listing of the 
files installed and what directories they went into for the various rootkits.

Obviously the names of the files that were installed are meaningless. So all I 
would have to work with would maybe be file sizes, signature text in the 
files (as you mentioned), and the directories into which they were installed. 
Unless someone can suggest something else. Like maybe an MD5 database of known 
"hacked" programs.

Actually that's not a bad idea, in theory. How feasible would a searchable 
database of the most common hacked files be? For instance if a hacked version 
of ps is routinely installed by several rootkits could we then search that 
database and compare the MD5 signatures to list other files routinely used in 
conjunction with that app? I know it would be far from accurate but could it 
be useful?

dave


On Friday 26 September 2003 15:04, B3r3n wrote:
> Hi Dave,
>
> Just my 2 cents advice.
>
> >Can anyone recommend a good scanner or info site where I can compare some
> > of the binaries I saved (the machine has been wiped)?
>
> The first thing I do to scan filesystems suspected of being intruded is to
> launch against them (from remote or booting on CD, ...) an antivirus.
> I found these were detecting many rootkit signatures.
> This simple action could help stepping forward, but is definitely not
> enough.
>
> If you saved binaries, you could also simply do a 'strings' on them and
> check the "text" displayed.
> If you see some infos (possibly the password to get in) that are definitely
> not matching with the binary's mission, that's suspicious.
>
> What is the operating system you suspect to be intruded?
> Some OSes publish MD5 signature databases of all official
> versions of their binaries.
> It could also be useful to compare with these databases.
>
> Hope this will help.
>
> Brgrds
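An added example, not code from the thread, of the checksum baseline Dave already runs, extended with the known-bad-hash lookup he proposes: it hashes every file under a tree, rescans after a constructed "rootkit install", and reports what was added, removed or modified and which file matches the known-bad list. The sample tree, the trojaned content and the known-bad entry are all constructed; SHA-256 is used in place of the thread's MD5 because MD5 collisions are practical today, though `hashlib.new("md5")` works the same way.

```python
"""Hash-baseline integrity check: build a baseline of a tree, re-scan later,
report added/removed/modified files, and flag hashes on a known-bad list.
(Added example; the sample tree and the 'trojaned' content are constructed.)"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, algo: str = "sha256") -> dict:
    """Map every regular file under root (as a POSIX relative path) to its hash."""
    return {p.relative_to(root).as_posix(): hash_file(p, algo)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def compare(baseline: dict, current: dict, known_bad=frozenset()) -> dict:
    """Diff two scans and flag any current file whose hash is on the known-bad list."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "known_bad": sorted(k for k, h in current.items() if h in known_bad),
    }


def demo() -> dict:
    """Constructed scenario: clean tree, then a simulated rootkit install."""
    root = Path(tempfile.mkdtemp())
    for rel, data in {"bin/ps": b"clean ps", "bin/ls": b"clean ls", "var/log/wtmp": b"logins"}.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    baseline = build_baseline(root)
    # Simulated compromise: replaced ps, a dropped file in a hidden dir, wiped wtmp.
    trojan = b"constructed trojaned ps"
    (root / "bin/ps").write_bytes(trojan)
    (root / "usr/lib/.x").mkdir(parents=True)
    (root / "usr/lib/.x/backdoor").write_bytes(b"constructed")
    (root / "var/log/wtmp").unlink()
    known_bad = {hashlib.sha256(trojan).hexdigest()}  # one "hacked ps" database entry
    return compare(baseline, build_baseline(root), known_bad)


if __name__ == "__main__":
    print(demo())
```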