Open Source and information security mailing list archives
Message-ID: <200309270141.44046.danny@ricin.com>
From: danny at ricin.com (Danny Pansters)
Subject: Rootkit

On Saturday 27 September 2003 00:26, David Hane wrote:
> I already run my own database of MD5 checksums on all system files.
> That's how I know what files were affected. What I would like is
> maybe a listing of the files installed and what directories they went
> into for the various rootkits.

Guess it's too late, but try something like integrit next time. Still,
timestamp should help.

> Obviously the names of the files that were installed are meaningless.
> So all I would have to work with would maybe be file sizes,
> signature text in the files (as you mentioned), and the directories
> into which they were installed. Unless someone can suggest something
> else. Like maybe an MD5 database of known "hacked" programs.

Timestamp. You must be able to get the time at which things occurred. If
it might have been messed with, look at inode numbers as well.

An MD5 database of "hacked" programs would be like a hash db on existing
insect species where about one quarter of them are known and mutations
abound.

> Actually that's not a bad idea, in theory. How feasible would a
> searchable database of the most common hacked files be? For instance
> if a hacked version of ps is routinely installed by several rootkits
> could we then search that database and compare the MD5 signatures to
> list other files routinely used in conjunction with that app? I know
> it would be far from accurate but could it be useful?

Bad idea. Exploits will easily vary. It's like anti virus databases, 
always too late anyway. Worry about what's on your plate now first. 

I also think that if you think you have "various rootkits" you should 
backup everything (the evidence) and reinstall the whole lot. Then look 
at the evidence. Compare it against older backups. Something will pop 
up.

Also strings and hexdump are helpful.


HTH, just IMHO

Dan
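
The timestamp and inode-number checks suggested in this message, as an added Python example that is not part of the original post. The `Entry` record, function names, thresholds and sample paths are assumptions made for illustration, and the inode heuristic assumes a filesystem that hands out inode numbers roughly in sequence at install time.

```python
import os
import statistics
from collections import namedtuple

Entry = namedtuple("Entry", "path inode mtime ctime")

def scan(root):
    """lstat every file under root (symlinks are not followed)."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable
            out.append(Entry(path, st.st_ino, int(st.st_mtime), int(st.st_ctime)))
    return out

def changed_near(entries, known_changed, window=600):
    """Other files whose ctime lies within `window` seconds of a known-changed file.
    ctime is compared because utime()/touch can reset mtime but not ctime."""
    pivots = [e.ctime for e in entries if e.path in known_changed]
    return sorted(e.path for e in entries if e.path not in known_changed
                  and any(abs(e.ctime - t) <= window for t in pivots))

def inode_outliers(entries, factor=10, min_files=5):
    """Files whose inode number is far from the median of their directory."""
    by_dir = {}
    for e in entries:
        by_dir.setdefault(os.path.dirname(e.path), []).append(e)
    flagged = []
    for group in by_dir.values():
        if len(group) < min_files:
            continue  # too few files for a meaningful median
        med = statistics.median(e.inode for e in group)
        mad = statistics.median(abs(e.inode - med) for e in group) or 1
        flagged += [e.path for e in group if abs(e.inode - med) > factor * mad]
    return sorted(flagged)

# Constructed sample: /bin/ps was replaced later and its mtime set back to match.
SAMPLE = [Entry("/bin/ls", 1001, 1000000000, 1000000000),
          Entry("/bin/cat", 1002, 1000000000, 1000000000),
          Entry("/bin/cp", 1003, 1000000000, 1000000000),
          Entry("/bin/mv", 1004, 1000000000, 1000000000),
          Entry("/bin/rm", 1005, 1000000000, 1000000000),
          Entry("/bin/ps", 88231, 1000000000, 1064600000),
          Entry("/usr/lib/constructed-extra.so", 5000, 1064600120, 1064600120),
          Entry("/etc/motd", 2000, 1063000000, 1063000000)]
```

On a real case, feed `scan()` a read-only mount of the preserved evidence rather than the running system, and pass the paths your checksum database already flagged as `known_changed`.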

