Open Source and information security mailing list archives
Message-ID: <20031222162802.G49550-100000@vapid.ath.cx>
From: lwc at vapid.ath.cx (Larry W. Cashdollar)
Subject: Removing ShKit Root Kit


On Mon, 22 Dec 2003, Brian Eckman wrote:

> Schmehl, Paul L wrote:

> Hmmm. Well, if the execute bit isn't set, then I'd assume it can be
> considered relatively safe. If the attacker can later find a way to
> chmod it and then execute it with the privileges needed to make it
> harmful, then I imagine that they could find other ways of compromising
> your machine as well.
>

The attacker could have also added a new user to your Oracle database, so
I see where Paul is coming from. Restoring actual data from a known good
copy is a better idea. I suspect that most people keep a backup copy
(raw dd) of a compromised system for the feds and a copy for themselves to
explore.  Other than that nothing can be trusted from the compromised
system.

-- Larry C$

