lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3FE85A37.4000202@onryou.com>
From: lists at onryou.com (Cael Abal)
Subject: Removing ShKit Root Kit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

|>> OK, so how does the attacker get the ADS to run? If you open
|>> something.txt in notepad, it doesn't launch the ADS 'trouble.exe' as
|>> an executable file. It's ignored.
|
| The easy answer is start a command prompt and type
|
| start something.txt:trouble.exe
|
| it does not even have to be tagged .exe or .com or whatever. As an
| exercise, copy notepad.exe to calc.exe:notepad and then launch a command
| prompt and type "start calc.exe:notepad" You should be looking at
| notepad. I no longer have a handy M$ system to verify the steps on so if
| it does not work play with it for a few minutes.

Although Jason is exactly right about ADS' under NTFS as covert data
storage (in theory, even if his examples don't quite work) it's all a
bit off topic -- the server in question was a RH 8.0 box and besides,
ADS' are trivial to find if you're looking for them and aren't likely to
see much use in the wild.

All this discussion about particulars is beside the point -- the thrust
of the matter is that attacker/defender roles have been reversed,
leaving the good guy in an untenable position.  Do you really think it's
wise to bet you're smarter or more resourceful than a person who has
(already) rooted the box once?

take care,

Cael



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)

iD8DBQE/6Fo3R2vQ2HfQHfsRAq87AJ93cpOZgTVTMGqFvK9uzQm+3B900wCgmQ3J
Hnjkp79WpgfQj/Y4oePcZQk=
=jrAR
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ