Open Source and information security mailing list archives
 
From: lists at onryou.com (Cael Abal)
Subject: Removing ShKit Root Kit


|>> OK, so how does the attacker get the ADS to run? If you open
|>> something.txt in notepad, it doesn't launch the ADS 'trouble.exe' as
|>> an executable file. It's ignored.
|
| The easy answer is start a command prompt and type
|
| start something.txt:trouble.exe
|
| It does not even have to be tagged .exe or .com or whatever. As an
| exercise, copy notepad.exe to calc.exe:notepad and then launch a command
| prompt and type "start calc.exe:notepad". You should be looking at
| notepad. I no longer have a handy M$ system to verify the steps on, so if
| it does not work, play with it for a few minutes.

Although Jason is exactly right about ADS' under NTFS as covert data
storage (in theory, even if his examples don't quite work) it's all a
bit off topic -- the server in question was a RH 8.0 box and besides,
ADS' are trivial to find if you're looking for them and aren't likely to
see much use in the wild.

All this discussion about particulars is beside the point -- the thrust
of the matter is that attacker/defender roles have been reversed,
leaving the good guy in an untenable position.  Do you really think it's
wise to bet you're smarter or more resourceful than a person who has
(already) rooted the box once?

take care,

Cael




