From: nathan.bates at wpni.com (Nathan Bates)
Subject: Removing ShKit Root Kit

Brian Eckman had thus to say: (Mon, Dec 22, 2003 at 04:24:08PM -0600)
> OK, so how does the attacker get the ADS to run? If you open
> something.txt in notepad, it doesn't launch the ADS 'trouble.exe' as an
> executable file. It's ignored.

A quick google shows:
http://patriot.net/~carvdawg/docs/dark_side.html

If they're able to create the datastream in the first place, you'd think they'd be able to get it to run or add it into the registry somewhere.. I'm not completely certain, but you shouldn't be able to see them in the task list either.

> Remember, the machine was formatted and reinstalled from clean media.
> However that ADS was called is now long gone...

If you're restoring from backup you may very well restore ADSs as well. In the context of a fresh install and rebuild, this would have no effect. Unless of course you don't prevent the very vulnerability that allowed the attacker access in the first place.

Just my 2 cents,
Nathan