Re: other mysterious port things

Cesar writes:

Hi!
  I have a diskette with these utilities, clean.
  #mount /dev/fd0 /floppy
  #cd /floppy
  #./netstat -antp

Don't forget to mount "-ro" or write protect the floppy. :-)

On Linux, AFAIK, "netstat" relies on /dev/net and friends not to lie to it. This is a poor assumption on a compromised machine, as it is possible to intercept the reading of these devices in the kernel to filter results. This can be done with a LKM (which are a common feature of root kits), or perhaps by leveraging flaws in existing system calls (e.g. the old BSD mmap() bug that let you make kernel physical memory writable could be used to effect this, I suppose). For a practical example of how this can work in the wild, please check out the "knark" or "rial" root kit. Both use an LKM, BTW. Even having a safe, statically linked "netstat" on floppy won't save you here.

Once again, successful detection of a compromise is a multi-layered problem, and no one tool is a silver bullet.

Ken Seefried, CISSP
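As an added example (not code from this thread), here is the kind of second layer the message argues for: parse the kernel's own socket table (/proc/net/tcp, the interface a Linux netstat reads; the message calls it /dev/net) and compare it against a port list obtained from an independent vantage point, such as a scan of the host run from another machine. A kernel module filtering the local view cannot also hide the port from the remote scanner, so any port open externally but absent locally is worth a closer look. The /proc/net/tcp text, the scan result and the port numbers are all constructed samples so the script runs offline.

```python
"""Cross-view check for listeners hidden from the local socket table."""

LISTEN = "0A"  # TCP_LISTEN as encoded in the st column of /proc/net/tcp


def parse_proc_net_tcp(text):
    """Return the set of listening TCP ports found in /proc/net/tcp text."""
    ports = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == LISTEN:
            # local_address is HEXIP:HEXPORT, e.g. 00000000:0016 for 0.0.0.0:22
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports


def hidden_listeners(local_ports, external_ports):
    """Ports reachable from outside that the local kernel view does not show.

    The reverse case (listening locally, closed externally) is usually just a
    firewall and is not reported.
    """
    return sorted(external_ports - local_ports)


# Constructed /proc/net/tcp sample: sshd and an MTA listening, one
# established session. Column layout follows the real file.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 0A000002:0016 0A000001:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 1236 1 0000000000000000 100 0 0 10 0
"""

# Constructed result of scanning the same host from a second machine;
# 61234 is an arbitrary placeholder for a port the local view omits.
EXTERNAL_SCAN_OPEN_PORTS = {22, 25, 61234}

if __name__ == "__main__":
    local = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for port in hidden_listeners(local, EXTERNAL_SCAN_OPEN_PORTS):
        print(f"port {port}/tcp open externally but absent from local view")
```

On a real host, replace the sample text with the contents of /proc/net/tcp (and /proc/net/tcp6) read from the suspect machine, and the scan set with the open ports reported by a scanner run from a trusted host.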