Re: DHCP - rootkit
hi ya dale
if anybody modifies the typical binaries..
i'll know within the hour.. hourly/randomly system checks
or instantaneously if i happen to be reading emails
at the time ... they are attacking...
i say modifying files is a giveaway .. that says
"come find me" .... which is trivial since it's modified
binaries
see below
On Wed, 30 Oct 2002, Dale Amon wrote:
> On Tue, Oct 29, 2002 at 03:28:20PM -0800, Alvin Oga wrote:
> > if they exploited a root vulnerability and got in...
> > why modify silly binaries like ps, top, ls, find, etc ??
> >
> > that gives themselves away as having modified the system
>
> No it doesn't. It makes them and everything they do vanish
> into thin air as if they weren't there. They can log into
> your computer, create files, run a Warez and you can sit on
> your remote terminal blithely unaware because nothing you
> do will show you anything they are doing.
>
> Their files don't show in your ls
> Their disk space usage doesn't show in your df
> Their processes don't show on your ps
that's dumb if you use the hacked binaries to check for them
c ya
alvin
- most of the machines nowadays... even if they did get into
my customers' boxes.. they might not be able to run the
programs ... just depends on which rootkit
( usually i get a copy of their attempts to get in
once a year or so .. but it fails to run )
- that's when it gets fun
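The kind of periodic binary check Alvin describes, written out as an added example (this is not code from the thread or from either poster). It keeps a baseline of SHA-256 digests for a set of binaries and reports any that changed or disappeared. The point of the thread is that the check must not rely on the tools a rootkit replaces: the hashes here are computed by Python's own hashlib, not by shelling out to `ls`, `find` or `sha256sum`. The directory, file names and "binaries" in `demo()` are constructed stand-ins for `/bin/ps`, `/bin/ls` and so on.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 65536


def hash_file(path):
    """SHA-256 of a file, computed in-process so no system binary is trusted."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, names):
    """Record the digest of each named file under root.

    In real use the result belongs off-host or on read-only media; a
    baseline the attacker can rewrite detects nothing.
    """
    return {name: hash_file(Path(root) / name) for name in names}


def check_baseline(root, baseline):
    """Compare the current files against the baseline.

    Returns the names that no longer match ("modified") and the names
    that are gone ("missing"), each sorted for stable reporting.
    """
    modified, missing = [], []
    for name, expected in sorted(baseline.items()):
        p = Path(root) / name
        if not p.is_file():
            missing.append(name)
        elif hash_file(p) != expected:
            modified.append(name)
    return {"modified": modified, "missing": missing}


def demo():
    """Constructed scenario: four stand-in binaries, one replaced, one removed."""
    with tempfile.TemporaryDirectory() as root:
        names = ["ls", "ps", "df", "find"]
        for name in names:
            (Path(root) / name).write_bytes(
                b"#!/bin/sh\necho original " + name.encode() + b"\n"
            )
        baseline = build_baseline(root, names)

        # Simulate a trojaned ps (different contents, same name) and a
        # deleted find, then run the hourly check against the baseline.
        (Path(root) / "ps").write_bytes(b"#!/bin/sh\necho replaced ps\n")
        (Path(root) / "find").unlink()
        return check_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Run it and `demo()` reports `ps` as modified and `find` as missing. Scheduling `check_baseline` from cron against a baseline kept off the machine gives the hourly/randomly timed check the post describes; running it from a trojaned shell or against a baseline the intruder can edit does not.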