
Re: DHCP - rootkit



hi ya dale

> 
> Rootkits are *INSTALLED* after a successful root 
> exploit.

maybe i'm missing something here ... that i've been wondering about
for years..

if they exploited a root vulnerability and got in...
why modify silly binaries like ps, top, ls, find, etc ??

that gives themselves away as having modified the system

if they quietly do what they do, like run irc chat
or spam bomb just a few a day ... nobody might notice ???
( until sleepy admin watches the logs or sees what's running
	- erasing the logs is a dead giveaway you got a problem
	( that something happened ) )

there's more alarms going off when things are modified
on a normal box ??

if only irc ran ... it might be overlooked till the load
on the box is too high ??
	- changing/trojaning all the binaries will
	definitely give yourself away

- either way... to trojan the binaries or not .. either way
  the sleepy admin won't notice...

- sharp ones will catch it within a few minutes/hours...
  or not happen (not exploited) at all ..


-- guess i would do a "minimum disturbance" if i got into 
   somebody's box and wanted to use their resources
	as opposed to tripping over "everything"

c ya
alvin


