
Re: DHCP - rootkit



On Tue, Oct 29, 2002 at 03:28:20PM -0800, Alvin Oga wrote:
> if they exploited a root vulnerability and got in...
> why modify silly binaries like ps, top, ls, find, etc ??
> 
> that gives themself away as having modified the system

No it doesn't. It makes them and everything they do vanish
into thin air as if they weren't there. They can log into
your computer, create files, run a Warez and you can sit on
your remote terminal blithely unaware because nothing you
do will show you anything they are doing.

Their files don't show in your ls
Their disk space usage doesn't show in your df
Their processes don't show on your ps

The attack script, if it is a good one, will not only
crack root, it will install the root kit and clean up
signs of the entry.

Their actions are only visible for a matter of
minutes or more likely seconds.

A successful attack can be detected by a good admin,
often by anomalous traffic on the LAN, or by comparison
with tripwire files (with the comparison done off line
by booting from a CD to run the checks against a
tripwire db that was also off line).

It is also the case that a lot of exploit scripts are
much less than perfect and will leave some evidence.

I have a few other forensic tricks for checking but I 
won't share them with strangers :-)

-- 
------------------------------------------------------
    Nuke bin Laden:           Dale Amon, CEO/MD
  improve the global          Islandone Society
     gene pool.               www.islandone.org
------------------------------------------------------
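As an added illustration of the off-line comparison described in the message above (this is not code from the thread or from tripwire), here is a minimal integrity check: hash the binaries a rootkit typically replaces, keep the digests off-line as the baseline, and later diff a fresh snapshot against them. The watched paths and file contents are constructed for the demo; the check is only as trustworthy as the environment that runs it, which is why the message insists on booting from a CD.

```python
import hashlib
import os
import tempfile

# Binaries named in the thread as typical rootkit replacement targets (constructed list).
WATCHED = ["bin/ls", "bin/ps", "bin/df", "bin/find", "usr/bin/top"]

def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries are handled cheaply."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root, relpaths):
    """Map each watched relative path to its digest; a missing file maps to None."""
    out = {}
    for rel in relpaths:
        full = os.path.join(root, rel)
        out[rel] = file_digest(full) if os.path.isfile(full) else None
    return out

def compare(baseline, current):
    """Report which watched paths changed, disappeared or appeared since the baseline."""
    report = {"modified": [], "missing": [], "new": []}
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before == after:
            continue  # unchanged, or absent in both snapshots
        if before is None:
            report["new"].append(rel)
        elif after is None:
            report["missing"].append(rel)
        else:
            report["modified"].append(rel)
    return report

def demo():
    """Constructed scenario: a clean tree, then 'ps' is trojaned and 'find' removed."""
    with tempfile.TemporaryDirectory() as root:
        for rel in WATCHED:
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(b"original " + rel.encode())
        baseline = snapshot(root, WATCHED)  # this is what would live on the off-line db
        with open(os.path.join(root, "bin/ps"), "wb") as f:
            f.write(b"replaced ps")
        os.remove(os.path.join(root, "bin/find"))
        return compare(baseline, snapshot(root, WATCHED))
```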
