
Re: DHCP - rootkit



hi ya noah

On Tue, 29 Oct 2002, Noah L. Meyerhans wrote:

> On Tue, Oct 29, 2002 at 04:12:54PM -0800, Alvin Oga wrote:
> > i say modifying files is a give away .. that says 
> > "come find me" .... which is trivial since its modified
> > binaries
> 
> If they do it right, it's not a giveaway.  If they're quick, thorough,
> and accurate, they can certainly do it right.  On the other hand, I've

if they do get in... i wanna know within a second (wishfully) that they
got in ( an email is sent elsewhere of who/where they came from )
	- then if i am online ... i got um in the act ...

	i've done  "rm their_code.c" while they are in the machine ...
	makes um wonder.... :-)  and move files around on them .. :-)

am not as worried about the determined hacker/crackers that 
can modify binaries such that md5sum matches my tripwire db and
other security precautions (databases and baseline) of my servers
	- if they do come visiting ... we've got a serious problem
	and my clients aren't banks ( literally/figuratively )

i just want to make 90-95% of the attempts fail from the script kiddies
and local wanna be admins that go around changing the lan network,
config files, topology, passwds etc
	- 80-90% of all these attempts are users trying to bypass
	corp security policy

	- or just playing .. tripping all the alarms in the process
	of testing/learning what they can do

- and they very quickly find dhcp is disallowed :-)
	and they can't send email that dhcp doesn't work :-)
	and they can't randomly or add +1 to their current assigned ip#
	to get online

- always leave an easy guinea pig ( decoys ) for them to play with ...

c ya
alvin

> seen cracked Solaris boxes on which the rootkit installed a patched
> version of GNU's ls in place of the default ls.  That was a pretty
> obvious giveaway.
> 
> The thing with rootkits is that they're pretty target-specific.  They're
> not usually robust enough to be installed on a different Linux
> distribution or even a different version of the intended target distro.
> Rootkits aren't what I usually worry about; it's the determined,
> knowledgeable attackers that I don't like.  Fortunately there aren't as
> many of them to worry about.
> 
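The thread's baseline/tripwire point, as an added example that is not code from either poster: a minimal integrity check that records several attributes per file (content hash, size, mode, owner), so a binary replaced in place is flagged even when the replacement keeps the original size, and a permission change is flagged even when the content hash still matches. The files, paths and scenario are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile


def fingerprint(path):
    """Collect the attributes a baseline should cover, not just one checksum."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}


def build_baseline(paths):
    """Baseline dict keyed by path; in practice store this off the host, read-only."""
    return {p: fingerprint(p) for p in paths}


def check_baseline(baseline):
    """Return (path, reason) for every file that is missing or differs from baseline."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.lexists(path):
            findings.append((path, "missing"))
            continue
        current = fingerprint(path)
        changed = sorted(k for k in expected if expected[k] != current[k])
        if changed:
            findings.append((path, "changed:" + ",".join(changed)))
    return findings


def demo():
    """Constructed scenario: baseline a fake 'ls', then swap it for a same-size replacement."""
    with tempfile.TemporaryDirectory() as d:
        ls = os.path.join(d, "ls")
        extra = os.path.join(d, "their_code.c")
        with open(ls, "wb") as f:
            f.write(b"#!/bin/sh\necho original\n")
        os.chmod(ls, 0o755)
        open(extra, "wb").close()
        baseline = build_baseline([ls, extra])
        with open(ls, "wb") as f:          # same length, different bytes
            f.write(b"#!/bin/sh\necho hijacked\n")
        os.chmod(ls, 0o775)               # now group-writable as well
        os.remove(extra)                  # the file the poster deleted on the intruder
        return [reason for _, reason in check_baseline(baseline)]
```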


