Re: DHCP - rootkit
hi ya noah
On Tue, 29 Oct 2002, Noah L. Meyerhans wrote:
> On Tue, Oct 29, 2002 at 04:12:54PM -0800, Alvin Oga wrote:
> > i say modifying files is a give away .. that says
> > "come find me" .... which is trivial since it's modified
> > binaries
>
> If they do it right, it's not a giveaway. If they're quick, thorough,
> and accurate, they can certainly do it right. On the other hand, I've
if they do get in... i wanna know within a second (wishfully) that they
got in ( an email is sent elsewhere of who/where they came from )
- then if i am online ... i got um in the act ...
i've done "rm their_code.c" while they are in the machine ...
makes um wonder.... :-) and move files around on them .. :-)
am not as worried about the determined hackers/crackers that
can modify binaries such that md5sum matches my tripwire db and
other security precautions (databases and baseline) of my servers
- if they do come visiting ... we've got a serious problem
and my clients aren't banks ( literally/figuratively )
i just want to make 90-95% of the attempts fail from the script kiddies
and local wanna-be admins that go around changing the lan network,
config files, topology, passwds etc
- 80-90% of all these attempts are users trying to bypass
corp security policy
- or just playing .. tripping all the alarms in the process
of testing/learning what they can do
- and they very quickly find dhcp is disallowed :-)
and they can't send email that dhcp doesn't work :-)
and they can't randomly or add +1 to their current assigned ip#
to get online
- always leave an easy guinea pig ( decoys ) for them to play with ...
c ya
alvin
> seen cracked Solaris boxes on which the rootkit installed a patched
> version of GNU's ls in place of the default ls. That was a pretty
> obvious giveaway.
>
> The thing with rootkits is that they're pretty target-specific. They're
> not usually robust enough to be installed on a different Linux
> distribution or even a different version of the intended target distro.
> Rootkits aren't what I usually worry about; It's the determined,
> knowledgeable attackers that I don't like. Fortunately there aren't as
> many of them to worry about.
>
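The thread turns on whether a modified binary is a "giveaway", i.e. whether a file-integrity baseline (the tripwire db Alvin mentions) catches it. The following is an added example, not code from either poster: a minimal tripwire-style checker that records a SHA-256 digest plus size, permission bits and mtime for every regular file under a directory, then diffs a fresh scan against the stored baseline. The `demo()` function builds a throwaway directory with constructed sample files to show the report shape; file names like `ls`, `ps` and `ssh` in it are just placeholders, not real binaries.

```python
"""Tripwire-style file integrity baseline (added example, not the thread's own code).

Record a content hash plus metadata for every regular file under a root,
then report what was added, removed or modified since the baseline.
"""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    digest: str    # SHA-256 hex digest of the file contents
    size: int      # size in bytes
    mode: int      # permission bits only (stat.S_IMODE)
    mtime_ns: int  # last-modification time in nanoseconds


def hash_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict[str, FileRecord]:
    """Walk root and record every regular file, keyed by path relative to root."""
    baseline: dict[str, FileRecord] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, device nodes
            rel = os.path.relpath(full, root)
            baseline[rel] = FileRecord(
                digest=hash_file(full),
                size=st.st_size,
                mode=stat.S_IMODE(st.st_mode),
                mtime_ns=st.st_mtime_ns,
            )
    return baseline


def compare(old: dict[str, FileRecord], new: dict[str, FileRecord]) -> dict[str, list[str]]:
    """Diff two baselines. 'modified' entries name the field(s) that differ."""
    report: dict[str, list[str]] = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        elif old[rel] != new[rel]:
            changed = [f for f in ("digest", "size", "mode", "mtime_ns")
                       if getattr(old[rel], f) != getattr(new[rel], f)]
            report["modified"].append(f"{rel} ({', '.join(changed)})")
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, then swap one file, add one, delete one."""
    root = tempfile.mkdtemp(prefix="baseline-demo-")

    def write(name: str, data: bytes) -> None:
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)

    write("ls", b"original")   # placeholder content, same length as the replacement
    write("ps", b"ps")
    baseline = build_baseline(root)

    write("ls", b"trojaned")   # same size, different contents: only the digest catches it
    write("ssh", b"x")         # new file appears
    os.remove(os.path.join(root, "ps"))
    return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The `ls` case in `demo()` is the interesting one: the replacement has the same size, so only the digest flags it, which is why a baseline has to store a strong hash rather than just metadata. The flip side is Alvin's point about the determined attacker: a baseline stored writable on the same host is no better than the binaries it protects, so the database (and the checker itself) belongs on read-only media or another machine, and the scan should be run from a trusted userland rather than the possibly-patched one on the box.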