
Re: how to fix rootkit?



Reading memory after turning off? Is there an easy way to do it?

When I said "your own binaries", I meant "get fresh copies of the binaries
and use them on the system from a USB stick or something like that. Do not use
the compromised system's binaries". That's it. ;-)

BR,

Fernando Mercês
Linux Registered User #432779
www.mentebinaria.com.br
softwarelivre-rj.org
@MenteBinaria
------------------------------------
II Hack'n Rio - 23 and 24/11
                 hacknrio.org
------------------------------------



On Wed, Feb 8, 2012 at 2:55 PM, Michael Stummvoll <michael@stummi.org> wrote:
> On 08.02.2012 17:03, Fernando Mercês wrote:
>> Humm... you're all right, dumping before reboot is much better.
>>
>> Another tip: dump with your own dd/rsync binary copies. Remember: you
>> cannot trust this system.
>>
>> You can also capture some network traffic and general volatile data
>> (memory) before reboot.
>>
> Strictly speaking, you either cannot trust that you are calling your own binary copies then, or that they work as expected on a rootkitted machine.
>
> Another way would be hard-powering off the machine. You have a small risk of getting an inconsistent filesystem or swap then, but you have a "frozen" version of your rootkitted system as it was while running.
> But you may not get at the content of your RAM that way, unless you can use forensic tools or similar for reading the memory after turning off.
>
> Kind Regards,
> Michael
>
>
> --
> Archive: http://lists.debian.org/4F32A8E5.1060806@stummi.org
>
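The acquisition step the thread describes (dump with your own dd copy from a stick, since the system's binaries cannot be trusted), as an added example that is not code from the thread: a POSIX shell script that calls dd and sha256sum only from a USB mount, refuses to run unless they match a hash manifest built on a known-good machine, and records the hash of each image. The paths /media/usb/bin and /media/usb/evidence, the MANIFEST file name and the RUN_ACQUIRE guard are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout of the USB stick:
#   $TRUSTED_BIN   statically linked dd and sha256sum copied from a clean host
#   $TRUSTED_BIN/MANIFEST   "<sha256>  <name>" lines, generated on that host
#   $EVIDENCE_DIR  where images and their hashes are written
# Binaries are always called by absolute path so the compromised PATH is
# never searched. Caveat from the thread: a kernel-level rootkit can still
# lie to these tools, so the image is evidence, not proof.
TRUSTED_BIN="${TRUSTED_BIN:-/media/usb/bin}"
EVIDENCE_DIR="${EVIDENCE_DIR:-/media/usb/evidence}"

# Compare one tool on the stick with the offline manifest. Fails if the tool
# is not listed or its hash differs (the stick's own sha256sum is the anchor).
verify_tool() {
    tool="$1"; expected=""
    while read -r h n; do
        [ "$n" = "$tool" ] && expected="$h"
    done < "$TRUSTED_BIN/MANIFEST"
    [ -n "$expected" ] || return 1
    actual=$("$TRUSTED_BIN/sha256sum" "$TRUSTED_BIN/$tool") || return 1
    actual="${actual%% *}"
    [ "$expected" = "$actual" ]
}

# Image a block device (or any file) into EVIDENCE_DIR, record the image hash
# beside it, and print the hash so it can be logged off-box immediately.
# 64 KiB blocks with conv=noerror,sync keep going past unreadable sectors.
acquire_image() {
    src="$1"; name="$2"; out="$EVIDENCE_DIR/$name.img"
    [ -d "$EVIDENCE_DIR" ] || return 1
    "$TRUSTED_BIN/dd" if="$src" of="$out" bs=65536 conv=noerror,sync 2>/dev/null || return 1
    h=$("$TRUSTED_BIN/sha256sum" "$out") || return 1
    h="${h%% *}"
    printf '%s  %s.img\n' "$h" "$name" > "$EVIDENCE_DIR/$name.sha256"
    printf '%s\n' "$h"
}

# Refuse to run at all unless every tool we rely on matches the manifest.
main() {
    for t in dd sha256sum; do
        verify_tool "$t" || { echo "untrusted or missing tool: $t" >&2; return 1; }
    done
    acquire_image "${1:?usage: RUN_ACQUIRE=1 $0 /dev/sdX name}" "${2:-disk0}"
}

# Only image when explicitly asked, so sourcing the file is harmless.
if [ "${RUN_ACQUIRE:-0}" = 1 ]; then main "$@"; fi
```

Copy the printed hash somewhere off the machine straight away; a hash that only lives on the suspect host is worth little.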

