Detecting root kits?
Jason Stephenson
jason at sigio.com
Mon Jun 23 12:15:19 EDT 2003
Ben Boulanger wrote:
> Then by this logic, -anything- you do, except for pulling the drive and
> mounting it in a system or booting off of a CD is suspect. While the most
> correct way, it's also the most impractical. You can find rootkits on
> systems with a much more minimal effort. Will you find the really good
> hackers? No - but you won't find them if you boot off of a CD either.
Yeppers. Which is why, when I find a compromised box, and I've verified
that it is compromised, I wipe that baby clean. If the person(s)
responsible for the box failed to do backups of important data, well
tough they just lost the data. If it was so important, then they should
have kept the box patched, run backups regularly, and done anything else
required to protect their data.
In general, the boxes that I've seen get compromised are default
installs that were generally set up by the user and then left alone. In
some cases, the admins responsible for the network were told not to
touch the machines, that the users (well, the grad students) would do the
admin duties. Uh, yeah, right. That policy changed just before I left.
Now, this summer, they're looking for another admin, so I may just get
my old job back.
(No, I wasn't fired. Like the dumbass that I am, I quit in order to move
to Massachusetts, where I've not found a regular job in almost a year.
If it weren't for two tiny consulting gigs I've had, I'd be totally
toast. As it is, if I don't get the job in KY, I'm going to start
bartending to pay the bills. Ah, but you don't care about that.)
>
> The short of it is, if you think you're compromised, you probably are.
> Look around and you're sure to find something. Real hackers don't go
> after these kind of boxes - not even as jump points. You're dealing with
> script kiddies and script kiddies tend to not cover tracks well.
Some of them even advertise (to you) that they've cracked you. Check the
binaries with a good copy of strings. A lot of times, you'll find the
kiddie's IRC handle in there. Heh, in one case, a comp'd box was running
bitchx to serve files over IRC. I connected to the channel and started
chatting with the kid from Holland who had compromised the box. It was
fun playing with his mind, telling him that I 0wnz0r'd "his" box and to
prove it, I shut down bitchx, cut his back doors, then hit the power
switch on the machine. (Mwa-ha-ha! You gotta understand after a
frustrating week of dealing with users and finding 4 compromised
machines in a lab that we weren't responsible for originally...well, I
had to let off some steam.)
In another case, we found a compromised box where the person who cracked
it actually installed the update patches to prevent anyone else from
0wnz0r1ng it. I don't think this was a "real" hacker or cracker, but a
script k1d that was a cut above the rest.
Anyway, I was glad to be doing UNIX admin. The Windows admins had their
hands full with Trojans and virii. Of course, we had mail filters, and
virus checkers and all that jazz, and they tried to keep the machines
patched up, but when you have users who'll download any old crap off the
web and run it, what can you do? Wipe and reinstall, and oh by the way,
you did back up the payroll data, didn't you?--BOFH got nothing on me!
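The "check the binaries with a good copy of strings" triage above, written out as an added example (this is not code from the post or the list, and the sample files it scans are constructed). It assumes the suspect disk is mounted read-only under a rescue boot medium at a path you pass in (e.g. /mnt/suspect) and that you have a clean install of the same release to take a baseline manifest from; both paths, the IRC_PATTERN list and the helper names are this example's own choices. It deliberately avoids strings(1) and sha256sum, which may be trojaned on the suspect disk or absent on a rescue CD, and uses only POSIX tr, grep and cksum run from the trusted medium.

```shell
#!/bin/sh
# Added example, not the original post's code: offline triage of a suspect
# root file system from a trusted boot medium. Assumes $suspect_root is the
# read-only mount of the compromised disk and $clean_root a clean install of
# the same release. Byte-wise processing, independent of the user's locale.
LC_ALL=C; export LC_ALL

# Portable stand-in for strings(1): printable runs of four or more characters.
# Run it from the rescue medium, never the copy of strings on the suspect disk.
printable_runs() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
}

# Leftovers that script-kiddie kits and IRC bots typically embed in binaries.
# Assumed list for this example; extend it with handles seen on your own boxes.
IRC_PATTERN='irc\.|PRIVMSG|NICK |JOIN #|#[a-z0-9_]{3,}|6667|bitchx|eggdrop'

# Print "path: matched string" for every IRC-looking string in one file.
scan_file() {
    printable_runs "$1" | grep -iE "$IRC_PATTERN" | while IFS= read -r s; do
        printf '%s: %s\n' "$1" "$s"
    done
}

# Scan every regular file under the given directories (typically bin, sbin,
# usr/bin, usr/sbin and lib under the suspect mount). One line per hit.
scan_tree() {
    for dir in "$@"; do
        find "$dir" -type f 2>/dev/null
    done | while IFS= read -r f; do
        scan_file "$f"
    done
    return 0
}

# Build a manifest of "crc relative/path" lines from a clean install of the
# same packages, so the suspect disk can be compared file by file.
make_manifest() {
    ( cd "$1" && find . -type f | sed 's|^\./||' | sort | while IFS= read -r p; do
        printf '%s %s\n' "$(cksum < "$p" | cut -d' ' -f1)" "$p"
    done )
    return 0
}

# Compare every manifest entry against the suspect mount. Reports files whose
# CRC differs (replaced ls/ps/netstat are the classic rootkit signature) and
# files the intruder removed outright.
check_baseline() {
    manifest=$1; root=$2
    while read -r crc path; do
        [ -z "$path" ] && continue
        if [ ! -f "$root/$path" ]; then
            printf 'MISSING  %s\n' "$path"
        elif [ "$(cksum < "$root/$path" | cut -d' ' -f1)" != "$crc" ]; then
            printf 'MODIFIED %s\n' "$path"
        fi
    done < "$manifest"
    return 0
}

# Whole triage: baseline from the clean box, then diff and string-scan the
# suspect one. Usage: triage /mnt/clean /mnt/suspect
triage() {
    clean_root=$1; suspect_root=$2
    make_manifest "$clean_root" > baseline.txt
    check_baseline baseline.txt "$suspect_root"
    scan_tree "$suspect_root/bin" "$suspect_root/sbin" \
              "$suspect_root/usr/bin" "$suspect_root/usr/sbin" "$suspect_root/lib"
}
```

A CRC from cksum is a corruption check, not a cryptographic one, so treat MODIFIED as a pointer for where to look first, not as proof; a kit that patches a file while preserving its CRC is possible but well beyond the script-kiddie tier the thread is discussing. The string scan is the cheap second pass: a replaced ps or ls that carries a channel name or a handle is exactly the "advertising" the post describes.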
More information about the gnhlug-discuss mailing list