Detecting rootkits?
Ben Boulanger
ben at blackavar.com
Mon Jun 23 13:23:23 EDT 2003
On Mon, 23 Jun 2003, Chris Brenton wrote:
> If you are wondering just how evil these kits can be, some further reading:
> http://www.sans.org/resources/idfaq/knark.php
>
> Note that knark can render MD5 and other checks useless while its loaded
> in the kernel.
There's far worse than that in the wild. At the last company I worked
for, I was the security guy. Someone asked me to come over and look at
one of their boxes - it was acting a little strange. Long story short, we
found that the attacker (you're right, Kevin! Apologies.) had tacked up a
GRE tunnel using IPv6 addresses between his box and this person's. He was
essentially outsourcing content on his website to a massive network of
compromised machines. Very intricate... and interesting.
Ben
--
Judge not the horse by his saddle.
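A tunnel like the one Ben describes shows up on the wire as IPv6 packets whose next-header field is 47 (GRE), whatever the host itself claims about its interfaces. The script below is an added example, not code from the list or from any poster: it builds a few constructed packets, then scans them for GRE-over-IPv6 and decodes the GRE header (RFC 2784/2890 flags, protocol type, optional key). It assumes raw IPv6 frames with no extension headers, which is enough for a first-pass sweep of a capture; the addresses, key and payloads are made up. Run the scan from a separate capture box or a span port: a kernel-resident rootkit such as knark can hide the tunnel interface from the compromised host's own tools, but it cannot hide the packets from a neighbour.

```python
"""Spot GRE tunnels carried over IPv6 in raw packets (added example, constructed data)."""
import ipaddress
import struct

IPPROTO_GRE = 47          # IPv6 next-header / IPv4 protocol number for GRE
IPPROTO_TCP = 6
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" values reuse EtherTypes

GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQ = 0x1000


def build_ipv6(src, dst, next_header, payload):
    """Minimal IPv6 packet: fixed 40-byte header, no extension headers (constructed)."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + payload


def build_gre(protocol_type, inner, key=None):
    """GRE header per RFC 2784, with the RFC 2890 key field when a key is given."""
    flags = GRE_FLAG_KEY if key is not None else 0
    hdr = struct.pack("!HH", flags, protocol_type)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + inner


def parse_ipv6_gre(pkt):
    """Return a dict describing the tunnel if pkt is IPv6 carrying GRE, else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    if pkt[6] != IPPROTO_GRE:           # byte 6 of the IPv6 header is next-header
        return None
    gre = pkt[40:]
    if len(gre) < 4:
        return None
    flags, protocol_type = struct.unpack("!HH", gre[:4])
    offset = 4
    hit = {
        "src": ipaddress.IPv6Address(pkt[8:24]).compressed,
        "dst": ipaddress.IPv6Address(pkt[24:40]).compressed,
        "protocol_type": protocol_type,
        "key": None,
    }
    if flags & GRE_FLAG_CHECKSUM:       # checksum + reserved1: 4 bytes
        offset += 4
    if flags & GRE_FLAG_KEY:            # 32-bit key identifies the tunnel
        hit["key"] = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_SEQ:            # sequence number: 4 bytes
        offset += 4
    hit["inner_len"] = len(gre) - offset
    return hit


def find_gre_tunnels(packets):
    """Scan an iterable of raw packets and return every GRE-over-IPv6 hit."""
    return [h for h in map(parse_ipv6_gre, packets) if h is not None]


# Constructed sample traffic: one tunnel packet (hypothetical 2001:db8:: hosts,
# made-up key 0x1234) wrapping a dummy 20-byte IPv4 header, plus two benign packets.
_INNER_IPV4 = b"\x45\x00\x00\x14" + b"\x00" * 16
SAMPLE_PACKETS = [
    build_ipv6("2001:db8::1", "2001:db8::2", IPPROTO_GRE,
               build_gre(ETHERTYPE_IPV4, _INNER_IPV4, key=0x1234)),
    build_ipv6("2001:db8::1", "2001:db8::3", IPPROTO_TCP, b"\x00" * 20),
    b"\x45\x00\x00\x28" + b"\x00" * 36,  # plain IPv4 packet, ignored by the scan
]

if __name__ == "__main__":
    for hit in find_gre_tunnels(SAMPLE_PACKETS):
        print("GRE over IPv6: %(src)s -> %(dst)s, inner proto 0x%(protocol_type)04x, "
              "key %(key)s, %(inner_len)d inner bytes" % hit)
```

The check is deliberately narrow: it keys on the next-header value rather than on port numbers or interface names, because GRE has no port and the interface is exactly what a rootkit would hide. Extending it to walk IPv6 extension headers, or to feed it frames from a pcap reader, is straightforward once the 47 test is in place.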