Re: DHCP - rootkit
On Fri, 01 Nov 2002 at 06:41:43PM -0400, Peter Cordes wrote:
> MD5 is still believed to be secure. i.e. Nobody can modify a binary so
> that it has different contents but the same MD5 hash, unless they are _very_
> _very_ lucky. The task becomes even more difficult if you check the length
> of the file as well as the hash.

    if (filename == MYHACKEDFILE) {
        cout << "WHATEVERIEXPECTTHEMD5SUMTOBE";
    }

AFA file length go... the kernel source is available and I am sure you
could re-write that also...

--
Phil
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #239: IRQ-problems with the Un-Interruptable-Power-Supply
Re: DHCP - rootkit
On Tue, Oct 29, 2002 at 05:10:12PM -0800, Alvin Oga wrote:
> am not as worried about the determined hacker/crackers that
> can modify binaries such that md5sum matches my tripwire db and
> other security precautions (databases and baseline) of my servers

MD5 is still believed to be secure. i.e. Nobody can modify a binary so
that it has different contents but the same MD5 hash, unless they are _very_
_very_ lucky. The task becomes even more difficult if you check the length
of the file as well as the hash.

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack my day
so wretchedly into small pieces!" -- Plautus, 200 BC
Re: DHCP - rootkit
hi ya noah

On Tue, 29 Oct 2002, Noah L. Meyerhans wrote:
> On Tue, Oct 29, 2002 at 04:12:54PM -0800, Alvin Oga wrote:
> > i say modifying files is a give away .. that says
> > "come find me" which is trivial since its modified
> > binaries
>
> If they do it right, it's not a giveaway. If they're quick, thorough,
> and accurate, they can certainly do it right. On the other hand, I've

if they do get in... i wanna know within a second (wishfully) that
they got in ( an email is sent elsewhere of who/where they came from )
- then if i am online ... i got um in the act ...
i've done "rm their_code.c" while they are in the machine ... makes um wonder :-)
and move files around on them .. :-)

am not as worried about the determined hacker/crackers that
can modify binaries such that md5sum matches my tripwire db and
other security precautions (databases and baseline) of my servers
- if they do come visiting ... we've got a serious problem
and my clients aren't banks ( literally/figuratively )

i just want to make 90-95% of the attempts fail from the script kiddies
and local wanna be admins that goes around changing the lan network,
config files, topology, passwds etc
- 80-90% of all these attempts are users trying to bypass corp security policy
- or just playing .. tripping all the alarms in the process of testing/learning
what they can do
- and they very quickly find dhcp is disallowed :-)
and they cant send email that dhcp doesnt work :-)
and they cant randomly or add +1 to their current assigned ip# to get online
- always leave an easy guinea pig ( decoys ) for them to play with ...

c ya
alvin

> seen cracked Solaris boxes on which the rootkit installed a patched
> version of GNU's ls in place of the default ls. That was a pretty
> obvious giveaway.
>
> The thing with rootkits is that they're pretty target-specific. They're
> not usually robust enough to be installed on a different Linux
> distribution or even a different version of the intended target distro.
> Rootkits aren't what I usually worry about; it's the determined,
> knowledgeable attackers that I don't like. Fortunately there aren't as
> many of them to worry about.
>
Re: DHCP - rootkit
On Tue, Oct 29, 2002 at 04:12:54PM -0800, Alvin Oga wrote:
> i say modifying files is a give away .. that says
> "come find me" which is trivial since its modified
> binaries

If they do it right, it's not a giveaway. If they're quick, thorough,
and accurate, they can certainly do it right. On the other hand, I've
seen cracked Solaris boxes on which the rootkit installed a patched
version of GNU's ls in place of the default ls. That was a pretty
obvious giveaway.

The thing with rootkits is that they're pretty target-specific. They're
not usually robust enough to be installed on a different Linux
distribution or even a different version of the intended target distro.
Rootkits aren't what I usually worry about; it's the determined,
knowledgeable attackers that I don't like. Fortunately there aren't as
many of them to worry about.

noah

--
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: DHCP - rootkit
hi ya dale

if anybody modifies the typical binaries.. i'll know within the hour..
hourly/randomly system checks or instantaneously if i happen to be
reading emails at the time ... they are attacking...

i say modifying files is a give away .. that says
"come find me" which is trivial since its modified
binaries

see below

On Wed, 30 Oct 2002, Dale Amon wrote:
> On Tue, Oct 29, 2002 at 03:28:20PM -0800, Alvin Oga wrote:
> > if they exploited a root vulnerability and got in...
> > why modify silly binaries like ps, top, ls, find, etf ??
> >
> > that gives themself away as having modified the system
>
> No it doesn't. It makes them and everything they do vanish
> into thin air as if they weren't there. They can log into
> your computer, create files, run a Warez and you can sit on
> your remote terminal blithely unaware because nothing you
> do will show you anything they are doing.
>
> Their files don't show in your ls
> Their disk space usage doesn't show in your df
> Their processes don't show on your ps

thats dumb if you use the hacked binaries to check for them

c ya
alvin

- most of the machines now days... even if they did get into my
customers boxes.. they might not be able to run the programs ...
just depends on which rootkit
( usually i get a copy of their attempts to get in ( once a year or so
..but it fails to run .. - thats when it gets fun
Re: DHCP - rootkit
On Tue, Oct 29, 2002 at 03:28:20PM -0800, Alvin Oga wrote:
> if they exploited a root vulnerability and got in...
> why modify silly binaries like ps, top, ls, find, etf ??
>
> that gives themself away as having modified the system

No it doesn't. It makes them and everything they do vanish
into thin air as if they weren't there. They can log into
your computer, create files, run a Warez and you can sit on
your remote terminal blithely unaware because nothing you
do will show you anything they are doing.

Their files don't show in your ls
Their disk space usage doesn't show in your df
Their processes don't show on your ps

The attack script, if it is a good one, will not only crack
root, it will install the root kit and clean up signs of the
entry. Their actions are only visible for a matter of minutes
or more likely seconds.

A successful attack can be detected by a good admin, often by
anomalous traffic on the LAN, or by comparison with tripwire
files (with the comparison done off line by booting from a CD
to run the checks against a tripwire db that was also off line).
It is also the case that a lot of exploit scripts are much less
than perfect and will leave some evidence. I have a few other
forensic tricks for checking but I won't share them with
strangers :-)

--
Nuke bin Laden:        Dale Amon, CEO/MD
improve the global     Islandone Society
gene pool.             www.islandone.org
--
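The offline tripwire-style comparison Dale describes, combined with Peter's point about checking file length as well as the hash, as an added example that is not from any poster in this thread: a baseline of size, MD5 and SHA-256 per file computed in-process with Python's hashlib (so it never calls the host's own md5sum, which Phil's snippet shows can simply lie), written to a JSON database meant to live off the box, and a verify pass that reports which fields changed. The tool names, file contents and the tampering scenario in demo() are constructed for illustration.

```python
import hashlib
import io
import json
import os
import tempfile

def _digest(stream, chunk=65536):
    """Size, MD5 and SHA-256 of a byte stream, computed in-process with
    hashlib rather than by running the host's (possibly trojaned) md5sum."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    for block in iter(lambda: stream.read(chunk), b""):
        md5.update(block)
        sha.update(block)
        size += len(block)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha.hexdigest()}

def fingerprint(path):
    with open(path, "rb") as f:
        return _digest(f)

def fingerprint_bytes(data):
    return _digest(io.BytesIO(data))

def build_baseline(paths):
    """Fingerprint every path; the result is the database to keep off the box."""
    return {p: fingerprint(p) for p in paths}

def save_baseline(baseline, db_path):
    with open(db_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)

def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)

def verify(baseline):
    """Return {path: [fields that differ]}; an empty dict means nothing changed.
    Size is cheap and catches sloppy replacements, but a same-length patch
    only shows up in the digests, so all three fields are compared."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            findings[path] = ["missing"]
            continue
        actual = fingerprint(path)
        diffs = [k for k in ("size", "md5", "sha256") if actual[k] != expected[k]]
        if diffs:
            findings[path] = diffs
    return findings

def demo():
    """Constructed scenario (fake files, not real binaries): three tools are
    baselined, then one is patched in place at the same length, one grows,
    and one is deleted."""
    root = tempfile.mkdtemp()
    files = {}
    for name, body in (("ls", b"ORIGINAL ls " * 64),
                       ("ps", b"ORIGINAL ps " * 64),
                       ("netstat", b"ORIGINAL netstat " * 32)):
        files[name] = os.path.join(root, name)
        with open(files[name], "wb") as f:
            f.write(body)
    db = os.path.join(root, "baseline.json")  # stand-in for the offline copy
    save_baseline(build_baseline(files.values()), db)
    clean = verify(load_baseline(db))          # untouched files: no findings

    with open(files["ps"], "r+b") as f:        # same-length patch (12 bytes over 12)
        f.write(b"TROJANED ps ")
    with open(files["ls"], "ab") as f:         # longer replacement
        f.write(b"\x90" * 100)
    os.remove(files["netstat"])
    tampered = verify(load_baseline(db))
    return {"clean": clean,
            "tampered": {os.path.basename(p): v for p, v in tampered.items()}}
```

As the thread says, both the baseline and the checker only mean something when run from a boot CD or other trusted environment; a database read from the compromised host's own disk can be rewritten along with the binaries.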
Re: DHCP - rootkit
hi ya dale

> > Rootkits are *INSTALLED* after a successful root
> > exploit.

maybe i missing something here ... that i been wondering about for years..

if they exploited a root vulnerability and got in...
why modify silly binaries like ps, top, ls, find, etf ??

that gives themself away as having modified the system

if they quietly do what they do, like run irc chat or spam bomb
just a few a day ... nobody might notice ???
( until sleepy admin watch the logs or see whats running
- erasing the logs is a dead give away you got a problem
( that something happened

there's more alarms going off when things are modified on a normal box ??

if only irc ran ... it might be overlooked till the load on the box is too high ??
- changing/trojaning all the binaries will definitely give yourself away
- either way... to trojan the binaries or not .. either way the sleepy
admin wont notice...
- sharp ones will catch it within a few minutes/hours... or not happen
(not exploited) at all ..
--
guess i would do a "minimum disturbance" if i got into somebodys box
and wanted to use their resources as opposed to tripping over "everything"

c ya
alvin
Re: DHCP - rootkit
A rootkit is a selection of modified standard programs that usually
replace (among others) ls, ps, netstat, users and pretty much everything
else you would use to check your machine. It will also include a backdoor.
Sometimes the primary part of the rootkit is either a module or a complete
replacement of the kernel with one that does not respond to the normal
users (root) with any info about the new owner.

Rootkits are *INSTALLED* after a successful root exploit.
Re: DHCP - rootkit
hi ya rick

yes... got that part ... ( the after breaking in part )

was expecting to see "it helps one to breakin and exploit the vulnerabilities"
so it didn't sink in at first when i was reading all the talk-backs
( didnt see what i wanted to see ;-)

thanx
alvin

On Mon, 28 Oct 2002, Rick Moen wrote:
> Quoting Alvin Oga ([EMAIL PROTECTED]):
>
> > i read all the talkbacks...
> > - no definition of rootkit posted in the talkbacks
>
> Look again.
>
> Anyhow, a rootkit is not "anything that allows an un-educated user to
> just run that tool to break into other peoples network and machines".
> It's something the intruder uses _after_ breaking in.
>
Re: DHCP - rootkit
Quoting Alvin Oga ([EMAIL PROTECTED]):

> i read all the talkbacks...
> - no definition of rootkit posted in the talkbacks

Look again.

Anyhow, a rootkit is not "anything that allows an un-educated user to
just run that tool to break into other peoples network and machines".
It's something the intruder uses _after_ breaking in.

--
Cheers,              "Learning Java has been a slow and tortuous process for me. Every
Rick Moen            few minutes, I start screaming 'No, you fools!' and have to go
[EMAIL PROTECTED]    read something from _Structure and Interpretation of Computer
                     Programs_ to de-stress."  -- The Cube, www.forum3000.org
Re: DHCP - rootkit
hi ya rick

On Mon, 28 Oct 2002, Rick Moen wrote:
> Quoting Alvin Oga ([EMAIL PROTECTED]):
>
> >> Um, Alvin? You might want to look up the definition of "rootkit".
> >
> > my definition ... anything that allows an un-educated user to just
> > run that tool to break into other peoples network and machines
> > ( there's too many "rootkits" to count )
>
> That's just not what a rootkit is. Sorry.

like i said ... that was my definition in 1 minute...

if you like a more formal definition of "rootkit" ...
http://whatis.techtarget.com/definition/0,289893,sid9_gci547279,00.html

> >> This confusion has also come up elsewhere, on LinuxToday:
> >> http://linuxtoday.com/news_story.php3?ltsn=2002-09-20-011-26-SC-SV
> >
> > that just talks about arresting some poor soul ??
>
> Read the talkbacks, at the bottom.

i read all the talkbacks...
- no definition of rootkit posted in the talkbacks
- mostly the same arguments ( reformat or figure out what happened
arguments after ( being kitted
- reformatting or reinstalling etc is bad ... in my book

> >>> - spoofing and other techie stuff requires one more year of school
> >>
> >> Setting a fake MAC address requires nothing more than reading the
> >> ifconfig manpage. Acquiring one to "borrow" requires nothing more than
> >> running tcpdump or equivalent.
> >
> > yes... but setting up a fake mac address and few additional things
> > to do is the next level above the ordinary "tom-dick-harry" that
> > receives a rootkit via email, clicks it and now gets to attack
> > any machine susceptible to that rootkit
>
> 1. That's not what a rootkit does.

okay ... i agree ... use "hacking tools or script kiddie tools" in its place
or any other preferred word of choice

> 2. The sophistication required to read an ifconfig manpage is mighty
> low.

yup ... but still 1 level higher than all the "click on anything" script kiddies

have fun
alvin