Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-23 Thread Brian Eckman
Jason wrote: OK, so how does the attacker get the ADS to run? If you open something.txt in notepad, it doesn't launch the ADS 'trouble.exe' as an executable file. It's ignored. The easy answer is start a command prompt and type start something.txt:trouble.exe You totally missed my point. If the

Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-23 Thread Gregory A. Gilliss
Sorry, I really hoped that this thread would die but ... This is an excellent solution to the "restore" problem, as is Jumpstart scripts and packages for Slowaris and (perhaps - I haven't tried using it) portupgrade and some scripts for *BSD). Separating the "system" and the "data" definitely cont

Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-23 Thread Jason
Actually, deleting the host file deletes all associated data streams. If a file of the same name is created on the system, the ADS' will not remain: \> echo this is a test > notepad.txt \> echo testing again > notepad.txt:ads \> more < notepad.txt this is a test \> more < notepad.txt:ads testing a

RE: [Full-Disclosure] Removing ShKit Root Kit

2003-12-23 Thread Chris Carlson
e system cannot find the file specified. Just my two cents; carry on. - Chris -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Sent: Monday, December 22, 2003 22:24 To: Schmehl, Paul L Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] Removing ShKit Ro

Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-23 Thread Nathan Bates
Brian Eckman had thus to say: (Mon, Dec 22, 2003 at 04:24:08PM -0600) > OK, so how does the attacker get the ADS to run? If you open > something.txt in notepad, it doesn't launch the ADS 'trouble.exe' as an > executable file. It's ignored. A quick google shows: http://patriot.net/~carv

RE: [Full-Disclosure] Removing ShKit Root Kit

2003-12-23 Thread John . Airey
> -Original Message- > From: Cael Abal [mailto:[EMAIL PROTECTED] > Sent: 23 December 2003 15:08 > To: [EMAIL PROTECTED] > Subject: Re: [Full-Disclosure] Removing ShKit Root Kit > > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > |>> OK, so h

Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-23 Thread Cael Abal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 |>> OK, so how does the attacker get the ADS to run? If you open |>> something.txt in notepad, it doesn't launch the ADS 'trouble.exe' as |>> an executable file. It's ignored. | | The easy answer is start a command prompt and type | | start something.tx

Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-22 Thread Jason
OK, so how does the attacker get the ADS to run? If you open something.txt in notepad, it doesn't launch the ADS 'trouble.exe' as an executable file. It's ignored. The easy answer is start a command prompt and type start something.txt:trouble.exe it does not even have to be tagged .exe or .com

RE: [Full-Disclosure] Removing ShKit Root Kit

2003-12-22 Thread Schmehl, Paul L
> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Brian Eckman > Sent: Monday, December 22, 2003 4:24 PM > To: Nathan Bates > Cc: [EMAIL PROTECTED] > Subject: Re: [Full-Disclosure] Removing ShKit Root Kit > > OK, so

Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-22 Thread Chris
Thanks everyone for replies. I just took on this job for this client, the past security admin did nothing hence there's a rootkit. I don't plan on trying to save the box but it's nice to look at forensic data so I know what to look out for next time. I used the tool examiner to comment the objdump

Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-22 Thread Gregory A. Gilliss
A dissenting view. Okay, you (finally) figured out that your machine has been compromised (and that "finally" is, upon my word, a personal reflection of how seldom anyone is paying attention, but that's another thread). Without question, IMHO, the machine's data cannot be trusted. Back it up (for

Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-22 Thread Ron DuFresne
Hell, if the concern about valid data is nothing, why even restore the OS and all, just allow the hacker unmitigated access from now till they tire, or sell your system access to a pal... > > It always will depend on the situation. Is throwing away a few million > transactions acceptable, when it

Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-22 Thread Alexander Schreiber
> Cc: [EMAIL PROTECTED] > > Subject: Re: [Full-Disclosure] Removing ShKit Root Kit > > > > There is exactly one way to properly clean up a rooted box: > > backup the system (for later analysis and for keeping any > > data that might be needed), wipe the disks and rei

Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-22 Thread Brian Eckman
Nathan Bates wrote: Brian Eckman had thus to say: (Mon, Dec 22, 2003 at 02:12:53PM -0600) [...] For Windows, if it's a backdoor that is named something.txt, well, again, the attacker would have to find a way to rename that file and execute it with appropriate permissions. Again, I imagine that

RE: [Full-Disclosure] Removing ShKit Root Kit

2003-12-22 Thread Nick FitzGerald
"Schmehl, Paul L" to Alexander Schreiber: > > There is exactly one way to properly clean up a rooted box: > > backup the system (for later analysis and for keeping any > > data that might be needed), wipe the disks and reinstall from > > known clean install media, update the system to get all

Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-22 Thread Brian Eckman
Larry W. Cashdollar wrote: On Mon, 22 Dec 2003, Brian Eckman wrote: Schmehl, Paul L wrote: Hmmm. Well, if the execute bit isn't set, then I'd assume it can be considered relatively safe. If the attacker can later find a way to chmod it and then execute it with the privileges needed to make it ha

Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-22 Thread Paul J. Morris
On Mon, 22 Dec 2003 13:52:57 -0600 "Schmehl, Paul L" <[EMAIL PROTECTED]> wrote: > This advice is common, and it's always mystified me. Why would you > want backups of the "data"? Because you may not hold a master copy of the data elsewhere or have made a backup copy yet. There may be data o

Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-22 Thread Gino Thomas
Brian Eckman <[EMAIL PROTECTED]> wrote: > What is a secure environment? If it was a secure environment, the > machine would not have been compromised. Period. As we all know nothing is 100% secure, so it can be compromised whether in a highly secure environment or not. > That might be a threat for thos

Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-22 Thread Larry W. Cashdollar
On Mon, 22 Dec 2003, Brian Eckman wrote: > Schmehl, Paul L wrote: > Hmmm. Well, if the execute bit isn't set, then I'd assume it can be > considered relatively safe. If the attacker can later find a way to > chmod it and then execute it with the privileges needed to make it > harmful, then I ima

Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-22 Thread Nathan Bates
Brian Eckman had thus to say: (Mon, Dec 22, 2003 at 02:12:53PM -0600) [...] > For Windows, if it's a backdoor that is named something.txt, well, > again, the attacker would have to find a way to rename that file and > execute it with appropriate permissions. Again, I imagine that if they > can

Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-22 Thread Gino Thomas
Brian Eckman <[EMAIL PROTECTED]> wrote: > Hmmm. Well, if the execute bit isn't set, then I'd assume it can be > considered relatively safe. If the attacker can later find a way to > chmod it and then execute it with the privileges needed to make it > harmful, then I imagine that they could find

Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-22 Thread Brian Eckman
Schmehl, Paul L wrote: This advice is common, and it's always mystified me. Why would you want backups of the "data"? If the box is compromised, you can't trust *anything* on it, can you? How can you know for certain that "data" isn't a cleverly concealed backdoor? Hmmm. Well, if the execute bi

RE: [Full-Disclosure] Removing ShKit Root Kit

2003-12-22 Thread Schmehl, Paul L
> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Alexander Schreiber > Sent: Monday, December 22, 2003 12:24 AM > To: Chris > Cc: [EMAIL PROTECTED] > Subject: Re: [Full-Disclosure] Removing ShKit Root Kit > > There

Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-22 Thread Ron DuFresne
Unless you have tripwire or some other signature records of the binaries and all conf's for the system, you are best off to wipe and reinstall this system from scratch. Even if you *do* have tripwire and md5 hashes of all files on the system, you most likely will find it quicker to wipe and reins

Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-22 Thread Wesley D Craig
On 22 Dec 2003, at 10:11, nicholas wrote: To avoid this sort of thing in the future, and to help you find out what changed on your box, I'd look into www.lids.org, aide.sf.net, ippersonality.sf.net and bits and pieces of the openwall.com project for server level security (not network/firewall lev

re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-22 Thread nicholas
Can anyone recommend some links or useful information for removing the "ShKit Rootkit". CHKROOTKIT detected this thing on a RedHat 8.0 server owned by a client of mine. "Searching for ShKit rootkit default files and dirs... Possible ShKit rootkit installed" <== chkrootkit output I have only read

Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-22 Thread nicholas
>Can anyone recommend some links or useful information for removing the >"ShKit Rootkit". CHKROOTKIT detected this thing on a RedHat 8.0 server >owned by a client of mine. > >"Searching for ShKit rootkit default files and dirs... Possible ShKit >rootkit installed" <== chkrootkit output > >I have on

Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-22 Thread Alexander Schreiber
On Sun, Dec 21, 2003 at 07:28:55PM -0500, Chris wrote: > Can anyone recommend some links or useful information for removing the > "ShKit Rootkit". CHKROOTKIT detected this thing on a RedHat 8.0 server > owned by a client of mine. > > "Searching for ShKit rootkit default files and dirs... Possibl

Re: [Full-Disclosure] Removing ShKit Root Kit

2003-12-21 Thread Cael Abal
Chris wrote: > Can anyone recommend some links or useful information for removing > the "ShKit Rootkit". CHKROOTKIT detected this thing on a RedHat > 8.0 server owned by a client of mine. > > "Searching for ShKit rootkit default files and dirs... Possible > ShKit rootkit installed" <== chkrootkit o

[Full-Disclosure] Removing ShKit Root Kit

2003-12-21 Thread Chris
Can anyone recommend some links or useful information for removing the "ShKit Rootkit". CHKROOTKIT detected this thing on a RedHat 8.0 server owned by a client of mine. "Searching for ShKit rootkit default files and dirs... Possible ShKit rootkit installed" <== chkrootkit output I have only re