Re: [SLUG] LKM rootkits

From: Derek Glidden (dglidden@illusionary.com)
Date: Wed Feb 26 2003 - 15:57:15 EST


On Wed, 2003-02-26 at 15:36, Kai Lien wrote:
>
> One of our boxes got hacked two nights ago. I believe it was LKM and
> chkrootkit agrees also. I suspected that the cracker was using port 443
> (https) to access the box since nmap from another box did not show any
> suspicious ports. I believe the cracker had used a bindtty.c utility to
> get a telnet prompt on tty1 using port 443. chkrootkit shows there was 1
> process hidden from ps command and 1 process hidden from readdir command.
>
> What tools are available to find out these hidden processes?

If you've been rooted and aren't absolutely positive that you have
thoroughly scrubbed your system (through using a filesystem intrusion
detection utility like Integrit or AIDE or Tripwire) your best (and only
IMNSHO) recourse is to backup your data, put the install CD in the drive
and blow the whole thing away and start over.

Anything less and you risk having something left over on your system
that will open it right back up. Particularly if you've been
rootkitted.

If there is interest, I could probably do some sort of Intrusion
Detection presentation at one of the Tampa SLUG meetings coming up that
would briefly cover Snort (NIDS(1)) and Integrit (FIDS(2)). I could
probably dedicate about half an hour to a high-level overview of each
and maybe even rig up some kind of demonstration on how they work if I
can get access to a network or at least a switch I could plug a couple
machines into.

1) Network Intrusion Detection System
2) Filesystem Intrusion Detection System

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#!/usr/bin/perl -w
$_='while(read+STDIN,$_,2048){$a=29;$b=73;$c=142;$t=255;@t=map
{$_%16or$t^=$c^=($m=(11,10,116,100,11,122,20,100)[$_/16%8])&110;
$t^=(72,@z=(64,72,$a^=12*($_%16-2?0:$m&17)),$b^=$_%64?12:0,@z)
[$_%8]}(16..271);if((@a=unx"C*",$_)[20]&48){$h=5;$_=unxb24,join
"",@b=map{xB8,unxb8,chr($_^$a[--$h+84])}@ARGV;s/...$/1$&/;$d=
unxV,xb25,$_;$e=256|(ord$b[4])<<9|ord$b[3];$d=$d>>8^($f=$t&($d
>>12^$d>>4^$d^$d/8))<<17,$e=$e>>8^($t&($g=($q=$e>>14&7^$e)^$q*
8^$q<<6))<<9,$_=$t[$_]^(($h>>=8)+=$f+(~$g&$t))for@a[128..$#a]}
print+x"C*",@a}';s/x/pack+/g;eval 

usage: qrpff 153 2 8 105 225 < /mnt/dvd/VOB_FILENAME \
  | extract_mpeg2 | mpeg2dec -

http://www.cs.cmu.edu/~dst/DeCSS/Gallery/
http://www.eff.org/
http://www.anti-dmca.org/
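The "1 process hidden from readdir" finding that chkrootkit reported in the question above comes from a simple cross-check: list /proc with readdir(), then ask the kernel about every possible PID through a different path and see which ones the directory listing left out. The following is an added example of that check, written for this thread; it is not code from either poster and not chkrootkit's own chkproc. It assumes a Linux host with /proc mounted, reads pid_max from /proc/sys/kernel/pid_max (falling back to the kernel default of 32768), and uses kill(pid, 0) as the second path, which sends no signal but returns ESRCH for a PID that does not exist. The before/after double listing is there to drop processes that started or exited while the probe loop ran.

```c
/* Added example (not code from the post, not chkrootkit's chkproc): a
 * chkproc-style hidden-process check for Linux. A PID that kill(pid, 0)
 * reports as existing but that never appears in readdir("/proc") is a
 * candidate for an LKM rootkit hooking the directory-listing path. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define DEFAULT_PID_MAX 32768   /* Linux default; /proc/sys/kernel/pid_max overrides it */
#define HARD_PID_CAP    4194304 /* assumption: sane upper bound for the bitmap size */

/* Largest PID to scan: /proc/sys/kernel/pid_max when readable, else the default. */
static long read_pid_max(void) {
    long v = DEFAULT_PID_MAX;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) {
        if (fscanf(f, "%ld", &v) != 1) v = DEFAULT_PID_MAX;
        fclose(f);
    }
    if (v < 2 || v > HARD_PID_CAP) v = DEFAULT_PID_MAX;
    return v;
}

/* 1 if kill(pid, 0) says the process exists (success, or EPERM because it
 * belongs to another user), 0 on ESRCH. Signal 0 delivers nothing. */
int pid_visible_by_probe(pid_t pid) {
    if (kill(pid, 0) == 0) return 1;
    return (errno == EPERM) ? 1 : 0;
}

/* Set seen[pid] = 1 for every purely numeric entry readdir() returns under
 * /proc. Returns the number of PIDs listed, or -1 if /proc cannot be opened. */
int collect_readdir_pids(unsigned char *seen, long pid_max) {
    DIR *d = opendir("/proc");
    if (!d) return -1;
    struct dirent *e;
    int n = 0;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long v = strtol(e->d_name, &end, 10);
        if (e->d_name[0] == '\0' || *end != '\0' || v <= 0 || v >= pid_max) continue;
        seen[v] = 1;
        n++;
    }
    closedir(d);
    return n;
}

/* Pure comparison step, kept separate so it can be exercised on constructed
 * bitmaps. A PID is reported only when the probe saw it AND it was absent
 * from BOTH directory listings (taken before and after the probe pass), which
 * filters out processes that were created or exited mid-scan.
 * Returns the total hidden count and writes up to cap PIDs into out. */
int diff_hidden(const unsigned char *seen_before, const unsigned char *seen_after,
                const unsigned char *probed, long pid_max, pid_t *out, size_t cap) {
    int n = 0;
    for (long p = 1; p < pid_max; p++) {
        if (probed[p] && !seen_before[p] && !seen_after[p]) {
            if ((size_t)n < cap) out[n] = (pid_t)p;
            n++;
        }
    }
    return n;
}

/* Full scan: readdir, probe every PID, readdir again, compare.
 * Returns the number of hidden PIDs (up to cap stored in out), or -1 if
 * /proc is unavailable. */
int scan_for_hidden(pid_t *out, size_t cap) {
    long pid_max = read_pid_max();
    unsigned char *before = calloc((size_t)pid_max, 1);
    unsigned char *after  = calloc((size_t)pid_max, 1);
    unsigned char *probed = calloc((size_t)pid_max, 1);
    int result = -1;
    if (before && after && probed && collect_readdir_pids(before, pid_max) >= 0) {
        for (long p = 1; p < pid_max; p++)
            probed[p] = (unsigned char)pid_visible_by_probe((pid_t)p);
        if (collect_readdir_pids(after, pid_max) >= 0)
            result = diff_hidden(before, after, probed, pid_max, out, cap);
    }
    free(before);
    free(after);
    free(probed);
    return result;
}

int main(void) {
    pid_t hidden[64];
    int n = scan_for_hidden(hidden, 64);
    if (n < 0) { perror("/proc"); return 2; }
    printf("%d process(es) answer kill() but are missing from readdir(/proc)\n", n);
    for (int i = 0; i < n && i < 64; i++) printf("  pid %ld\n", (long)hidden[i]);
    return n ? 1 : 0;
}
```

Run it as root so EPERM does not mask anything, and treat any hit as a reason to pull the disk and inspect it from a clean system rather than to keep poking at the live box. The check is only as honest as the kernel it runs on: a module that hooks the kill() path as well as the readdir path (several LKM rootkits of that era used a magic signal number to hide or unhide a process) leaves both views consistent and this scan reports nothing, which is the practical reason behind the advice in the reply to reinstall rather than try to clean a rootkitted host in place.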



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:52:37 EDT