Re: root_drv.sys rootkit
From: Craig Paterson (craigp_at_tippett.com)
Date: 11/08/04
- Previous message: Roy Morris: "RE: root_drv.sys rootkit"
- In reply to: Dennis Dimka: "RE: root_drv.sys rootkit"
- Next in thread: Calder, James (EXP): "RE: root_drv.sys rootkit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 08 Nov 2004 13:36:47 -0800
To: Dennis Dimka <dennis.dimka@manna.com>
Dennis Dimka wrote:
>Once you've cleaned it, you should also run a port scan against this machine
>to find any other listening ports on that box (accomplished attackers will
>put more than one on a box, should the admin find one).
>
>
Also bear in mind that if they're (rootkit authors) good, the ports
they're using won't necessarily show up in an nmap because the listening
process will only respond to some specific client addresses, or use
port knocking to verify the client, etc.
As everyone else says, rebuilding is the only way to be sure.
Craig.