Re: fun with posiden rootkit
From: Dave Dittrich (dittrich@cac.washington.edu)
Date: 03/26/02
- In reply to: Skip Carter: "Re: fun with posiden rootkit"
Date: Mon, 25 Mar 2002 23:36:33 -0800 (PST)
From: Dave Dittrich <dittrich@cac.washington.edu>
To: Skip Carter <skip@taygeta.com>
On Mon, 25 Mar 2002, Skip Carter wrote:
> > - sometimes checking failed script-kiddies can be entertaining if time
> > permits to look around for any funny stuff
>
> I had one incident that I investigated for a client recently.
>
> It was the usual: gain entry, install rootkit, install password
> scanner, etc. Except he did it in the wrong order, so that his
> password scanner caught his own connection back to his rootkit
> archive; so when I started my investigation I was able to log in
> to his archive and pick up his entire stash of tools.
I can't tell you how many times I've seen that over the years,
e.g.:
http://staff.washington.edu/dittrich/talks/security/case1/hacksniff.txt
This kind of thing is, according to an Assistant US Attorney, "a slam
dunk" violation of the Wiretap statute. With a little correlation
of events via timestamps on files and other logins in the sniffer
file, you can show a direct link between an intruder, the sniffer,
and the "fruits of crime" (the sniffed passwords). If you can get
the owner of the site to save a copy for law enforcement (rather than
popping in yourself and copying files), there is corroborating
evidence from an independent source.
Then again, I've also seen the following:
/*
* dontsniff2.c by XXXXXXXX (today: 13 Nov 1998)
* Regards to both XXXXXX and XXXXXXX ;)
* Paper:
* T.Ptacek, T.Newsham "Insertion, Evasion, and Denial of Service: Eluding
* Network Intrusion Detection," Secure Networks, Inc. January, 1998
* Greetings to XXX@!#$
* Description:
* this daemon add little protection from some kind of sniffers and IDS
* How it work (in default mode: -fffdFD):
* 1. send fake data packets with random garbage on every ACK packet -
* - sniffer log fake data.
* 2. send fake FIN packets on every SYN packet -
* - sniffer "think" connection closed and stop logging.
* "fake" mean - it good packets for sniffer but really ignored by most
* of computer systems in internet cause they have invalid sequence number.
*/
Moral of the story: don't expect to be lucky all the time, and trust
packets found on the network, not files found on a compromised host.
--
Dave Dittrich                           Computing & Communications
dittrich@cac.washington.edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington
PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
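The insertion trick the dontsniff2.c header describes (forged data and FIN segments whose sequence numbers the real endpoint ignores) only works against a sniffer that logs whatever it sees; the countermeasure from the Ptacek/Newsham paper is to reassemble the stream the way the receiving host does. The following is an added example, not code from the original message or from any tool it mentions: a naive logger beside a sequence-checked reassembler, both run over constructed segments (the sequence numbers, payloads and window size are assumed).

```python
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int                 # sequence number of the first payload byte (or of SYN/FIN)
    payload: bytes = b""
    syn: bool = False
    fin: bool = False

def naive_reassemble(segments):   # the sniffer dontsniff2.c targets: log all, stop at first FIN
    out = bytearray()
    for s in segments:
        if s.fin:
            break
        out += s.payload
    return bytes(out)

def window_reassemble(segments, window=65535):
    """Accept only what the receiving host would: in-order, in-window data, and a FIN
    only when it is in order. Returns (stream, dropped_segment_count, closed)."""
    expected, pending, out, dropped, closed = None, {}, bytearray(), 0, False
    for s in segments:
        if s.syn:
            expected = (s.seq + 1) % 2**32        # SYN consumes one sequence number
            continue
        dist = None if expected is None else (s.seq - expected) % 2**32
        if closed or dist is None or dist >= window:
            dropped += 1                          # stale, or random seq: endpoint ignores it
            continue
        if dist > 0:
            pending[s.seq] = s                    # in window but out of order: hold it
            continue
        while s is not None:                      # in order: consume, then drain held segments
            out += s.payload
            expected = (expected + len(s.payload)) % 2**32
            if s.fin:
                closed = True
                break
            s = pending.pop(expected, None)
    return bytes(out), dropped, closed

# Constructed sample: one direction of a cleartext login with the two forged segment
# kinds from the comment header mixed in, plus one genuine segment arriving early.
GARBAGE = b"\x8f\x1e\x00\xa7 random garbage"
SEGMENTS = [
    Segment(seq=1000, syn=True),
    Segment(seq=1001, payload=b"USER alice\r\n"),
    Segment(seq=0xDEADBEEF, payload=GARBAGE),    # forged data, random sequence number
    Segment(seq=77, fin=True),                   # forged FIN, random sequence number
    Segment(seq=1027, fin=True),                 # real FIN, delivered before the last data
    Segment(seq=1013, payload=b"PASS example\r\n"),
]
```

The naive logger records the garbage and stops at the forged FIN, never seeing the second line; the window-checked reassembler drops both forged segments and still closes cleanly on the real FIN.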
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com