Re: 'rooted' NT/2K boxen?

From: zeno (bugtraq@cgisecurity.net)
Date: 05/02/02


From: zeno <bugtraq@cgisecurity.net>
To: keydet89@yahoo.com (H C)
Date: Thu, 2 May 2002 16:06:30 -0400 (EDT)


>
> Recently, there have been several messages posted to
> this list about rooted Linux boxen. My question is
> this...has anyone seen NT/2K boxen 'rooted', in the
> sense that a Linux box is usually rooted...completely
> taken over, trojaned binaries, backdoors, users
> installed, rootkit(s), tools copied over?
>
> If so, what, if any, info would you be willing to
> share about the system?

I haven't seen any type of Windows 'rootkit' myself. For example, a replacement of netstat, nbtstat, route, and other utilities to give process information etc...

If anyone knows of any, let me know; I'm interested. Of course the problem with getting Windows source is an issue.

- zeno@cgisecurity.com

>
> I'm trying to get an idea of how prevalent this sort
> of thing is, and also to see what's being done, so as
> to not only better protect my systems, but to assist
> me in building a better incident response methodology.
>
> Thanks.
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com