Re: Re[2]: Compromised Win2000 machine.

From: H C (keydet89@yahoo.com)
Date: 05/31/02


Date: Fri, 31 May 2002 07:22:42 -0700 (PDT)
From: H C <keydet89@yahoo.com>
To: Joris De Donder <joris@digitaldefense.be>, l0t@securax.org

Thanks for the links...now, has anyone ever seen them
in use?

BTW...Hoglund's rootkit is a good link, but it's out
of context...the context of the thread was about
modifications to the binaries themselves, not the
kernel.

--- Joris De Donder <l0t@securax.org> wrote:
>
> HC> Remember...the Linux/*nix architectures are different
> HC> from that of NT/2K...and XP. I'm not saying that this
> HC> can't be done...I'm simply asking if anyone can show,
> HC> with proof, that this *has* been done? And it doesn't
> HC> have to be just netstat.exe...it can be any other
> HC> native tool. And binding the .exe file using
> HC> SaranWrap or EliteWrap doesn't count, as the basic
> HC> functionality still exists and all network connects
> HC> (netstat) will still be shown...
>
> * Fake netstat.exe (4/23/02):
> http://kcom.org/tfiles/pafiledb.php?action=category&id=9
>
> * Another fake netstat.exe (Apr 24 17:18:22 2001):
> http://packetstormsecurity.org/UNIX/penetration/rootkits/Netstat.zip
>
> * "A Rootkit for netstat under win2k, By ThreaT":
> http://www.madchat.org/coding/nethide.txt
>
> * Netstatp with source code:
> http://packetstormsecurity.org/NT/IDS/netstatp.zip
> [Could be used to build a netstat.exe clone]
>
> * ReactOS:
> http://www.reactos.com/
> "ReactOS is an Open Source effort to develop a quality
> operating system that is compatible with Windows NT
> applications and drivers."
> [Source code could be used to build a trojan cmd.exe,...]
>
> * NTRootkit:
> http://www.rootkit.com (seems to be down)
> http://www.phrack.com/show.php?p=55&a=5
> http://www.megasecurity.org/Tools/Nt_rootkit_all.html
> "The NTRootKit project provides a framework for trojaning
> the NT kernel and applications, in much the same manner as
> rootkits for Linux and the various flavors of Unix."
>
> "New features:
> Embedded TCP/IP stack (stateless)
> [...snip...]
> NOTE: THIS MEANS THAT ROOTKIT DOES NOT SHOW UP IN NETSTAT
> Indeed, why would it? It's not using the NT stack."
>
>
> Regards,
> Joris De Donder
>
>
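Added example, not part of this thread and not any of the tools Joris lists: a cross-view check a responder can run when a trojaned netstat.exe (the userland case HC is asking about) is suspected. It parses the output of the host's own netstat -an and compares it with an independently obtained copy of the same TCP table (for instance from a netstatp-style tool you built yourself, or reconstructed from a network-side capture); anything the independent view has but netstat lacks is what the binary is hiding. Both inputs below are constructed samples; note that an NTRootkit-style embedded stack would not appear in either host-side view, so only the network-side source catches that case.

```python
import re

# Constructed sample: what the (suspect) netstat.exe -an printed on the host.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.22:1043      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample: the same TCP/UDP table from an independent source
# (your own IP-helper-based tool, or a capture on a span port). It contains a
# listener the trojaned netstat filtered out.
INDEPENDENT_VIEW = {
    ("TCP", "0.0.0.0:135", "0.0.0.0:0", "LISTENING"),
    ("TCP", "0.0.0.0:445", "0.0.0.0:0", "LISTENING"),
    ("TCP", "0.0.0.0:6667", "0.0.0.0:0", "LISTENING"),   # hidden by netstat
    ("TCP", "192.168.1.10:139", "192.168.1.22:1043", "ESTABLISHED"),
    ("UDP", "0.0.0.0:445", "*:*", ""),
}

# One netstat row: proto, local, foreign and an optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return the set of (proto, local, foreign, state) rows netstat printed;
    banner and header lines do not match the row pattern and are skipped."""
    rows = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            rows.add((proto, local, foreign, state or ""))
    return rows


def cross_view_diff(netstat_text, independent):
    """Rows in the independent view but absent from netstat are being hidden
    from the tool; rows netstat shows that the independent view lacks are
    worth a second look too (stale data or a fabricated entry)."""
    shown = parse_netstat(netstat_text)
    hidden = sorted(independent - shown)
    extra = sorted(shown - independent)
    return hidden, extra


if __name__ == "__main__":
    hidden, extra = cross_view_diff(NETSTAT_OUTPUT, INDEPENDENT_VIEW)
    for row in hidden:
        print("hidden from netstat:", *row)
    for row in extra:
        print("only in netstat:", *row)
```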


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


