Re: Re[2]: Compromised Win2000 machine.
From: H C (keydet89@yahoo.com) Date: 05/31/02
- Previous message: Daniel Hay: "Re: Compromised Win2000 machine. - Follow UP"
- Maybe in reply to: Daniel Hay: "Compromised Win2000 machine."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 31 May 2002 07:22:42 -0700 (PDT) From: H C <keydet89@yahoo.com> To: Joris De Donder <joris@digitaldefense.be>, l0t@securax.org
Thanks for the links...now, has anyone ever seen them in use?

BTW...Hoglund's rootkit is a good link, but it's out of context...the context of the thread was about modifications to the binaries themselves, not the kernel.
--- Joris De Donder <l0t@securax.org> wrote:
>
> HC> Remember...the Linux/*nix architectures are different
> HC> from that of NT/2K...and XP. I'm not saying that this
> HC> can't be done...I'm simply asking if anyone can show,
> HC> with proof, that this *has* been done? And it doesn't
> HC> have to be just netstat.exe...it can be any other
> HC> native tool. And binding the .exe file using
> HC> SaranWrap or EliteWrap doesn't count, as the basic
> HC> functionality still exists and all network connects
> HC> (netstat) will still be shown...
>
> * Fake netstat.exe (4/23/02):
> http://kcom.org/tfiles/pafiledb.php?action=category&id=9
>
> * Another fake netstat.exe (Apr 24 17:18:22 2001):
> http://packetstormsecurity.org/UNIX/penetration/rootkits/Netstat.zip
>
> * "A Rootkit for netstat under win2k, By ThreaT":
> http://www.madchat.org/coding/nethide.txt
>
> * Netstatp with source code:
> http://packetstormsecurity.org/NT/IDS/netstatp.zip
> [Could be used to build a netstat.exe clone]
>
> * ReactOS:
> http://www.reactos.com/
> "ReactOS is an Open Source effort to develop a quality
> operating system that is compatible with Windows NT
> applications and drivers."
> [Source code could be used to build a trojan cmd.exe,...]
>
> * NTRootkit:
> http://www.rootkit.com (seems to be down)
> http://www.phrack.com/show.php?p=55&a=5
> http://www.megasecurity.org/Tools/Nt_rootkit_all.html
> "The NTRootKit project provides a framework for trojaning
> the NT kernel and applications, in much the same manner as
> rootkits for Linux and the various flavors of Unix."
>
> "New features:
> Embedded TCP/IP stack (stateless)
> [...snip...]
> NOTE: THIS MEANS THAT ROOTKIT DOES NOT SHOW UP IN NETSTAT
> Indeed, why would it? It's not using the NT stack."
>
> Regards,
> Joris De Donder
>
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
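The thread above distinguishes two ways a compromised host can lie about its network state: a replaced or bound native binary such as netstat.exe, and a kernel-level rootkit (NTRootkit) that runs its own TCP/IP stack so nothing ever appears in netstat. The following Python script is an added example written for this page; it is not code from the thread or from any of the tools linked in it. It shows the two defender-side checks that separate those cases: a hash baseline of native binaries compared against the live copies, and a cross-check of `netstat -an` output against a connection list obtained independently (for example from a sniffer on another host). All file contents, netstat lines and connection tuples below are constructed sample data, and the function names are the example's own.

```python
"""Added example, not from the thread: two checks for the trojaned-netstat
scenario.

1. Hash baseline: record known-good SHA-256 digests of native binaries and
   report any that differ on the live host (catches a replaced or bound
   netstat.exe / cmd.exe).
2. netstat cross-check: parse `netstat -an` style output and report
   connections that an independent observer saw but netstat did not
   (catches a netstat that filters, or a stack netstat never sees).

All sample data in this file is constructed for illustration.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterable, List, Set, Tuple

Conn = Tuple[str, int, str, int]  # (local ip, local port, remote ip, remote port)


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(paths: Iterable[str]) -> Dict[str, str]:
    """Known-good digests. In practice take these from trusted media, not the suspect host."""
    return {p: sha256_file(p) for p in paths}


def verify(known_good: Dict[str, str]) -> List[str]:
    """Paths whose live copy is missing or no longer matches the baseline digest."""
    changed = []
    for path, digest in known_good.items():
        if not os.path.exists(path) or sha256_file(path) != digest:
            changed.append(path)
    return changed


# Matches the TCP lines of Windows `netstat -an` output: proto, local, foreign, state.
NETSTAT_TCP_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)")


def parse_netstat(output: str) -> Set[Conn]:
    """Extract (local ip, local port, remote ip, remote port) tuples from netstat text."""
    conns: Set[Conn] = set()
    for line in output.splitlines():
        m = NETSTAT_TCP_RE.match(line)
        if m:
            conns.add((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return conns


def hidden_connections(netstat_output: str, independent: Iterable[Conn]) -> List[Conn]:
    """Connections the independent source saw that netstat on the host did not report."""
    return sorted(set(independent) - parse_netstat(netstat_output))


# Constructed sample: what a trojaned netstat on the host printed.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.20:1047      ESTABLISHED
"""

# Constructed sample: what a sniffer on a separate machine observed for the same host.
SNIFFER_SEEN: List[Conn] = [
    ("192.168.1.10", 139, "192.168.1.20", 1047),
    ("192.168.1.10", 31337, "10.0.0.5", 4444),
]


def demo_integrity() -> List[str]:
    """Build a baseline over placeholder files, tamper with one, and report it by name."""
    with tempfile.TemporaryDirectory() as d:
        names = ["netstat.exe", "cmd.exe", "ipconfig.exe"]
        paths = [os.path.join(d, n) for n in names]
        for p in paths:
            with open(p, "wb") as f:  # constructed placeholder content, not real binaries
                f.write(b"MZ placeholder for " + os.path.basename(p).encode())
        known_good = baseline(paths)
        with open(paths[0], "ab") as f:  # simulate a replaced/bound netstat.exe
            f.write(b"\x90\x90 extra bytes")
        return [os.path.basename(p) for p in verify(known_good)]


def demo_netstat() -> List[Conn]:
    """Cross-check the constructed netstat output against the constructed sniffer view."""
    return hidden_connections(SAMPLE_NETSTAT, SNIFFER_SEEN)


if __name__ == "__main__":
    print("modified binaries:", demo_integrity())
    print("connections netstat did not show:", demo_netstat())
```

The hash check only answers the first question in the thread (was the binary itself modified?). It has to be run with tools and hashes brought in from trusted media, because a kernel-level rootkit of the NTRootkit kind can answer file reads with the original bytes; that is exactly why the cross-check against an off-host observer is the second half of the example.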