Re: NKADM rootkit - Something new?

InfoSec_at_seba.com
Date: 05/27/04

  • Next message: Derek: "Re: Trojan of somesort - Update"
    To: Paul Schmehl <pauls@utdallas.edu>
    Date: Thu, 27 May 2004 15:05:40 -0400
    
    

    Instead of Knoppix you may want to look at "Knoppix Security Tools Distro"
    at http://www.knoppix-std.org

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    This message and any files transmitted with it are
    proprietary and confidential. They are intended solely
    for the use of the individual or entity to whom they are
    addressed. If the reader of this message is not the
    intended recipient, please notify the sender immediately
    and delete this message. Distribution or copying of this
    message is prohibited.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Paul Schmehl <pauls@utdallas.edu>
    05/26/2004 06:50 PM
     
            To: <incidents@securityfocus.com>
            cc:
            Subject: Re: NKADM rootkit - Something new?

    Since I posted my response in this thread, I've gotten several requests
    for my "tool list". There's really nothing magical about it.

    Foundstone has a number of useful tools - Forensic Toolkit (good for
    examining files), Vision (shows open TCP and UDP ports and what process
    owns them), BinText (strings for Windows).

    Go to http://www.foundstone.com/ and click on Resources/Free Tools.

    Sysinternals has a number of tools that you'll probably find in the
    hackers' toolkits as well, particularly pslist and pskill. But look at
    their whole set. ListDLLs is very useful, as is Handle, PMon, Process
    Explorer (the find function is *very* helpful), PSTools (pskill, pslist,
    psservice and several others.)

    Go to http://www.sysinternals.com/ and click on Utilities.

    All these tools are very useful. Particularly when you're dealing with a
    process or service that's been renamed and/or is elusive, something that
    can tie processes to PIDs and files with complete paths is a necessity.

    Another good tool is Active Ports, which will show you the process, PID,
    IP address (local and remote), ports (local and remote), state (listen,
    established) and path to the executable. It is extremely useful.

    Go to http://www.snapfiles.com/get/activeports.html

    More good tools may be found at http://www.ntutility.com/ (including
    Active Ports.)

    Of course Microsoft also has a useful set of utilities that few seem to
    know about. Among them are sc, tskill, tasklist, eventquery.vbs and
    pstat.exe (part of the SDK). These are handy in a pinch, but not as
    informative as the tools mentioned above.

    Another tool that I've found invaluable is F.I.R.E. It's a bootable,
    networkable CD ROM running Linux. I've been able to mount ntfs hard drives
    and scp the entire contents to a server, saving all the data from a
    crashed machine before formatting it and reinstalling the OS. (Saved the
    President's laptop once, becoming a hero in the process.) I've done
    forensics on a Win2K box, mounting the ntfs drives and making copies of
    all the logs and binaries I found without disturbing the contents of the
    drive or changing any of the file access information.

    Go to http://biatchux.dmzs.com/ to get a copy.

    The most recent update is dated 5/14/2003, so I don't know if it's being
    maintained or updated.

    You might want to consider Knoppix instead. It comes with a boatload of
    extra stuff you won't use for forensics, but it's a good way to get
    familiar with unix, if you're not already. It even has a working version
    of snort with ACID!

    Go to http://www.knoppix.net/ for more information.

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu/ir/security/
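The point made above about needing something that ties a process to its PID, its open ports and its full image path can also be scripted from the stock Microsoft utilities the message mentions: `netstat -ano` gives socket-to-PID, and `wmic process get ProcessId,Name,ExecutablePath /format:csv` gives PID-to-path. The following is an added example written for this page, not code from the original post or its author. The netstat and wmic output embedded in it is constructed sample data (it is not from a real host), and the trusted-directory list is an assumption to tune for your own builds.

```python
"""Tie every socket from `netstat -ano` to a PID, image name and full
executable path, then flag bound sockets whose image lives outside the
directories you expect. Added example, not code from the original thread;
the tool output below is constructed sample data, not a real capture."""
import csv
import io
import ntpath

# Constructed sample of `netstat -ano` output (Windows XP/2003 layout).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1748
  TCP    192.168.1.10:1063      10.0.0.5:6667          ESTABLISHED     1748
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:1900           *:*                                    1108
"""

# Constructed sample of `wmic process get ProcessId,Name,ExecutablePath
# /format:csv` (wmic prints a leading blank line and orders columns by name).
PROCESS_SAMPLE = """\

Node,ExecutablePath,Name,ProcessId
HOST1,,System,4
HOST1,C:\\WINDOWS\\system32\\svchost.exe,svchost.exe,912
HOST1,C:\\WINDOWS\\system32\\svchost.exe,svchost.exe,1108
HOST1,C:\\WINDOWS\\system32\\drivers\\svch0st.exe,svch0st.exe,1748
"""

# Directories a listener's image is expected to live in. This is an
# assumption for the example. The match is on the exact directory, not a
# prefix, so an .exe dropped into a subdirectory such as system32\drivers
# is still flagged.
TRUSTED_DIRS = {"c:\\windows\\system32", "c:\\windows"}


def split_endpoint(endpoint):
    """'192.168.1.10:1063' -> ('192.168.1.10', 1063); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP/UDP line of `netstat -ano` output."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = fields[0], fields[1], fields[2]
        # UDP lines have no State column; the PID is the last field either way.
        state = fields[3] if proto == "TCP" else ""
        lip, lport = split_endpoint(local)
        rip, rport = split_endpoint(remote)
        sockets.append({"proto": proto, "local_ip": lip, "local_port": lport,
                        "remote_ip": rip, "remote_port": rport,
                        "state": state, "pid": int(fields[-1])})
    return sockets


def parse_process_csv(text):
    """Map PID -> {'name', 'path'} from wmic's CSV output."""
    rows = csv.DictReader(io.StringIO(text.lstrip("\r\n")))
    return {int(r["ProcessId"]): {"name": r["Name"], "path": r["ExecutablePath"]}
            for r in rows}


def correlate(netstat_text, process_text):
    """Attach image name and full path to every socket. A PID that matches no
    process is kept and marked, because a socket with no visible owner is
    itself worth a look."""
    procs = parse_process_csv(process_text)
    out = []
    for s in parse_netstat(netstat_text):
        p = procs.get(s["pid"], {"name": "<no process>", "path": ""})
        out.append({**s, "name": p["name"], "path": p["path"]})
    return out


def unexpected_listeners(records):
    """Listening TCP sockets and bound UDP sockets whose image directory is
    not in TRUSTED_DIRS. PID 4 (System) is kernel-owned and has no image
    path, so it is skipped; an empty path for any other PID is flagged."""
    hits = []
    for r in records:
        bound = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if not bound or r["pid"] == 4:
            continue
        if ntpath.dirname(r["path"]).lower() not in TRUSTED_DIRS:
            hits.append(r)
    return hits


if __name__ == "__main__":
    rows = correlate(NETSTAT_SAMPLE, PROCESS_SAMPLE)
    for r in rows:
        print(f"{r['proto']:<4} {r['local_port']!s:>6} {r['state']:<12} "
              f"{r['pid']:>5} {r['name']:<14} {r['path']}")
    for r in unexpected_listeners(rows):
        print("UNEXPECTED:", r["proto"], r["local_port"], r["pid"], r["path"])
```

On a live box you would redirect the two commands to files first (so the raw output is preserved as evidence) and feed the files to `correlate`; the exact-directory check rather than a prefix check is deliberate, since a renamed binary dropped into a system32 subdirectory is a common way to hide in plain sight.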


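The live-CD acquisition described in the message above (mount the NTFS volume, copy off logs and binaries, leave the original untouched) is worth pairing with an integrity record, which the message does not mention. The following is an added example, not the original author's procedure or code. The mount command in the comment is an assumed typical invocation with a placeholder device name, to be adapted on the CD; the directory tree that `demo()` builds is constructed so the copy and manifest functions can be exercised anywhere.

```python
"""Copy logs and binaries off a volume mounted from a live CD, preserving the
copies' timestamps and recording a sha256 manifest that can be re-checked
later. Added example, not part of the original thread."""
import fnmatch
import hashlib
import os
import shutil
import tempfile

# On the live CD, mount the evidence volume read-only and with access-time
# updates disabled before touching anything (assumed typical invocation;
# the device name is a placeholder):
#   mount -t ntfs -o ro,noatime /dev/hda1 /mnt/evidence

# File types worth pulling first. Assumption for the example; widen as needed.
DEFAULT_PATTERNS = ("*.log", "*.evt", "*.exe", "*.dll", "*.sys")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(src_root, dst_root, patterns=DEFAULT_PATTERNS):
    """Copy files matching `patterns` from src_root into dst_root, keeping the
    relative layout. shutil.copy2 preserves mtime/atime on the copies, the
    hash is taken from the source and the copy and compared, and nothing is
    ever written under src_root. Returns {relative_path: sha256}."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(src_root):
        for name in files:
            if not any(fnmatch.fnmatch(name.lower(), p) for p in patterns):
                continue
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(dst_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            digest = sha256_file(src)
            if sha256_file(dst) != digest:
                raise RuntimeError(f"hash mismatch while copying {rel}")
            manifest[rel] = digest
    return manifest


def write_manifest(manifest, path):
    """Write 'hash  relative/path' lines, the layout `sha256sum -c` accepts."""
    with open(path, "w") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def verify_manifest(manifest_path, root):
    """Recompute every hash under root; return the relative paths that differ."""
    bad = []
    with open(manifest_path) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            if sha256_file(os.path.join(root, rel)) != digest:
                bad.append(rel)
    return bad


def demo():
    """Build a small constructed tree, acquire it, and return the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence")
        dst = os.path.join(tmp, "copy")
        os.makedirs(os.path.join(src, "WINNT", "system32", "config"))
        log = os.path.join(src, "WINNT", "system32", "config", "SecEvent.Evt")
        exe = os.path.join(src, "WINNT", "system32", "svch0st.exe")
        txt = os.path.join(src, "WINNT", "readme.txt")   # not matched, skipped
        for p, data in ((log, b"event log bytes"), (exe, b"MZ\x90\x00"), (txt, b"x")):
            with open(p, "wb") as f:
                f.write(data)
        os.utime(exe, (1_000_000_000, 1_000_000_000))    # old stamp to check
        manifest = acquire(src, dst)
        mpath = os.path.join(tmp, "manifest.sha256")
        write_manifest(manifest, mpath)
        copied_exe = os.path.join(dst, "WINNT", "system32", "svch0st.exe")
        return {
            "files": sorted(r.replace(os.sep, "/") for r in manifest),
            "mtime_preserved": int(os.stat(copied_exe).st_mtime) == 1_000_000_000,
            "mismatches": verify_manifest(mpath, dst),
        }


if __name__ == "__main__":
    print(demo())
```

Keep the manifest with the copied data and re-run `verify_manifest` (or `sha256sum -c`) after the scp to the server, so any corruption in transit shows up before the original drive is wiped.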