RE: NKADM rootkit - Something new?
From: Dave Paris (dparis_at_w3works.com)
Date: 05/28/04
- Previous message: Steven Trewick: "RE: Trojan of somesort - Update"
- In reply to: InfoSec_at_seba.com: "Re: NKADM rootkit - Something new?"
- Next in thread: Ferruh Mavituna: "RE: NKADM rootkit - Something new?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <incidents@securityfocus.com> Date: Fri, 28 May 2004 06:19:10 -0400
The Operator live CD (based on Knoppix) is an outstanding variation on this
theme.
http://www.ussysadmin.com/operator/
Kind Regards,
-dsp
> -----Original Message-----
> From: InfoSec@seba.com [mailto:InfoSec@seba.com]
> Sent: Thursday, May 27, 2004 3:06 PM
> To: Paul Schmehl
> Cc: incidents@securityfocus.com
> Subject: Re: NKADM rootkit - Something new?
>
>
> Instead of Knoppix you may want to look at "Knoppix Security Tools Disto"
> at
> http://www.knoppix-std.org
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> This message and any files transmitted with it are
> proprietary and confidential. They are intended solely
> for the use of the individual or entity to whom they are
> addressed. If the reader of this message is not the
> intended recipient, please notify the sender immediately
> and delete this message. Distribution or copying of this
> message is prohibited.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Paul Schmehl <pauls@utdallas.edu>
> 05/26/2004 06:50 PM
>
> To: <incidents@securityfocus.com>
> cc:
> Subject: Re: NKADM rootkit - Something new?
>
>
> Since I posted my response in this thread, I've gotten several requests
> for
> my "tool list". There's really nothing magical about it.
>
> Foundstone has a number of useful tools - Forensic Toolkit (good for
> examining files), Vision (shows open TCP and UDP ports and what
> process owns them), BinText (strings for Windows).
>
> Go to http://www.foundstone.com/ and click on Resources/Free Tools.
>
> Sysinternals has a number of tools that you'll probably find in the
> hackers' toolkits as well, particularly pslist and pskill. But look at
> their whole set. ListDLLs is very useful, as is Handle, PMon, Process
> Explorer (find function is *very* helpful), PSTools (pskill, pslist,
> psservice and several others.)
>
> Go to http://www.sysinternals.com/ and click on Utilities.
> All these tools are very useful. Particularly when you're dealing with a
> process or service that's been renamed and/or is elusive, something that
> can tie processes to PIDs and files with complete paths is a necessity.
>
> Another good tool is Active Ports, which will show you the process, PID,
> IP address (local and remote), ports (local and remote), state (listen,
> established) and path to the executable. It is extremely useful.
>
> Go to http://www.snapfiles.com/get/activeports.html
>
> More good tools may be found at http://www.ntutility.com/ (including
> Active
> Ports.)
>
> Of course Microsoft also has a useful set of utilities that few seem to
> know about. Among them are sc, tskill, tasklist, eventquery.vbs, pstat.exe
> (part of the SDK). These are handy in a pinch, but not as informative as
> the tools mentioned above.
>
> Another tool that I've found invaluable is F.I.R.E. It's a bootable,
> networkable CD ROM running Linux. I've been able to mount ntfs hard
> drives
> and scp the entire contents to a server, saving all the data from a
> crashed
> machine before formatting it and reinstalling the OS. (Saved the
> President's laptop once, becoming a hero in the process.) I've done
> forensics on a Win2K box, mounting the ntfs drives and making copies of
> all
> the logs and binaries I found without disturbing the contents of
> the drive or changing any of the file access information.
>
> Go to http://biatchux.dmzs.com/ to get a copy.
>
> The most recent update is dated 5/14/2003, so I don't know if it's being
> maintained or updated.
>
> You might want to consider Knoppix instead. It comes with a boatload of
> extra stuff you won't use for forensics, but it's a good way to get
> familiar with unix, if you're not already. It even has a working version
> of snort with ACID!
>
> Go to http://www.knoppix.net/ for more information.
>
> Paul Schmehl (pauls@utdallas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/
>
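The live-system need described above (tying every listening or connected socket to a PID, a process name and the full path of its executable, which is what Active Ports and Vision provided) can be reproduced today with built-in PowerShell. The script below is an added example for this thread, not code from any of the posters or from the tools they mention; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Get-NetUDPEndpoint) and an elevated shell so that executable paths of other users' processes are readable. The function names Get-PortOwner and Find-SuspiciousPortOwner and the "expected directory" list are this example's own choices.

```powershell
# Added example (not from the thread): map TCP/UDP endpoints to owning
# process, PID and executable path, roughly what Active Ports / Vision showed.
# Assumes Windows 8 / Server 2012+ (NetTCPIP module) and an elevated shell.

function Get-PortOwner {
    [CmdletBinding()]
    param(
        # By default report only listening sockets and established connections
        [string[]]$State = @('Listen', 'Established')
    )

    $tcp = Get-NetTCPConnection | Where-Object { $_.State -in $State } |
        Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort,
                      RemoteAddress, RemotePort, State, OwningProcess
    # UDP has no state or remote peer; fill those columns with placeholders
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort,
                      @{n='RemoteAddress';e={'*'}}, @{n='RemotePort';e={0}},
                      @{n='State';e={'-'}}, OwningProcess

    foreach ($c in @($tcp) + @($udp)) {
        # A PID that no longer resolves is itself worth noting (see below)
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Proto  = $c.Proto
            Local  = "$($c.LocalAddress):$($c.LocalPort)"
            Remote = "$($c.RemoteAddress):$($c.RemotePort)"
            State  = $c.State
            PID    = $c.OwningProcess
            Name   = if ($proc) { $proc.ProcessName } else { '<gone>' }
            Path   = if ($proc -and $proc.Path) { $proc.Path } else { '<n/a>' }
        }
    }
}

# Surface the cases the thread is about: a socket whose owner cannot be
# resolved, whose path is unreadable, or whose executable lives outside the
# system and program directories (a renamed/relocated binary).
function Find-SuspiciousPortOwner {
    # "Expected" locations are an assumption of this example; adjust per host
    $expected = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    Get-PortOwner | Where-Object {
        $p = $_.Path
        $_.Name -eq '<gone>' -or $p -eq '<n/a>' -or
        -not ($expected | Where-Object { $p.StartsWith($_, 'OrdinalIgnoreCase') })
    }
}

Get-PortOwner | Sort-Object Proto, LocalPort | Format-Table -AutoSize
'--- endpoints whose owner is unresolved or outside system/program dirs ---'
Find-SuspiciousPortOwner | Format-Table -AutoSize
```

Treat the output as a lead, not a verdict: like every tool in the list above, it queries the running kernel, so a rootkit that hides processes or sockets hides them from this script too. That is exactly why the thread moves on to booting the box from F.I.R.E., Knoppix-STD or Operator and examining the mounted disk without trusting the installed OS.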