Re: IIS web server hacked..any tips?
Valdis.Kletnieks_at_vt.edu
Date: 12/17/04
- Previous message: Valdis.Kletnieks_at_vt.edu: "Re: Strange command histories in hacked shell server"
- In reply to: David LeBlanc: "RE: IIS web server hacked..any tips?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: David LeBlanc <dleblanc@exchange.microsoft.com>
Date: Fri, 17 Dec 2004 13:32:59 -0500
On Thu, 16 Dec 2004 17:47:51 PST, David LeBlanc said:
> So you'd set the switch, boot the system, wait until you want to
> snapshot it, and then use the debugger to look at anything in memory you
> like. Windbg will do this, and I think SoftIce does, too. The owned
> system is defenseless against an external kernel debugger.
Well.. that's not *really* a totally external debugger. For starters, you're
assuming the system is cooperating enough to *start* the debugger, and to keep
talking to it. There's no good way to *force* (on the *hardware* level) the
system to cooperate across that serial cable. A *sufficiently* 0wned box can
simply ignore that port - it's just that no rootkits so far have bothered to
protect against it. (Think about it - if it's a boot.ini flag, all I have to
do is add a rootkit part that says "ignore that boot.ini flag" and the debugger
is useless....)
The ieee1394/iPod trick is different in that the external 1394 device literally
*CAN* force itself into the system on the hardware level and do DMA to suck out
all the RAM contents, totally without any cooperation from the system.