Re: Urgent!!! My computer seems to be hacked, pls HELP!!!

"René Berber" <rberber@xxxxxxxxxxxxxxx> writes:
Todd H. wrote:

René Berber writes:

Todd H. wrote:
Yup. It's the only way to get back to a known state. Wiping and
reinstalling from original media.

But that's not needed, you can find which process is using that
particular port and kill it (use lsof).

BUT, that assumes lsof hasn't been replaced.

Are we getting paranoid? So what if it was replaced, is it going to
lie and you are not going to catch the lie? Granted you need some
experience, knowledge and/or outside help.

Rene have you ever done forensic analysis on a system that had been
infected with a kernel mode rootkit installed? Do you work with folks
in a security operations center, or have a team at your company that
responds to incidents? You may need to widen your circle of
colleagues.

Do you have any experience at all?

Honestly, I was just wondering the same about you.

If you think that there aren't stealth malware out there and kernel
mode rootkits that can't be detected, I think you need to figure out
what exactly "0day" code is, why it's prized in the black hat
community, and just how much of it is out there that AV and IDS
vendors don't yet know about.

Your mentality may get you cleaned up from a script kiddie attack, but
for all you know, you're probably working right now on a machine owned
by someone with just a little more knowledge than a script kiddie.

"Evade detection", you must be kidding.

Nope.

Arguing against flattening and rebuilding a compromised system? You
must be kidding.

FYI most rootkits are very simple, they install a modified telnet or
ssh and some scripts, that's it;

Most are. It's the rest your method is gonna screw ya hard if you
think you can use bandaids to patch up a compromised machine with
cancer.

and any good anti-virus detects those and you have the option of
using things like tripwire so you don't even need anti-virus.

Antivirus? Oh dear god--are you a windows drone?

Tripwire is great if you're using it already. But reread the original
post--what are the odds that the OP is a) using it and b) monitoring
changed files on a regular basis and c) able to undo anything that's
done? And here's the deal, if someone owns your system with a kernel
mode rootkit and can intercept library calls coming from a program
like tripwire, tripwire can be made to hum along like nothing is the
matter. That of course you could get around running the analysis from
a bootable CD.

If you really want to do things carefully, you can boot from a CD
and check your drive from there. There are several options for the
CD, I have "System Rescue CD".

Did you get a Hello Kitty sticker when you burned that CD?
If you think it's gonna clean you up from anything more than script
kiddie stuff, you have got a lot of learning to do.

Auditor and Helix would be better choices.

Sorry, I don't mean to shred you but you are strenuously clinging to
an asinine position on this one.

Best Regards,
--
Todd H.
http://www.toddh.net/