Re: Urgent!!! My computer seems to be hacked, pls HELP!!!



Randy Yates wrote:
> Chris Mattern <syscjm@xxxxxxx> writes:
>
>> René Berber wrote:
>>
>>> Darren Dunham wrote:
>>>
>>>> Unless the CD nukes any unknown (read non-OS) executable on the drive or
>>>> you have some known state to compare against (a la tripwire), I don't
>>>> see how you can effectively check a drive. It's certainly possible, but
>>>> requires you've done work before the attack. Afterward is too late.
>>>
>>> Not true, and it really makes no sense continuing to discuss this.
>>
>> Yes, true. Once a hacker gains root access to your box, you cannot
>> trust *any* program or library on it again. I thought this would've
>> been almost self-evident, but I guess it isn't to some people.
>
> Instead of both sides making empty claims, why not back the claims up
> with some specific, concrete examples or possibilities? I for one
> would love to see how these "rootkits" accomplish their nasty tricks,
> and would like to try my mind at defeating them.


Instead of both sides making empty claims, why not back the claims up
with some specific, concrete examples or possibilities? I for one
would love to see how these "rootkits" accomplish their nasty tricks,
and would like to try my mind at defeating them.

Specific concrete examples are easy to see. You use lsof and ps
to see what's running on your box and what processes are running.
But lsof and ps are program files writable by anyone who has root;
the rootkit can rewrite them to its own specification. You use
ls to look at the files--the rootkit can rewrite this as well.
Every OS program on your system uses libc, which, once again, the
rootkit can rewrite so that you see only what it wants you to see.
In short, every bit of program code on your box can be rewritten
by the hacker so that it shows you only what he wants you to see.
If he reboots your box, he can even subvert the kernel itself. In
fact, he can subvert the kernel even *without* rebooting the box by
careful manipulation of memory. How can any of it be trusted?

--
Christopher Mattern

"Which one you figure tracked us?"
"The ugly one, sir."
"...Could you be more specific?"
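The libc-level subversion Chris describes (ls sees only what the patched readdir lets it see) and the cross-check that catches it, as an added example that is not part of the thread. The program is Linux-only (it calls getdents64 through syscall(2)); the ".rk_" prefix is a hypothetical marker for what the kit hides, and the hook is simulated inside the listing function rather than by actually replacing libc on the machine:

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#define MAX_NAMES 256
#define NAME_LEN  256
/* Hypothetical marker: the simulated rootkit hides every name that starts
   with this. A real kit picks its own names; the prefix is an assumption. */
#define HIDE_PREFIX ".rk_"

/* getdents64 record layout as the Linux kernel returns it. */
struct kdirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

typedef struct { int n; char names[MAX_NAMES][NAME_LEN]; } namelist;

static void add_name(namelist *l, const char *s) {
    if (!strcmp(s, ".") || !strcmp(s, "..") || l->n >= MAX_NAMES) return;
    snprintf(l->names[l->n++], NAME_LEN, "%s", s);
}

/* View 1: the libc path (opendir/readdir) with the filter a subverted
   libc would apply. Every libc-linked tool, ls included, gets this view. */
static int list_via_libc_hooked(const char *dir, namelist *out) {
    out->n = 0;
    DIR *d = opendir(dir);
    if (!d) return -1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!strncmp(e->d_name, HIDE_PREFIX, strlen(HIDE_PREFIX)))
            continue;                      /* simulated rootkit hook */
        add_name(out, e->d_name);
    }
    closedir(d);
    return 0;
}

/* View 2: ask the kernel directly with getdents64, bypassing libc's
   directory code. Only a kernel-level kit can lie here. */
static int list_via_getdents64(const char *dir, namelist *out) {
    out->n = 0;
    int fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[8192];
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (nread <= 0) break;
        for (long pos = 0; pos < nread; ) {
            struct kdirent64 *d = (struct kdirent64 *)(buf + pos);
            add_name(out, d->d_name);
            pos += d->d_reclen;
        }
    }
    close(fd);
    return 0;
}

static int contains(const namelist *l, const char *s) {
    for (int i = 0; i < l->n; i++)
        if (!strcmp(l->names[i], s)) return 1;
    return 0;
}

/* Cross-view diff: names the kernel reports that the libc view omits.
   Returns the number of hidden names (copied into *hidden), -1 on error. */
int cross_view_hidden(const char *dir, namelist *hidden) {
    namelist libc_view, kernel_view;
    hidden->n = 0;
    if (list_via_libc_hooked(dir, &libc_view) < 0) return -1;
    if (list_via_getdents64(dir, &kernel_view) < 0) return -1;
    for (int i = 0; i < kernel_view.n; i++)
        if (!contains(&libc_view, kernel_view.names[i]))
            add_name(hidden, kernel_view.names[i]);
    return hidden->n;
}

/* Constructed sample: a temp directory with two ordinary files and one
   that the simulated hook hides. Writes the path into `path`; 0 on success. */
int make_sample_dir(char *path, size_t len) {
    const char *files[] = { "notes.txt", "sshd_config", HIDE_PREFIX "backdoor" };
    snprintf(path, len, "%s", "/tmp/rkdemo.XXXXXX");
    if (!mkdtemp(path)) return -1;
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
        char p[512];
        snprintf(p, sizeof p, "%s/%s", path, files[i]);
        int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0) return -1;
        close(fd);
    }
    return 0;
}

int main(void) {
    char dir[64];
    namelist hidden;
    if (make_sample_dir(dir, sizeof dir) < 0) return 1;
    int n = cross_view_hidden(dir, &hidden);
    printf("%d name(s) hidden from the libc view of %s\n", n, dir);
    for (int i = 0; i < n; i++) printf("  hidden: %s\n", hidden.names[i]);
    return n == 1 ? 0 : 1;
}
```

This is the same cross-view idea that tools like chkrootkit and rkhunter use: two independent routes to the same fact, and any disagreement is the tell. It only helps if the second route is trusted, so the check has to run as a statically linked binary from read-only media, and even then it says nothing about a kit that sits in the kernel, since both views then come from the same liar. That is exactly the point the post ends on.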