Full Disclosure mailing list archives

Re: Rootkit


From: <kernelclue () hushmail com>
Date: Fri, 26 Sep 2003 14:53:41 -0700

Um, what operating system are you talking about?  What remote root exploits?

If it's a Linux variant, strings is your friend.

Also, I'm not sure if this is the proper forum for this type of question.
One of the Security Focus mailing lists seems more appropriate.


On Fri, 26 Sep 2003 13:57:14 -0700 David Hane <dlhane () sbcglobal net>
wrote:
Hi all,

I recently had a machine get hacked before I could finish installing all the
damn remote-root exploit patches that have been released in the last week.
I've done the forensics and I know how they got in and what they did but I
would like to know what rootkit they used.

Can anyone recommend a good scanner or info site where I can compare some of
the binaries I saved (the machine has been wiped)?

Also, am I the only one who is totally exhausted from trying to keep up with
the last couple of weeks' patch frenzy? I would have had my last server
patched before the attack but things like sleep, food, and bathroom time got
in the way :-)

Thanks for the help,

Dave


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
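The `strings` approach the reply suggests, worked through as an added example (this is not code from either poster): it pulls printable runs out of a recovered binary the way `strings -n 4` does, hashes the file, and diffs its string set against a known-good copy of the same binary, which is the comparison the original poster asked about. The clean and trojaned `ls` blobs are constructed stand-ins, not real binaries, and the path and symbol name in the suspect copy are made up for illustration rather than taken from any real rootkit. It assumes you can obtain a clean copy of the same package version (from the distribution's original package, for instance) to compare against.

```python
"""Triage a recovered binary the `strings` way: extract printable runs,
hash the file, and diff its strings against a known-good copy."""
import hashlib
import re
from typing import Iterable

DEFAULT_MIN_LEN = 4  # same default as binutils `strings`

# Heuristic for the strings to search on first: absolute paths and IPv4 addresses.
_INTERESTING = re.compile(r"^/|\b\d{1,3}(?:\.\d{1,3}){3}\b")


def extract_strings(data: bytes, min_len: int = DEFAULT_MIN_LEN) -> list[str]:
    """Return every run of at least min_len printable ASCII bytes, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare(known_good: bytes, suspect: bytes) -> dict:
    """Diff the string sets of two copies of the same binary."""
    good, bad = set(extract_strings(known_good)), set(extract_strings(suspect))
    return {
        "same_hash": sha256(known_good) == sha256(suspect),
        "added": sorted(bad - good),    # only in the recovered copy
        "removed": sorted(good - bad),  # in the clean copy but gone from the suspect
    }


def interesting(strings: Iterable[str]) -> list[str]:
    """Narrow a diff to strings that usually identify a kit: paths and IPs."""
    return [s for s in strings if _INTERESTING.search(s)]


# Constructed stand-ins for a clean and a recovered /bin/ls (NOT real binaries,
# NOT any real rootkit's strings): an ELF-ish header, the usage text and a libc
# reference, with the suspect copy carrying two extra strings.
CLEAN_LS = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"usage: ls [OPTION]... [FILE]...\x00"
    + b"libc.so.6\x00" + b"\x01\x02\x03"
)
SUSPECT_LS = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"usage: ls [OPTION]... [FILE]...\x00"
    + b"libc.so.6\x00"
    + b"/tmp/.example-hidden\x00"  # constructed: directory the trojan would omit from listings
    + b"hide_proc\x00"              # constructed: symbol name left in the trojaned copy
    + b"\x01\x02\x03"
)


def triage(known_good: bytes = CLEAN_LS, suspect: bytes = SUSPECT_LS) -> list[str]:
    """Build the short report you would read before searching on the findings."""
    result = compare(known_good, suspect)
    lines = [f"hash match: {result['same_hash']}"]
    lines += [f"added:   {s}" for s in result["added"]]
    lines += [f"removed: {s}" for s in result["removed"]]
    lines += [f"search first: {s}" for s in interesting(result["added"])]
    return lines


if __name__ == "__main__":
    print("\n".join(triage()))
```

The hash mismatch on its own only tells you the file was replaced; the strings that exist solely in the recovered copy (paths, process or symbol names, odd error messages) are what you then search the published rootkit write-ups for. Two caveats: a kit that is packed or keeps its strings encrypted will show you nothing useful here, so an empty diff is not a clean bill, and the clean copy must be the exact same package version or the diff fills up with legitimate build differences.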