Security Incidents mailing list archives

Re: IIS web server hacked..any tips?


From: Valdis.Kletnieks () vt edu
Date: Fri, 17 Dec 2004 13:32:59 -0500

On Thu, 16 Dec 2004 17:47:51 PST, David LeBlanc said:

> So you'd set the switch, boot the system, wait until you want to
> snapshot it, and then use the debugger to look at anything in memory you
> like. Windbg will do this, and I think SoftIce does, too. The owned
> system is defenseless against an external kernel debugger.

Well.. that's not *really* a totally external debugger.  For starters, you're
assuming the system is cooperating enough to *start* the debugger, and to keep
talking to it.  There's no good way to *force* (on the *hardware* level) the
system to cooperate across that serial cable.  A *sufficiently* 0wned box can
simply ignore that port - it's just that no rootkits so far have bothered to
protect against it.  (Think about it - if it's a boot.ini flag, all I have to
do is add a rootkit part that says "ignore that boot.ini flag" and the debugger
is useless....)

The ieee1394/iPod trick is different in that the external 1394 device literally
*CAN* force itself into the system on the hardware level and do DMA to suck out
all the RAM contents, totally without any cooperation from the system.
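The boot.ini flag discussed above is an ordinary line in a plain-text file, which is the whole point of the argument: anything the operating system reads from disk is under the control of whatever owns the box. The following added example (not code from this post or thread) parses an NT-family boot.ini and reports, per entry, whether the serial kernel debugger is enabled and on which port. The boot.ini content is constructed for illustration; the switch names it looks for (/debug, /nodebug, /debugport=, /baudrate=) are the documented boot.ini options. A defender can use such a check for forensic readiness on a host that is still trusted; on a compromised host the result is only as good as the host's cooperation, as the post says.

```python
"""Audit an NT-family boot.ini for kernel-debugger switches.

Added example, not part of the original mailing-list post. The boot.ini
text below is constructed; the switch names are the documented options.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: one entry with the serial debugger enabled, one without.
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect /debug /debugport=com1 /baudrate=115200
multi(0)disk(0)rdisk(0)partition(2)\\WINNT="Microsoft Windows 2000" /fastdetect /nodebug
"""

# ARC path, quoted description, then optional /switches.
ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<desc>[^"]*)"(?P<rest>.*)$')


@dataclass
class BootEntry:
    arc_path: str
    description: str
    # switch name (lower-case, without the slash) -> value or None for bare flags
    switches: dict[str, str | None] = field(default_factory=dict)

    @property
    def debugger_enabled(self) -> bool:
        # /debug turns the kernel debugger on; /nodebug on the same line turns it off.
        return "debug" in self.switches and "nodebug" not in self.switches


def parse_boot_ini(text: str) -> tuple[dict[str, str], list[BootEntry]]:
    """Return ([boot loader] key/values, list of [operating systems] entries)."""
    loader: dict[str, str] = {}
    entries: list[BootEntry] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot loader":
            key, _, value = line.partition("=")
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            m = ENTRY_RE.match(line)
            if not m:
                continue  # malformed entry; skip rather than guess
            entry = BootEntry(m.group("path").strip(), m.group("desc"))
            for token in m.group("rest").split():
                if not token.startswith("/"):
                    continue
                name, _, value = token[1:].partition("=")
                entry.switches[name.lower()] = value.lower() if value else None
            entries.append(entry)
    return loader, entries


def debugger_report(text: str) -> list[dict]:
    """One row per boot entry: is it the default, is the debugger on, which port."""
    loader, entries = parse_boot_ini(text)
    default = loader.get("default", "").lower()
    return [
        {
            "description": e.description,
            "is_default": e.arc_path.lower() == default,
            "debugger_enabled": e.debugger_enabled,
            "debugport": e.switches.get("debugport"),
            "baudrate": e.switches.get("baudrate"),
        }
        for e in entries
    ]


if __name__ == "__main__":
    for row in debugger_report(SAMPLE_BOOT_INI):
        print(row)
```

Run it as-is to see the two constructed entries reported; point it at a real boot.ini read from a mounted, write-blocked disk image if you want the same answer from outside the suspect system, which sidesteps the cooperation problem for the configuration file even though it does nothing for the live memory the debugger would have shown.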
