Re: [Full-Disclosure] Removing ShKit Root Kit
- To: full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] Removing ShKit Root Kit
- From: Brian Eckman <eckman@umn.edu>
- Date: Mon, 22 Dec 2003 14:12:53 -0600
Schmehl, Paul L wrote:
> <snip>
> This advice is common, and it's always mystified me. Why would you want
> backups of the "data"? If the box is compromised, you can't trust
> *anything* on it, can you? How can you know for certain that "data"
> isn't a cleverly concealed backdoor?
Hmmm. Well, if the execute bit isn't set, then I'd assume it can be
considered relatively safe. If the attacker can later find a way to
chmod it and then execute it with the privileges needed to make it
harmful, then I imagine that they could find other ways of compromising
your machine as well.
For Windows, if it's a backdoor that is named something.txt, well,
again, the attacker would have to find a way to rename that file and
execute it with appropriate permissions. Again, I imagine that if they
can do that, they could find other ways of compromising your
machine as well.
> <snip>
Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
"There are 10 types of people in this world. Those who
understand binary and those who don't."
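The exchange above turns on whether a "data" file pulled off a compromised box can be trusted when its execute bit is clear. One check a defender would want before restoring such a backup is to confirm that every file is neither executable by mode (execute, setuid or setgid bits) nor executable by content (an ELF, PE or script header hiding behind a harmless name). The script below is an added example, not code from either poster; the `EXEC_MAGIC` table and the function names are this example's own, and the magic-byte list is a constructed starting point rather than an exhaustive one.

```python
import os
import stat

# Leading bytes that mark executable content regardless of the file's name.
# Constructed for this example; extend with formats relevant to your hosts.
EXEC_MAGIC = {
    b"\x7fELF": "ELF binary",
    b"MZ": "PE/DOS executable",
    b"#!": "script with interpreter line",
    b"\xca\xfe\xba\xbe": "Mach-O fat binary / Java class",
}


def classify(path, mode, head):
    """Return a list of findings for one file.

    `path` is used only for reporting, `mode` is the st_mode integer and
    `head` is the first few bytes of content. A clean data file yields [].
    """
    findings = []
    if not stat.S_ISREG(mode):
        return findings  # directories, symlinks etc. carry no payload here
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("execute bit set")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid/setgid bit set")
    for magic, label in EXEC_MAGIC.items():
        if head.startswith(magic):
            findings.append(f"executable content ({label})")
            break
    return findings


def audit_restore_set(root):
    """Walk a directory of restored 'data' and return {relative_path: findings}
    for every file that is executable by mode or by content."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)          # lstat: do not follow planted symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            with open(full, "rb") as fh:
                head = fh.read(8)
            findings = classify(full, st.st_mode, head)
            if findings:
                report[os.path.relpath(full, root)] = findings
    return report


if __name__ == "__main__":
    import sys
    # Usage: python audit_restore.py /path/to/restored/data
    for path, findings in sorted(audit_restore_set(sys.argv[1]).items()):
        print(f"{path}: {', '.join(findings)}")
```

Run it over the staging directory before the restore, not on the compromised host itself: the point of the check is that the mode bits and content are examined by a system you still trust. An empty report means every file is plain data by both tests; anything listed is worth a second look rather than a blind restore.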
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html