[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Removing ShKit Root Kit

To: Brian Eckman <eckman@umn.edu>
Subject: Re: [Full-Disclosure] Removing ShKit Root Kit
From: "Larry W. Cashdollar" <lwc@vapid.ath.cx>
Date: Mon, 22 Dec 2003 16:33:02 -0500 (EST)

On Mon, 22 Dec 2003, Brian Eckman wrote:

> Schmehl, Paul L wrote:

> Hmmm. Well, if the execute bit isn't set, then I'd assume it can be
> considered relatively safe. If the attacker can later find a way to
> chmod it and then execute it with the privliges needed to make it
> harmful, then I imagine that they could find other ways of compromising
> your machine as well.
>

The attacker could have also added a new user to your oracle database, so
I see where Paul is coming from.   Restoring actual data from a known good
copy is a better idea. I suspect that most people keep a backup copy
(raw dd) of a compromised system for the feds and a copy for themselves to
explore.  Other than that nothing can be trusted from the compromised
system.

-- Larry C$

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Removing ShKit Root Kit
  - From: Brian Eckman <eckman@umn.edu>

References:
- Re: [Full-Disclosure] Removing ShKit Root Kit
  - From: Brian Eckman <eckman@umn.edu>

Prev by Date: Re: [Full-Disclosure] Removing ShKit Root Kit
Next by Date: Re: [Full-Disclosure] Removing ShKit Root Kit
Previous by thread: Re: [Full-Disclosure] Removing ShKit Root Kit
Next by thread: Re: [Full-Disclosure] Removing ShKit Root Kit
Index(es):
- Date
- Thread