On Thu, 02 Nov 2006 06:47:02 PST, Brian Dessent said: > 8. Using rootkit installed in 6, get privilege and manipulate log files, > utmp, kernel state, et al. to cover any traces of a shutdown. "Funny.. when I left for lunch I was logged in and a screensaver running..." It's really hard to put the state back exactly the way it was - currently running processes are particularly obnoxious. At best, you can make it not-too-obtrusive. Of course, with *most* users, stealth isn't required, as they'll just assume the frikking thing crashed and rebooted again. It's also loads of fun if the box in question is a server that's being monitored by Big Brother or similar. Kinda hard to erase the 'red' marker on the big screen in the NOC. Similar comments apply to machines that report to a central syslog server...
Attachment:
pgpETL5u0J4Fy.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/