Re: Need to rootkit a machine

From: abuse (abuseat_private)
Date: Mon Sep 23 2002 - 08:25:02 PDT


    You could grab one of the old 'scans of the month' from the honeynet project.
    
    http://project.honeynet.org/misc/chall.html
    
    
    mike
    
    
    At 08:39 AM 9/18/2002 -0700, Mark Morrissey wrote:
    
    >I am teaching a class in computer forensics this fall term and want to
    >give an assignment for students to investigate a machine that has been
    >compromised. I would like the machine to have been compromised by me using
    >a rootkit that includes at least some source. I have an image of a system
    >that was compromised with t0rn, but the images are all too large to be
    >easily used.
    >
    >My plan is to build a linux system using very small (about 200 MB) disks.
    >The idea is then to rootkit this machine from another box. I'll put them
    >on a private network so that I can be sure it was me who did the
    >compromising. I'll then make the hard drives available on a different
    >machine (unmounted) and let the students begin with imaging drives and go
    >all the way through report writing.
    >
    >Does anyone know of a rootkit that has at least some source that would be
    >good for this. I can build the machine from any version of Linux 6.0 or
    >above. The reason for the source code is that I intend to shut down the
    >compromised machine after deleting the source tree so that there is source
    >code as well as binaries in the deleted space.
    >
    >Of course, I could be slightly insane, but that's another issue...
    >
    >--mark
    >---
    >Mark Morrissey                  markemat_private
    >Lecturer in Computer Science    www.cs.pdx.edu/~markem
    >
    >
    >-----------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management
    >and tracking system please see: http://aris.securityfocus.com
    
    ---------------------------------------------------------------------
    www.webfargo.com
    CCDA   CCNA   CCSA   CCSE   MCP+I   MCSE
    PGP key available
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
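The recovery step Mark's plan sets up, a deleted source tree and its binaries surviving in unallocated space after the machine is shut down, is what the students would carve for once they have imaged the drives. The following is an added example written for this archive page, not code from either poster or from the Honeynet challenges: it builds a constructed in-memory "disk image" (raw filler standing in for unallocated blocks, with a C fragment, a Makefile fragment and an ELF header embedded), hashes the image the way an acquired drive image would be hashed for later verification, and reports every printable text run and ELF magic by byte offset. Every name and byte value in it is constructed for the illustration.

```python
"""Carve deleted-source artefacts out of a raw disk image (added example)."""
import hashlib
import re
from typing import Dict, List

# Constructed sample "disk image" (hypothetical; not an image from the post).
# Raw binary filler stands in for unallocated space; a C source fragment,
# a Makefile fragment and an ELF header survive between the filler bytes.
C_FRAGMENT = (
    b"#include <stdio.h>\n"
    b"int main(void) {\n"
    b'    puts("hello");\n'
    b"    return 0;\n"
    b"}\n"
)
MAKEFILE_FRAGMENT = b"CC=gcc\nall: prog\n\t$(CC) -o prog prog.c\n"
ELF_HEADER = b"\x7fELF\x01\x01\x01" + b"\x00" * 40

SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"\x42\x10\xff" * 20   # filler that never forms a long printable run
    + C_FRAGMENT             # starts at byte offset 124
    + b"\x00" * 128
    + MAKEFILE_FRAGMENT      # starts at byte offset 323
    + ELF_HEADER             # magic at byte offset 362
)

# Printable ASCII (plus tab, LF, CR) runs of at least MIN_RUN bytes.
MIN_RUN = 16
TEXT_RUN = re.compile(rb"[\t\n\r\x20-\x7e]{%d,}" % MIN_RUN)
MAKE_RULE = re.compile(rb"^[\w.-]+:", re.M)


def sha256_hex(data: bytes) -> str:
    """Hash the whole image so the evidence copy can be verified later."""
    return hashlib.sha256(data).hexdigest()


def classify_text(run: bytes) -> str:
    """Label a text run using cheap source-code markers."""
    if b"#include" in run or b"int main" in run:
        return "c-source"
    if MAKE_RULE.search(run) and b"\t" in run:
        return "makefile"
    return "text"


def carve(image: bytes) -> List[Dict[str, object]]:
    """Return every text run and ELF header found, ordered by byte offset."""
    hits: List[Dict[str, object]] = []
    for m in TEXT_RUN.finditer(image):
        run = m.group()
        hits.append({"offset": m.start(), "kind": classify_text(run),
                     "length": len(run),
                     "preview": run[:40].decode("ascii")})
    pos = image.find(b"\x7fELF")
    while pos != -1:
        hits.append({"offset": pos, "kind": "elf-header", "length": 4,
                     "preview": "ELF magic"})
        pos = image.find(b"\x7fELF", pos + 4)
    return sorted(hits, key=lambda h: h["offset"])


def report(image: bytes) -> str:
    """Human-readable summary: image hash first, then one line per hit."""
    lines = [f"image sha256: {sha256_hex(image)}"]
    for h in carve(image):
        lines.append(f"offset {h['offset']:>8}  {h['kind']:<10} {h['preview']!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_IMAGE))
```

On a real exercise the bytes would come from the image file rather than an inline constant, and the offsets reported here are what a student would then map back to filesystem blocks to argue that the files were deleted rather than never present.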
    



    This archive was generated by hypermail 2b30 : Mon Sep 23 2002 - 08:27:22 PDT