Hi Mark, I would recommend using SuCKIT (http://sd.is.agent.fbi.cz/suckit) or Adore (http://teso.scene.at/releases/adore-0.42.tgz). Both are kernel module based trojans. SuCKIT is particularly interesting in that it works on systems which do not have kernel module support built in. I'm a student at PSU, if you'd ever like some volunteer help with compsec related courses, I have quite a lot of experience and would love to help. cheers, --jared On Wed, 18 Sep 2002, Mark Morrissey wrote: > > I am teaching a class in computer forensics this fall term and want to > give an assignment for students to investigate a machine that has been > compromised. I would like the machine to have been compromised by me using > a rootkit that includes at least some source. I have an image of a system > that was compromised with t0rn, but the images are all too large to be > easily used. > > My plan is to build a linux system using very small (about 200 MB) disks. > The idea is then to rootkit this machine from another box. I'll put them > on a private network so that I can be sure it was me who did the > compromising. I'll then make the hard drives available on a different > machine (unmounted) and let the students begin with imaging drives and go > all the way through report writing. > > Does anyone know of a rootkit that has at least some source that would be > good for this. I can build the machine from any version linux 6.0 or > above. The reason for the source code is that I intend to shut down the > compromised machine after deleting the source tree so that there is source > code as well as binaries in the deleted space. > > Of course, I could be slightly insane, but that's another issue... > > --mark > --- > Mark Morrissey markemat_private > Lecturer in Computer Science www.cs.pdx.edu/~markem > > > ----------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > > ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Sep 23 2002 - 14:09:51 PDT