Re: Need to rootkit a machine

From: Jared Stanbrough (jaredsat_private)
Date: Mon Sep 23 2002 - 12:08:49 PDT


    Hi Mark,
    
    I would recommend using SuCKIT (http://sd.is.agent.fbi.cz/suckit) or Adore
    (http://teso.scene.at/releases/adore-0.42.tgz). Both are kernel-module-based
    trojans. SuCKIT is particularly interesting in that it works on systems
    which do not have kernel module support built in.
    
    I'm a student at PSU; if you'd ever like some volunteer help with compsec-related
    courses, I have quite a lot of experience and would love to help.
    
    cheers,
    --jared
    
    On Wed, 18 Sep 2002, Mark Morrissey wrote:
    
    >
    > I am teaching a class in computer forensics this fall term and want to
    > give an assignment for students to investigate a machine that has been
    > compromised. I would like the machine to have been compromised by me using
    > a rootkit that includes at least some source. I have an image of a system
    > that was compromised with t0rn, but the images are all too large to be
    > easily used.
    >
    > My plan is to build a linux system using very small (about 200 MB) disks.
    > The idea is then to rootkit this machine from another box. I'll put them
    > on a private network so that I can be sure it was me who did the
    > compromising. I'll then make the hard drives available on a different
    > machine (unmounted) and let the students begin with imaging drives and go
    > all the way through report writing.
    >
    > Does anyone know of a rootkit that has at least some source that would be
    > good for this? I can build the machine from any version of Linux 6.0 or
    > above. The reason for the source code is that I intend to shut down the
    > compromised machine after deleting the source tree so that there is source
    > code as well as binaries in the deleted space.
    >
    > Of course, I could be slightly insane, but that's another issue...
    >
    > --mark
    > ---
    > Mark Morrissey			markemat_private
    > Lecturer in Computer Science    www.cs.pdx.edu/~markem
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    