i wanted to ask if anyone knows of any tools that are explicitly designed to basically hack logfiles but without getting access to the system (i.e. rm -f /var/log/SYSLOG). what you do is abuse the server's respect of the backspace character to overwrite your malicious request with a more normal looking one. example: send in a request to a web server for, say, ..\..\system32\cmd.exe but follow it up with ^H^H^H^H^HNormal Looking Log Entry ....

simple nomad described this technique in a talk entitled "stealth communications across networks" at blackhat '00 and SANS '01. i've been coding a tool to implement some of his methods, this technique (the backspace one, or the huge buffer to overflow the flex scanner (1)) included. any other tools out there to do this? mine may never see public release so ...

notes:
1. please see http://sec.subnet.dk/texts/ms-iis4-avoid-log.txt ... oh, this also works on netscape's server (or did as of IRIX 6.5).

____________________________
jose nazario joseat_private
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
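Added example (not code from the post or from the tool the poster mentions): a small Python check a log analyst can run over raw access-log lines to spot the backspace trick described above. It contrasts what a terminal renders with what the bytes actually contain, and escapes control characters the way modern web servers do before writing a line. The log entries are constructed samples.

```python
import re
from typing import Iterable, List

# C0 control characters (except tab) plus DEL: none of these belong in a
# well-formed access-log line, so their presence is the detection signal.
CONTROL_RE = re.compile(r'[\x00-\x08\x0a-\x1f\x7f]')

# Constructed sample entries. The second one carries the backspace trick: the real
# request is followed by 13 backspaces (enough to back over "..\..\cmd.exe") and then
# an innocuous-looking path, so a terminal shows a normal request.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Aug/2001:10:00:00 -0700] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.9 - - [09/Aug/2001:10:00:01 -0700] "GET /..\\..\\cmd.exe'
    + '\x08' * 13 + 'index.html HTTP/1.0" 200 512',
    '10.0.0.7 - - [09/Aug/2001:10:00:02 -0700] "GET /about.html HTTP/1.0" 200 256',
]


def has_control_chars(line: str) -> bool:
    """True if the raw line contains any control byte that could alter its rendering."""
    return CONTROL_RE.search(line) is not None


def escape_control_chars(line: str) -> str:
    """Make control bytes visible as \\xNN, the way Apache 2.x escapes them before logging."""
    return CONTROL_RE.sub(lambda m: '\\x%02x' % ord(m.group()), line)


def render_as_terminal(line: str) -> str:
    """Approximate what `cat` of the raw file shows: backspace moves the cursor one column
    left without deleting, carriage return moves it to column 0, and later characters
    overwrite whatever sits under the cursor. Other control bytes are dropped."""
    buf: List[str] = []
    cursor = 0
    for ch in line:
        if ch == '\x08':
            cursor = max(cursor - 1, 0)
        elif ch == '\r':
            cursor = 0
        elif CONTROL_RE.match(ch):
            continue
        else:
            if cursor < len(buf):
                buf[cursor] = ch
            else:
                buf.append(ch)
            cursor += 1
    return ''.join(buf)


def find_suspicious(lines: Iterable[str]) -> List[int]:
    """Return the indexes of lines whose rendered form differs from their raw bytes."""
    return [i for i, ln in enumerate(lines) if has_control_chars(ln)]
```

Running find_suspicious over a real file and printing escape_control_chars for each hit shows the analyst the request that was actually made, whatever the terminal displays.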
This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 23:08:21 PDT