Re: rootkit and other bits'n'pieces.

Paul Danckaert (pauld@umbc.edu)
Wed, 26 Jun 1996 10:52:55 -0400 (EDT)

On Wed, 26 Jun 1996, Darren Reed wrote:

> I searched around the web on the weekend and found a frightening amount
> of hack/crack programs.
> 
> you can grab the stuff I found as:
> 
> ftp://ftp.cyber.com.au/pub/unix/rootkit.tgz (about 900k - gzip'd - of mostly
> all source code)
> [..snip..]
> 
> Things like "Alta Vista" are your friend!
> 
> Was rather sad to see so much, but...

Well, I personally don't mind seeing it too much.  It really comes down 
to the fact that these tools are actively being distributed in "hacker" 
circles, and by putting them up online they actually sort of even the 
score.  People trying to protect themselves have access to the tools 
people would use on them, can analyze them, and try to protect themselves 
accordingly.  

In a way it comes down to the full disclosure argument, where people argue
if exploits for the security holes should be released.  By having access 
to these tools, you are able to analyze them, and not only protect 
against that particular attack, but perhaps others in its class.  (For 
example, seeing ypx may make people more aware of rpc vulnerabilities and 
protect themselves against the class of rpc-based exploitations, rather 
than just changing their nis domainname..)  Releasing the exploits also 
gives them to a wider range of people, but considering how easy it is to 
get most of these things (irc, for example) I doubt that it makes a very 
big difference.

There are several archives that are heavily used in "hacker" circles, and 
keep a large (and up to date) archive of tools, information, etc.  One of 
the nicer ones is ftp://ftp.infonexus.com/.  

[ObSecurityNote]

We have seen quite an increase in web-related attacks, specifically 
trying to exploit cgi's with %0a (newline) characters, trying to grab 
password files, and run other commands.  I would recommend grep'ing 
through some of your web server logs looking for passwd, %0a, %0A, and 
things like that.  Just in the last few weeks these attacks have 
increased to the point of several a week.
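A small log scanner in the spirit of the grep suggested above, added here as an example and not part of the original post. The log lines are constructed in Common Log Format with placeholder CGI paths; the scanner checks the raw request and then one and two rounds of URL-decoding so that mixed-case and double-encoded newlines are caught along with "passwd".

```python
import re
from urllib.parse import unquote

# Constructed sample access log (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jun/1996:10:12:01 -0400] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [26/Jun/1996:10:13:44 -0400] "GET /cgi-bin/lookup?name=x%0a/etc/passwd HTTP/1.0" 200 512
10.0.0.9 - - [26/Jun/1996:10:14:02 -0400] "GET /cgi-bin/query?name=a%0A/bin/ls HTTP/1.0" 404 0
10.0.0.7 - - [26/Jun/1996:10:15:30 -0400] "GET /cgi-bin/test?q=%250a/etc/passwd HTTP/1.0" 200 88
10.0.0.3 - - [26/Jun/1996:10:16:10 -0400] "GET /docs/passwords.html HTTP/1.0" 200 2210
"""

# Pull the request target out of the quoted "METHOD target HTTP/x.y" field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def classify(line):
    """Return {indicator: stage} for a log line, empty if nothing suspicious.

    Stages are "raw", "decoded once", "decoded twice": the first stage at which
    an encoded/literal newline or CR, or the string "passwd", shows up.
    """
    m = REQUEST_RE.search(line)
    if not m:
        return {}
    found = {}
    stage = m.group("target")
    for label in ("raw", "decoded once", "decoded twice"):
        low = stage.lower()  # %0a and %0A are the same byte once decoded
        if "%0a" in low or "%0d" in low or "\n" in stage or "\r" in stage:
            found.setdefault("newline", label)
        if "passwd" in low:  # does not match "passwords"
            found.setdefault("passwd", label)
        nxt = unquote(stage)
        if nxt == stage:  # nothing left to decode
            break
        stage = nxt
    return found


def scan(log_text):
    """Return [(line_number, indicators)] for every suspicious line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        found = classify(line)
        if found:
            hits.append((n, found))
    return hits


if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG):
        print(f"line {n}: {found}")
```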