
Re: IDS: strings in backdoor binaries



Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
-----------------------------------------------------------------------------
Hi all!

>When an intruder has penetrated a system and installed trojan binaries, when
>a "strings" command is executed what text strings will appear in trojaned
>files (aside from "letmein" or "satori", of course) that will (probably) not
>show up in a non-trojaned binary? 
I recently analyzed some files left by the attacker (who was using
something similar to the lrk4 rootkit, but not quite). In some binaries, having
"/bin/sh" or just "sh" is definitely inappropriate (for example, the regular Linux
"in.fingerd" doesn't contain it and the trojaned one did).

Regards,
-- 
         Anton A. Chuvakin
>> Where is a will there is a way. <<
     http://www.chuvakin.org
          licq: 29034084
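As an added example (not part of the post above or of any list member's code), the heuristic Anton describes can be turned into a small baseline check: extract printable runs the way `strings` does, diff them against a known-good copy of the same binary, and separately look for exact matches of the strings the post calls out ("/bin/sh", "sh"). The two "binaries" below are constructed byte strings standing in for a clean and a trojaned `in.fingerd`; the function names and the `SUSPICIOUS` set are this example's own choices.

```python
"""Compare the printable strings of a suspect binary against a known-good baseline.

Added example, not code from the original mailing-list post. The sample
"binaries" are constructed byte blobs, not real ELF files.
"""
import re

# Default minimum run length, matching `strings` with no -n option.
MIN_LEN = 4

# Exact strings the post reports as inappropriate in a daemon such as
# in.fingerd. Extend this set with what your own baselines show is unusual.
SUSPICIOUS = {"/bin/sh", "sh"}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return runs of >= min_len printable ASCII bytes, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def new_strings(suspect: bytes, baseline: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Strings in `suspect` that the known-good `baseline` does not contain.

    The baseline must be the same program at the same version and build
    (e.g. from the distribution's package), otherwise ordinary version
    differences drown out the trojan's additions.
    """
    base = set(extract_strings(baseline, min_len))
    seen: set[str] = set()
    added: list[str] = []
    for s in extract_strings(suspect, min_len):
        if s not in base and s not in seen:
            seen.add(s)
            added.append(s)
    return added


def suspicious_strings(data: bytes) -> list[str]:
    """Exact matches of SUSPICIOUS among printable runs of length >= 2.

    A two-byte run like "sh" is only found with a short minimum length, so
    this deliberately scans at min_len=2 and only reports whole-run matches,
    never substrings (so "Shell: %s" does not trigger on "sh").
    """
    runs = set(extract_strings(data, min_len=2))
    return sorted(s for s in SUSPICIOUS if s in runs)


# Constructed stand-ins for a clean and a trojaned finger daemon.
GOOD_FINGERD = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"Login: %s\x00Directory: %s\x00Shell: %s\x00/etc/passwd\x00finger\x00"
    + b"\x90\x48\x31\xc0"
)
TROJANED_FINGERD = GOOD_FINGERD + b"\x00/bin/sh\x00letmein\x00-i\x00sh\x00"


def report(suspect: bytes, baseline: bytes) -> dict[str, list[str]]:
    """Summarise both checks for one suspect binary."""
    return {
        "added_vs_baseline": new_strings(suspect, baseline),
        "suspicious": suspicious_strings(suspect),
    }


if __name__ == "__main__":
    for name, blob in (("clean", GOOD_FINGERD), ("trojaned", TROJANED_FINGERD)):
        print(name, report(blob, GOOD_FINGERD))
```

On real files, read both binaries with `open(path, "rb").read()` and pass them to `report`. The baseline diff is the stronger signal; the short-run check for "sh" will occasionally fire on two machine-code bytes that happen to be printable, so treat it as a prompt to compare hashes against the package's known-good copy rather than as proof on its own.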