Root kit - Wikipedia, the free encyclopedia
Root kits are suites of programs which modify many of the tools and libraries upon which all programs on the system depend.
The key distinction between a computer virus and a root kit relates to propagation.
As with computer viruses, the detection and elimination of root kits will be an ongoing struggle between the creators of the tools on both sides of this conflict.
http://en.wikipedia.org/wiki/Rootkit

Windows Root Kits a Stealthy Threat
In contrast, a root kit hooks itself into the operating system's Application Program Interface (API), where it intercepts the system calls that other programs use to perform basic functions, like accessing files on the computer's hard drive.
Despite their increasingly sophisticated design, the current crop of Windows root kits are generally not completely undetectable, and Slanret is no exception.
Also known as "kernel mode Trojans," root kits are far more sophisticated than the usual batch of Windows backdoor programs that irk network administrators today.
http://www.securityfocus.com/news/2879

[No title]
Since the original root kits for Sun systems addressed SunOS 4.x (Berkeley style Unix) commands, and SunOS 5.x is System V Release 4 based Unix, the contents of various publicly available root kits are likewise confused as to which programs are to be replaced.
These trojan horse programs were bundled together in the form of "Root Kits", the original written for Sun's Berkeley flavor of Unix (SunOS 4) and later for Linux.
Title: "Root Kits" and hiding files/directories/processes after a break-in $Revision: 1.5 $ $Date: 2002/01/05 00:58:14 $ $Author: dittrich $ Question: Someone reported my computer was involved in a security incident, but I can't see anything wrong.
http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq

How to Convert HBOOK files to ROOT
With ROOT version 0.90, you can generate this skeleton function by executing the macro MakeCode.
The ROOT distribution kit includes a program called h2root that you can use to convert your HBOOK/PAW histograms or ntuples files into ROOT files.
This program converts HBOOK histograms into ROOT objects of the class TH1F.
http://root.cern.ch/root/HowtoConvert.html

LWN: Debian Investigation Report
The analysts also discovered the executable file which was used to gain root access on the machines, which was protected and obfuscated with Burneye.
It is fixed in Linux 2.4.23 which was released last weekend and in the Debian advisory DSA 403.
The attacker then retrieved the source code through HTTP for an (at that time) unknown local kernel exploit and gained root permissions via this exploit.
http://lwn.net/Articles/60924

[No title]
This technique is essential and provides a base of trusted utilities when analyzing files on a system that is being compromised with a root kit.
This is interesting; keep it in mind because that might indicate that the root kit was not installed successfully.
Since we are analyzing a backed-up bit "dd" image of the compromised root partition on a separate analysis system, this step is not required but recommended.
http://project.honeynet.org/scans/scan15/som/som31.txt

Root Kit - Definition
A dictionary of computer and technology terms explained in an easy to understand manner.
http://www.bleepingcomputer.com/glossary/definition294.html

LWN: A new Adore root kit
The Adore version performs like the one it replaces, except that it hides any files owned by a specific user and group ID. If you are a Black Hat trying to keep installed files out of the eye of the system administrator, this is the way to do it.
It's why the best reaction to this type of threat is to make it harder to "obtain root," by making "root" far less pervasive in a system.
A list of allowed modules won't help much if a user has root privileges.
http://lwn.net/Articles/75990

ROOT Tutorials
Extending ROOT with Shared Libraries and an Example of Object I/O
Copying a subset of a Tree to a new file (macro)
Reading all events of a ROOT Tree (macro)
http://root.cern.ch/root/Tutorials.html

rkdet - rootkit detector for Linux
A prebuilt package of programs to do this is known as a "rootkit".
It is recommended that users rebuild rkdet from source after customizing the messages etc. The binary here sends mail to "root" (you do forward root to a human, don't you??); it is suggested that at least the binary be renamed (and init.d/rkdet renamed/edited).
A number of exploits are available to gain root from a regular account using suid programs such as mount, cron, or game programs.
http://www.vancouver-webpages.com/rkdet

lf263, SystemAdministration: Root-kits and integrity
We consider he has all the permissions (administrator, root...) on this machine.
Now, we discover they are useless if they call functions from the jeopardized system.
It is obvious that every program part of the emergency kit must be statically compiled.
http://www.linuxfocus.org/English/November2002/article263.shtml

The Penguin Sleuth Kit
Also note that I have included a first responder's guide to previewing a computer using KNOPPIX which can be used with the Penguin Sleuth Kit.
For live previews this is ok, but for advanced users some of the tools, even the graphical ones, require that you run them as root.
Need external storage to run properly - foremost.sourceforge.net
http://www.linux-forensics.com/forensics/pensleuth.html

Steel White Table - Root Kit Detection Utility
There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.
Note that it doesn't clean anything it finds, it simply reports it; so, this is useless for most PC users unless they have some knowledge about Windows' innards.
http://steelwhitetable.org/blog/archives/2005/02/23/root-kit-detection-utility

NYU > ITS > SECURITY NEWS
The Jabber Software Foundation, provider of open source instant messaging software, has advised developers to validate their code after discovering that a breach of one of its servers was more serious than previously thought.
Jabber has locked down the machine for a full rebuild, and Jabber executive director Peter Saint-Andre says the website will return to normal operation after the risk has been addressed.
While it appears the root kit has not caused much damage, Jabber advises developers to validate their code as a precaution.
http://www.nyu.edu/its/security/news/archives/000373.html

broadband » Security 1. General Questions
If the computer was connected to the Internet for a long time with the backdoor installed, or if the malware used ICQ to actively contact hackers, then it is more likely the backdoor was used.
If you can't find the virus in the correct encyclopedia, click here to scan with a different scanner and then try that scanner's encyclopedia.
The words to look for in the description of the virus, worm or trojan are "root kit", "backdoor", "allows arbitrary code to be executed", or "remote access trojan".
http://www.dslreports.com/faq/10063

SANS Institute: Analysis of the T0rn rootkit
Also, just as a side note, the file size is one byte off from being eleet.
-r-xr-xr-x 1 root root 61244 Sept 26 1999 If t0rn is installed the user would see the following: -r-xr-xr-x 1 root root 31336 Sept 26 1999
Normally, if you were to run ls -la on /bin/ps (Red Hat 6.1) you would have the following output:
http://www.sans.org/y2k/t0rn.htm

BigUnix
Your computer can now be used by someone else, for almost whatever else.
If the virus is sophisticated, you would not even notice.
Here is a Google Groups Link to a post by a poor soul who somehow got infected with such a root kit.
http://bigunix.com/2004/06/21/virus.html

HTML FIX IT.COM: Cool Web Search becomes "Cool Root kit".
Put simply, they use Kernel level functions to hide themselves on users' systems.
For details and removal instructions, click the virus in question.
According to Eweek, that's about to change as common spyware programs use root kit like techniques to hide from detection and make removal more difficult.
http://htmlfixit.com/?p=714

Anatomy of a Root-Kit Hack
Root kits are widely known in the Unix and Linux community, but they are a fairly new problem in the Windows operating system world.
The user-level root kit that felled the IT executive's servers was tailored for French language use, and that's how it evaded detection by a widely deployed anti-virus tool used at the exec's company.
The machines had been infected by a user-level root kit.
http://www.eweek.com/article2/0,1759,1776615,00.asp

cola@nllgg.nl archief: Root kit detection: checkps 1.3-pre1 release
Pure software root kits show up like sore thumbs as far as the program is concerned.
You know what will blend into the background on your system (the default is httpd with no arguments). The current version with kill scanning enabled should detect all current linux root kits, even the module one I am aware of.
If so then checkps could be for you...
http://mail.nllgg.nl/cola/2000-10/63.html

Back door or root kit? Maybe Netstat can help - Computerworld
One of the most worrisome aspects of computer intrusions is that hackers generally prefer to avoid fame and try to hide their presence on compromised systems.
Once you've discovered that a computer has been infected by a root kit or backdoor Trojan, you should immediately disconnect any compromised systems from the Internet and/or company network by removing all network cables, modem connections and wireless network interfaces.
While there are numerous intrusion-detection products available to aid in identifying back doors and root kits, the Netstat command (available under Unix, Linux and Windows) is a handy built-in tool that systems administrators can use to quickly check for backdoor activity.
http://www.computerworld.com/printthis/2003/0,4814,1785-80817,00.html

2004_06_13.html rootkit, root kit
A really good root kit would of course consider what these sorts of programs would be looking for and cover itself appropriately, but there are practical limits to how complicated anyone would make this.
For example, one "popular" root kit forgot to modify "lsof" and can be detected through that:
There are root kit "sniffers" that attempt to find signs that such compromises have occurred, and daemons that attempt to watch for someone installing such a kit.
http://aplawrence.com/Words/2004_06_13.html

Cracker: All the information on Cracker at Encyclopedia.it
These operations are often automated and bundled together by means of software called root kits.
Some operations that only root can perform are, for example: sniffing the data in transit on a network interface (usually passwords) and using software able to operate at a very low network level.
Being superuser (that is, root) proves essential for crackers who intend to hide the traces of their passage and do as they please on the compromised machine.
http://www.encyclopedia.it/c/cr/cracker.html

Microsuck Forums - Question about Unix OS
If a Windows user is a little uneasy about switching you should do them a favor and get them one of the many Linux Live CDs that run straight from a CD.
Even so, a Unix box with a root kit installed is still more stable than a non-compromised Windows box, with uptimes sometimes in the years.
You can't tell the kit is there, and you can't tell how many machines a hacker has propagated the kit to.
http://www.fuckmicrosoft.com/forums/archive/index.php/t-2923.html

Root Beer Kit Science Toys Science Kits and Toys
With this amazing kit, you'll learn how your eyes and brain work together to create the images you see.
http://www.stevespanglerscience.com/product/1554

AntiOnline - how to check for a root kit
Interesting point, if you don't know what a root kit is, why are you being tasked to check for it?
A root kit installs a back door on your system, and modifies some of the programs, so that when you log in on the backdoor, you are completely undetected ("who" doesn't work, no logs, etc.). To install one, someone has to take over root.
http://www.antionline.com/printthread.php?threadid=230844

Shadow Walker Root Kit Eats Anti-Virus for Breakfast Threadwatch.org
Welcome to Threadwatch, a community website focused on Internet marketing and related technologies.
The proof-of-concept, dubbed Shadow Walker, is a modification of Butler's FU rootkit, a kernel-level program capable of hiding processes and elevating process privileges.
A revolutionary stealth root kit dubbed "Shadow Walker" that was demonstrated at the BLACK HAT security conference in Vegas this week can waltz right into your PC under the noses of even the most sophisticated anti-virus software.
http://www.threadwatch.org/node/3314

ETA/Cuisenaire: Reading Rods Prefixes, Suffixes, & Root Words Kit
Form more complex words by combining prefixes and suffixes with Greek/Latin roots
Soon they are building antonyms and other words using English base words paired with common prefixes and suffixes.
As they advance, students will form more complicated words, combining prefixes and suffixes with root words that have Greek and Latin origins.
http://www.etacuisenaire.com/readingrods/prefixes.jsp

HNS - Root kit surfaces after Jabber attack
The Jabber Software Foundation (JSF) - the open source instant messaging organisation - has advised developers to check their code, after discovering that a hack attack against its website was more serious than first suspected.
Subsequent investigations revealed the machine (hades.jabber.org) had been compromised for more than a year.
An audit conducted on JSF's web servers after an intrusion two weeks ago revealed a root kit on a machine hosting both the jabber.org website and the JabberStudio service.
http://www.net-security.org/news.php?id=7071

Rage3D Discussion Area - Root kits?
Root kits are very often used as stepping stones for hacking other computers.
They're basically compiled "kits" for gaining root and maintaining it on unix systems without alerting the system's owner.
There are several root kit scanners, and tripwire is a very nice program to run that can detect/avoid root kit install attempts.
http://www.rage3d.com/board/printthread.php?t=33798311

RootkitRevealer turns root kits tactics back at them
Editor's Summary: "Root kit" is a catch-all term used to describe the mechanism or mechanisms by which any form of malware (including a virus, spyware or Trojan) hides its presence from both the system at large and from programs that attempt to detect and remove it.
One new tool that helps you fight root kits is RootkitRevealer from Sysinternals, a Web site that provides utilities and source code related to Windows NT/2000/XP/2K3 and Windows 9x, Windows Me internals.
Root kits come in several different flavors, each of which conceals itself from the system in a slightly different way, making it all the more difficult to flush them out and destroy them.
http://searchwebservices.techtarget.com/newsItem/0,289139,sid14_gci1069237,00.html

Nuclear Elephant: Creating Root-Kit Proof Saferooms
A root-kit is a package hackers use to manipulate the machine they've hacked to make it more difficult for a systems administrator to detect that the system has been compromised.
Root kits commonly also include tools creating back-doors to allow hackers back into a system they've hacked.
If you are successful in creating a saferoom that cannot be written to, even as root, you still have to take into concern the ability of a hacker to go and change your path or dismount the room altogether.
http://www.nuclearelephant.com/papers/saferoom.html

PCTechTalk - What's Your Issue? :: News : Windows NT Root Kit Revealer
In the wake of news that Microsoft is developing prototype software to detect rootkits, SysInternals has released a free rootkit detection tool named RootkitRevealer for all Windows systems NT4+.
It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that
RootkitRevealer is an advanced root kit detection utility.
http://www.pctechtalk.com/?m=show&id=4142

Root Beer Flavor
But what if you don't have a kegging system?
(Hint: The ability to make great homemade root beer is sometimes a good way to help justify the expense of a kegging system to the rest of the family!) We now have a solution!
Our root beer flavors come with complete instructions and they're very easy to make.
http://www.hoptech.com/rootbeer.html

Anti Spyware
Rootkit Revealer is a root kit detection utility that runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
Rootkits try to keep malware hidden from anti-spyware (and antivirus) scanners.
http://www.nondisputandum.com/html/anti_spyware.html

Howstuffworks "What is root beer?"
In the case of root beer, the flavoring comes from the root of the sassafras tree or the sarsaparilla vine.
For example, the word "cabinet" can mean "storage space in your kitchen" or "a group of folks who advise the president." Beer is a word with two meanings.
Originally, the root was brewed like a tea to make an extract, but now it is much easier to buy the extract ready-made.
http://www.howstuffworks.com/question137.htm

[CLUE-Tech] root kit checker
I ran chkrootkit version 0.43 after stopping it, and it didn't detect any other kits - I was running a manually compiled 1.3.27 version of apache on a RH9 box, so I was asking for it.
I'll recompile a new version of apache and blow away the old one for now.
http://clue.denver.co.us/pipermail/clue-tech/2004-May/009990.html

Locator Root Kits
Locator Root Analog (8516) if dental laboratory is processing the Locator Denture Cap Male into the denture.
This design of the pivoting LOCATOR Male allows a resilient connection for the overdenture without any resulting loss of retention.
http://www.preat.com/locrootkit.htm

Grmtech > Root Kit
Hence I propose that if a server has been rooted it is better to identify what has gone wrong and fix it.
This thinking can lead to not having the policies in place to identify if a server has been rooted.
The traditional wisdom if your server has been "rooted" is to reinstall the server, but this presents a catch 22 situation.
http://www.grmtech.com/rootkit.html

Larry Osterman's WebLog : June 2004 - Posts
Apparently the root cause of the problem is that IE is following the Authority Information Access 48.2 OID (1.3.6.1.5.5.7.48.2) to find the parent of the certificate, while Mozilla isn't.
It could have been a rootkit that would use my machine as a doorway for hackers to gain access to the Microsoft corporate network.
And once you're rooted, there is NO way of knowing that you're rooted. A good root kit covers its tracks so that it is essentially undetectable.
http://blogs.msdn.com/larryosterman/archive/2004/06.aspx

Simple and interesting solution for hidden root kit files
Microsoft Research has a short paper on using hackers' tricks against them, including using differential file system scans (using WinDiff) from infected vs. clean OS boots to detect hidden files [via G.
http://geekswithblogs.net/ssimakov/archive/2004/08/10/9531.aspx

The Brew Your Own Root Beer Kit - SHOP.COM
There is absolutely nothing like a refreshing gulp of home-brewed root beer.
http://www.shop.com/amos/cc/main/searchxs1/ccsyn/260/prd/14237180/adtg/10250441

Windows 2000 Root Kit Analysis
However, the complexity of the kit itself and its potential to reinsert parts of itself make it difficult to deal with until it is understood.
The hacking tools present in the kit suggest the intended use for this kit is not just to run an IRC bot, but also to allow remote control of and subsequent hacking using a compromised box.
http://users.ece.gatech.edu/~owen/Research/HoneyNet/Quarterly/Analysis_of_Windows_2000_root-kit.htm