Slashdot: News for Nerds

Forensics On a Cracked Linux Server

mutterc Re:Does rtkhunter... (219 comments)

There's an interesting third approach, used by Sysinternals's (now part of MS) RootkitRevealer for Windows.

Basically, enumerate all the files on the system using the usual OS APIs. Then, scan the entire raw disk, and enumerate all the files on the system by manually interpreting the directory structures stored on-disk. Any files whose directory entries exist on-disk, but don't show up in the OS's API (with a few standard system exceptions) are being hidden from the OS API layer by a rootkit.

It's certainly theoretically possible to fool, by having your rootkit hook the APIs used to read the raw disk, and returning innocuous values, but that's a good bit harder to do than the other stuff rootkits usually do. Some rootkits fooled it by not hiding their files if the process trying to look them up was named RootkitRevealer.exe, so the tool took to making a randomly-named copy of itself and executing that.

more than 6 years ago
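The cross-view technique the comment describes (enumerate through the OS API, enumerate again by parsing the on-disk directory structures, then diff the two) as an added example; this is not code from the comment above or from RootkitRevealer. The raw side here parses a directory block in the ext2/ext4 on-disk layout (struct ext2_dir_entry_2: inode, rec_len, name_len, file_type, name). Both the directory block and the "API view" listing are constructed in the script, the latter standing in for what a hooked readdir would return, so it runs offline; the STANDARD_EXCEPTIONS set is an assumed analogue of the tool's "standard system exceptions".

```python
"""Cross-view file listing check: on-disk directory entries versus the OS API view.

Added example, not code from the comment above or from RootkitRevealer.
The raw side parses a directory block in the ext2/ext4 on-disk format
(struct ext2_dir_entry_2); the block and the API listing are constructed
here so the example runs offline.
"""
import struct

# ext2_dir_entry_2 header: inode (u32), rec_len (u16), name_len (u8), file_type (u8),
# followed by the name; rec_len is padded to a 4-byte boundary.
DIRENT_HEADER = struct.Struct("<IHBB")
BLOCK_SIZE = 1024

# Names the API view is allowed to omit (os.listdir() never returns them).
# Assumed analogue of RootkitRevealer's "standard system exceptions".
STANDARD_EXCEPTIONS = {".", ".."}

# Constructed on-disk contents of one directory: (inode, name, file_type).
# file_type 2 = directory, 1 = regular file. inode 0 marks a deleted slot.
SAMPLE_ENTRIES = [
    (2, ".", 2),
    (2, "..", 2),
    (12, "passwd", 1),
    (13, ".rk_loader", 1),    # present on disk, filtered out by a hooked readdir
    (14, "shadow", 1),
    (0, "deleted.tmp", 1),    # unlinked: inode 0, name residue still on disk
]

# Constructed API view: what os.listdir() returned through the rootkit's hook.
API_LISTING = ["passwd", "shadow"]


def build_directory_block(entries, block_size=BLOCK_SIZE):
    """Serialise entries as ext2 does: the final entry's rec_len runs to block end."""
    block = bytearray()
    for idx, (inode, name, file_type) in enumerate(entries):
        name_bytes = name.encode()
        rec_len = (DIRENT_HEADER.size + len(name_bytes) + 3) & ~3
        if idx == len(entries) - 1:
            slack = block_size - len(block)
            if slack < rec_len:
                raise ValueError("entries do not fit in one block")
            rec_len = slack
        block += DIRENT_HEADER.pack(inode, rec_len, len(name_bytes), file_type)
        block += name_bytes.ljust(rec_len - DIRENT_HEADER.size, b"\0")
    return bytes(block)


def parse_directory_block(block):
    """Walk the rec_len chain straight from disk bytes, bypassing the OS API.

    Skips inode-0 slots (deleted entries and the ext4 checksum tail) and
    refuses rec_len values that would loop or run off the end of the block.
    """
    names = []
    off = 0
    while off + DIRENT_HEADER.size <= len(block):
        inode, rec_len, name_len, _ftype = DIRENT_HEADER.unpack_from(block, off)
        if rec_len < DIRENT_HEADER.size or off + rec_len > len(block):
            raise ValueError(f"corrupt rec_len {rec_len} at offset {off}")
        if inode != 0:
            start = off + DIRENT_HEADER.size
            names.append(block[start:start + name_len].decode(errors="replace"))
        off += rec_len
    return names


def cross_view_diff(api_names, raw_names, exceptions=STANDARD_EXCEPTIONS):
    """Return (hidden, phantom): names only on disk, and names only in the API view.

    'hidden' is the rootkit signal the comment describes; 'phantom' (API reports
    a name the disk lacks) is the reverse discrepancy and is worth reporting too.
    """
    api, raw = set(api_names), set(raw_names)
    hidden = sorted(raw - api - set(exceptions))
    phantom = sorted(api - raw)
    return hidden, phantom


def run_demo():
    """Build the constructed block, parse it raw, and diff against the API view."""
    block = build_directory_block(SAMPLE_ENTRIES)
    return cross_view_diff(API_LISTING, parse_directory_block(block))


if __name__ == "__main__":
    hidden, phantom = run_demo()
    for name in hidden:
        print(f"HIDDEN from API: {name}")
    for name in phantom:
        print(f"in API but not on disk: {name}")
```

On a live system the raw side would read the directory's data blocks from the block device (root access to e.g. /dev/sda1, located via the inode table), which is exactly the path a rootkit must also hook to defeat the check; the example stops at the block parser and does not implement the randomly-named-copy trick the comment mentions.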
