  1. #11
    Banned | Join Date: May 2005 | Posts: 173
    If you had four bots watching over other botnets, two or three wordlisting shares, a couple more mass exploiting vulnerable software, and even more doing whatever number of things... randomly someone or another bot will drop in to check on things, rarely issue a command, and disconnect maybe 3 to 10 seconds after showing up. Honestly would you give a ****? I wouldn't, and if something goes wrong it's not like you'll ever know about it.

    Public computers pfffft... say what? How about rather than some childish fantasy of sneaking around an office or whatever... has anyone ever actually taken the time to think about how well live-CDs would hold up against forensics?

    Seriously man... come on now.

  2. #12
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar | Join Date: Dec 2002 | Location: Washington D.C. area | Posts: 2,884
    Quote: has anyone ever actually taken the time to think about how well live-CDs would hold up against forensics?
    Actually yes, I have. I've also thought about other uses of live CDs, such as how very effective they would be against bot infections.

    The hax0rs seen in these examples were not pros. IF they were, you'd never have the amount of data left behind. These dudes are quantity bandits. They're not concerned with getting caught and they're not concerned if you find traces of activity. For every person who finds their footprints, 100 more will not. The main goal of present day crooks is to spread as much junk as quickly as possible.

    Gore, how did they initially grab the web account? Please don't tell me that someone set up apache with an account that had privileges to log in via ssh or telnet.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #13
    Senior Member Maestr0's Avatar | Join Date: May 2003 | Posts: 604
    What a bunch of jackasses. Horsey's right, these guys are goons. First off, if he had root he should've installed a decent rootkit to hide his ****. Second of all, he left the bash history like a clown, and to top it off, he reboots the machine. Why? All he changed was the sshd, and he restarted that already. Then he backs up the real sshd in a java directory the guy didn't have before.. (Shoulda cleaned that from the logs as well, along with the sshd restart, and set the modified date back)

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
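Maestr0's remark that the intruder should also have set the modified date back is exactly where a defender gets leverage: mtime can be rewritten at will, but on POSIX the kernel updates ctime on every inode change, including the call that back-dates mtime. The following is an added example, not code from this thread, that flags a replaced and back-dated binary; the sample files and the hash baseline are constructed here, and the baseline is assumed to come from package metadata recorded before the incident.

```python
import hashlib
import os
import tempfile
import time

def sha256_of(path):
    """Hash a file's contents for comparison against a known-good baseline."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def audit(paths, baseline, skew=60):
    """Map each suspicious path to its findings: 'hash-mismatch', 'timestomp'.

    mtime can be set to anything with utime(2)/touch, but on POSIX the
    kernel bumps ctime on every inode change, including that utime call.
    So mtime far earlier than ctime on a file nobody should have touched
    means the modification time was rewritten after the last real write.
    """
    findings = {}
    for p in paths:
        st = os.stat(p)
        issues = []
        expected = baseline.get(p)
        if expected is not None and sha256_of(p) != expected:
            issues.append("hash-mismatch")
        if st.st_ctime - st.st_mtime > skew:
            issues.append("timestomp")
        if issues:
            findings[p] = issues
    return findings

def build_demo():
    """Constructed sample: an untouched binary and a replaced, back-dated one."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "sshd.orig")
    bad = os.path.join(d, "sshd")
    with open(good, "wb") as f:
        f.write(b"original sshd bytes")
    # Baseline assumed to come from package metadata taken before the incident.
    baseline = {good: sha256_of(good), bad: sha256_of(good)}
    with open(bad, "wb") as f:
        f.write(b"trojaned sshd bytes")
    year_ago = time.time() - 365 * 86400
    os.utime(bad, (year_ago, year_ago))  # back-date mtime; ctime moves to now
    return [good, bad], baseline

if __name__ == "__main__":
    paths, baseline = build_demo()
    print(audit(paths, baseline))
```

POSIX semantics only: on Windows st_ctime is the creation time, so the timestomp check does not apply there.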

  4. #14
    Banned | Join Date: May 2005 | Posts: 173
    Quote: he reboots the machine. Why? All he changed was the sshd, and he restarted that already. Then he backs up the real sshd in a java directory the guy didn't have before.. (Shoulda cleaned that from the logs as well, along with the sshd restart, and set the modified date back)
    There is a reason why you shouldn't turn off a compromised computer. You have to figure that with most signs of an actual intrusion via buffer overflow, the first set of changes will all happen in-memory. Plus the idea is that if a user just ignores it then it gives some insight into what type of people are on the other end. But yeah... none of that was needed at all, and considering how few machines this thing would actually pwn... Hummm.

  5. #15
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar | Join Date: Dec 2002 | Location: Washington D.C. area | Posts: 2,884
    A mem dump should already be part of the standard remediation process. If it's not, then the bad guy already wins due to bad procedures.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #16
    Elite Hacker | Join Date: Mar 2003 | Posts: 1,407
    How did they su to root if root had a decent password according to john? And how did they run john on /etc/shadow if they weren't root?

  7. #17
    Senior Member | Join Date: Nov 2001 | Posts: 4,786
    On Windows servers it's considered poor practice to leave ftp.exe and tftp.exe on the machine. Now, not being a *nix admin by trade I could be wrong, but isn't the same true for leaving wget installed on a server?
    Bukhari:V3B48N826 The Prophet said, Isn't the witness of a woman equal to half of that of a man? The women said, Yes. He said, This is because of the deficiency of a woman's mind.

  8. #18
    Senior Member roswell1329's Avatar | Join Date: Jan 2002 | Posts: 670
    Believe it or not, there are a LOT of package management utilities and application upgrade utilities that use wget to get components they need.
    /* You are not expected to understand this. */

  9. #19
    Senior Member roswell1329's Avatar | Join Date: Jan 2002 | Posts: 670
    Of course you could block anything you feel would expose you to too much vulnerability, but remember that security is a balance of protection and convenience. I could block all incoming/outgoing TCP/UDP packets, but that's not very convenient. Wget is a useful tool to have on a pty where you may not have access to the X server and need to get something from the network.

    Then again, it also depends on the security model/level of the server in question, its mission, etc. I probably wouldn't want a copy of wget on some FBI database, but it might be extremely handy to have on a web host for several local user websites running their own scripts, etc.
    /* You are not expected to understand this. */

  10. #20
    Banned | Join Date: May 2003 | Posts: 1,004
    Quote: On Windows servers it's considered poor practice to leave ftp.exe and tftp.exe on the machine.
    I always considered the removal of such tools a waste of effort for essentially no gain and potentially needless inconvenience. The NSA, NCSC, NIST, Trusted Systems Inc, and Microsoft all agree with this, as it amounts to little more than an annoyance for inept attackers AFTER they have compromised the system.

    It is unfortunate that this idea of security is so prevalent, yet I bet these ftp.exe-less systems don't have CAF enabled, haven't restricted the administrator and system accounts from modifying the logs, and haven't revoked administrator's ability to take ownership of files or modify the security policy. All of which would be dramatic improvements and would move the system from a first generation to a second generation system per the OASIS definitions.

    cheers,

    catch
