Intrusion Detection Systems mailing list archives

strings in backdoor binaries

From: Jim.Meritt () wang com (Meritt, Jim)
Date: Thu, 27 Apr 2000 12:57:08 -0400


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
When an intruder has penetrated a system and installed trojan binaries, when
a "strings" command is executed what text strings will appear in trojaned
files (aside from "letmein" or "satori", or course) that will (probably) not
show up in a non-trajaned binary?  I'm looking for a system (as opposed to
network) 'after-the-event' intrusion detection methodology.

_______________________
The opinions expressed above are my own.  The facts simply are and belong to
none. 
James W. Meritt, CISSP, CISA
Senior Secure Systems Engineer at Wang Government Services, Inc.

Current thread:

Re: [Fwd: [Fwd: Fwd: Emergency...Pls Forward This To Everyone You Know]], (continued)
- Re: [Fwd: [Fwd: Fwd: Emergency...Pls Forward This To Everyone You Know]] Ki.Ki.Ki...Kiran (Apr 23)
- IDS Focus Area at SecurityFocus.com Jensenne Roculan (Apr 24)
- intruder clues Meritt, Jim (Apr 24)
  - Re: intruder clues flynngn () jmu edu (Apr 24)
    - Re: intruder clues Philippe Bourgeois (Apr 25)
  - Re: intruder clues Lance Spitzner (Apr 25)
  - Scanning on tcp port 27374 Benninghoff, John (Apr 26)
    - Re: Scanning on tcp port 27374 Gary Flynn (Apr 27)
    - Re: Scanning on tcp port 27374 DPG (Apr 27)
    - Re: Part 2 Scanning on tcp port 27374 DPG (Apr 27)
    - strings in backdoor binaries Meritt, Jim (Apr 27)
    - Re: strings in backdoor binaries Anton Chuvakin (Apr 28)
    - Re: strings in backdoor binaries Gary Flynn (Apr 28)
    - Re: strings in backdoor binaries DPG (Apr 28)
    - Re: strings in backdoor binaries Jonas Eriksson (Apr 29)
    - Re: strings in backdoor binaries Jonas Eriksson (Apr 29)
    - Sniffing.... SatyaNarayana ANV (Apr 29)
    - RE: Scanning on tcp port 27374 Thomas J. Arseneault (Apr 27)
    - Re: Scanning on tcp port 27374 Talisker (Apr 27)
    - Fwd: Re: Part 2 Scanning on tcp port 27374 Lachlan Cranswick (Apr 27)
    - Re: Fwd: Re: Part 2 Scanning on tcp port 27374 DPG (Apr 28)

(Thread continues...)