Intrusion Detection Systems mailing list archives

Re: strings in backdoor binaries


From: achuvaki () ic sunysb edu (Anton Chuvakin)
Date: Fri, 28 Apr 2000 10:22:30 -0400


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
Hi all!

When an intruder has penetrated a system and installed trojan binaries, and
a "strings" command is executed, what text strings will appear in trojaned
files (aside from "letmein" or "satori", of course) that will (probably) not
show up in a non-trojaned binary?
I recently analyzed some files left by the attacker (who was using
something similar to the lrk4 rootkit, but not quite). In some binaries, having
"/bin/sh" or just "sh" is definitely inappropriate (e.g., the regular Linux
"in.fingerd" doesn't contain it and the trojaned one did).

Regards,

-- 
         Anton A. Chuvakin
Where is a will there is a way. <<
     http://www.chuvakin.org
          licq: 29034084
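The check the post describes, written out as an added example (not code from the post or from any rootkit): a minimal strings(1)-style extractor, a match against the indicators the post names, and a diff against a known-good copy of the same binary. The sample "binaries" are constructed byte strings, not real in.fingerd code; in practice the baseline copy comes from trusted media rather than from the compromised host.

```python
import re

# Indicator list assumed from the post's examples; extend it from your own incident data.
SUSPICIOUS = ("/bin/sh", "sh", "letmein", "satori")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Minimal strings(1): runs of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def flag_suspicious(strs, indicators=SUSPICIOUS) -> list:
    """Return sorted (string, indicator) pairs.
    Indicators shorter than 4 chars (e.g. "sh") must equal the whole string,
    otherwise harmless strings like "flush" or "hash" would trigger them."""
    hits = set()
    for s in strs:
        for ind in indicators:
            if (len(ind) < 4 and s == ind) or (len(ind) >= 4 and ind in s):
                hits.add((s, ind))
    return sorted(hits)


def new_strings(suspect: bytes, baseline: bytes) -> list:
    """Strings present in the suspect binary but absent from a known-good copy.
    Anything that shows up here deserves a look even if it matches no indicator."""
    return sorted(set(extract_strings(suspect)) - set(extract_strings(baseline)))


def scan_file(suspect_path: str, baseline_path: str = None) -> dict:
    """Run both checks on files on disk (baseline_path optional)."""
    with open(suspect_path, "rb") as f:
        suspect = f.read()
    report = {"indicators": flag_suspicious(extract_strings(suspect))}
    if baseline_path:
        with open(baseline_path, "rb") as f:
            report["new_strings"] = new_strings(suspect, f.read())
    return report


# Constructed sample data: a fake ELF header plus a few embedded strings.
GOOD_FINGERD = b"\x7fELF\x01\x01" + b"/etc/passwd\x00finger: %s\x00" + b"\x03\x02\x01"
# The "trojaned" copy is the same bytes with a shell path and a password appended.
TROJANED_FINGERD = GOOD_FINGERD + b"/bin/sh\x00letmein\x00"

if __name__ == "__main__":
    print("indicators:", flag_suspicious(extract_strings(TROJANED_FINGERD)))
    print("new vs baseline:", new_strings(TROJANED_FINGERD, GOOD_FINGERD))
```

Running `scan_file("/usr/sbin/in.fingerd", "/mnt/cdrom/in.fingerd")` applies the same two checks to a real file against a copy from trusted media.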


