[703] in Intrusion Detection Systems
Re: rootkit and other bits'n'pieces.
daemon@ATHENA.MIT.EDU (Paul Danckaert)
Mon Jul 1 07:49:57 1996
Date: Wed, 26 Jun 1996 10:52:55 -0400 (EDT)
From: Paul Danckaert <pauld@umbc.edu>
To: ids@uow.edu.au
In-Reply-To: <199606252239.IAA29415@plum.cyber.com.au>
Reply-To: ids@uow.edu.au
On Wed, 26 Jun 1996, Darren Reed wrote:
> I searched around the web on the weekend and found a frightening amount
> of hack/crack programs.
>
> you can grab the stuff I found as:
>
> ftp://ftp.cyber.com.au/pub/unix/rootkit.tgz (about 900k - gzip'd - of mostly
> all source code)
> [..snip..]
>
> Things like "Alta Vista" are your friend!
>
> Was rather sad to see so much, but...
Well, I personally don't mind seeing it too much. It really comes down
to the fact that these tools are actively being distributed in "hacker"
circles, and by putting them up online they actually sort of even the
score. People trying to protect themselves have access to the tools
people would use on them, can analyze them, and try to protect themselves
accordingly.
In a way it comes down to the full disclosure argument, where people argue
if exploits for the security holes should be released. By having access
to these tools, you are able to analyze them, and not only protect
against that particular attack, but perhaps others in its class. (For
example, seeing ypx may make people more aware of rpc vulnerabilities and
protect themselves against the class of rpc-based exploitations, rather
than just changing their nis domainname..) Releasing the exploits also
gives them to a wider range of people, but considering how easy it is to
get most of these things (irc, for example) I doubt that it makes a very
big difference.
There are several archives that are heavily used in "hacker" circles, and
keep a large (and up to date) archive of tools, information, etc. One of
the nicer ones is ftp://ftp.infonexus.com/.
[ObSecurityNote]
We have seen quite an increase in web-related attacks, specifically
trying to exploit CGIs with %0a (newline) characters, trying to grab
password files, and run other commands. I would recommend grep'ing
through some of your web server logs looking for passwd, %0a, %0A, and
things like that. Just in the last few weeks these attacks have
increased to the point of several a week.
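An added example, not part of the post above and not any of the tools it mentions, of the log grep Paul recommends, written in Python so that each request can be URL-decoded before matching: it flags raw %0a/%0A (and %0d) sequences, newlines that appear only after decoding (double-encoded variants such as %250a, which a plain grep for %0a would miss), and any reference to passwd. The log lines, client addresses and the /cgi-bin/example-cgi path are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format lines for this example; they are not from the
# post or from any real server. The /cgi-bin/example-cgi path is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jun/1996:10:52:55 -0400] "GET /index.html HTTP/1.0" 200 1043
10.0.0.7 - - [26/Jun/1996:10:53:01 -0400] "GET /cgi-bin/example-cgi?q=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 312
10.0.0.7 - - [26/Jun/1996:10:53:09 -0400] "GET /cgi-bin/example-cgi?q=%0A/usr/bin/id HTTP/1.0" 404 0
10.0.0.9 - - [26/Jun/1996:10:54:30 -0400] "GET /docs/passwd-policy.html HTTP/1.0" 200 5120
10.0.0.7 - - [26/Jun/1996:10:55:12 -0400] "GET /cgi-bin/example-cgi?q=%250a/bin/sh HTTP/1.0" 200 10
10.0.0.8 - - [26/Jun/1996:10:56:00 -0400] "POST /cgi-bin/form HTTP/1.0" 200 77
"""

# The quoted request field of a CLF line: method, target, optional protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/\d\.\d)?"')

# Raw %0a / %0A (newline) and %0d / %0D (carriage return) sequences.
ENCODED_NEWLINE_RE = re.compile(r'%0[aAdD]')


def decode_target(target, rounds=2):
    """URL-decode repeatedly so that double-encoded sequences such as %250a
    (which decode to %0a, and then to a newline) are also exposed."""
    decoded = target
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def classify_target(target):
    """Return the list of indicators that match one request target."""
    reasons = []
    raw_hit = ENCODED_NEWLINE_RE.search(target) is not None
    if raw_hit:
        reasons.append('encoded newline/CR in raw request')
    decoded = decode_target(target)
    # Only report the decoded form when the raw grep would have missed it.
    if not raw_hit and ('\n' in decoded or '\r' in decoded):
        reasons.append('newline/CR revealed only after decoding')
    if 'passwd' in decoded.lower():
        reasons.append('reference to passwd')
    return reasons


def scan_log(text):
    """Scan CLF text and return (line number, target, reasons) per hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = classify_target(m.group('target'))
        if reasons:
            hits.append((lineno, m.group('target'), reasons))
    return hits


if __name__ == '__main__':
    for lineno, target, reasons in scan_log(SAMPLE_LOG):
        print(f'line {lineno}: {target}')
        print(f'    {", ".join(reasons)}')
```

The hit on /docs/passwd-policy.html shows the noise a bare grep for passwd produces; each line is reported together with the reasons it matched so it can be triaged rather than silently dropped.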