[815] in Intrusion Detection Systems
Re: Signs of an Intruder
daemon@ATHENA.MIT.EDU (Diane Davidowicz)
Tue Dec 17 05:31:08 1996
Date: Wed, 11 Dec 96 11:10:33 EST
From: Diane Davidowicz <diane_d@sun1.wwb.noaa.gov>
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au
>
> > Wrong. The intruders with a clue know what to look for and remove themselves
> > promptly. Nothing is sacred on a system once it has intruders.
>
> While the intruder may not know it, the attack kit and the root kit he/she
> uses usually will know where to look and what to doctor. Unfortunately, this
> allows a lot of people who otherwise would not have had the technical skill
> to break in to do just that. Fortunately, like in any eco-system this creates
> a lot of low-skilled attackers that are easy to track.
>
There are a lot more tools available than just what the rootkit has to offer
and they have been around a lot longer. Although I admit to seeing more use
of the rootkit tools than any other, there are still others that are floating
around and are in use.
Whether the intruder knows what exactly a tool modifies or not is a moot
point. The technology to change these files has always been there for the
taking. And all the intruders love to trade their warez, so it's just a matter
of time before any such tool is well distributed.
A good example of this is rootkit. 2 years or so ago it was hard to come by,
traded only amongst the elite. During the past year, I have lost track of how
many times I have just happened to come across it on anonymous ftp servers.
Diane
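The thread above turns on one point: the tools doctor system files, and the defender's answer is to know what those files looked like before. The following is an added example, not code from the list post or from any tool named in it; it records a SHA-256 baseline of a directory tree, then reports which files were modified, added or removed. The `bin/ps`, `bin/ls` and `bin/sniffer` entries are constructed inside a temporary directory purely for the demonstration.

```python
"""File-integrity baseline check: find files a rootkit-style tool has
doctored by comparing SHA-256 digests against a recorded baseline.

Added example, not code from the list post. The directory layout and
file contents in demo() are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Walk `root` and record a digest for every regular file.

    Keys are paths relative to `root`; symlinks are skipped so that a link
    pointing at a doctored file elsewhere cannot mask the change.
    """
    baseline: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if full.is_file() and not full.is_symlink():
                baseline[str(full.relative_to(root))] = hash_file(full)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between a stored baseline and a fresh scan."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a fake bin/ tree, doctor it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho original ps\n")
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho original ls\n")
        before = build_baseline(root)

        # Simulate the kind of doctoring the post describes: one binary
        # replaced, one removed, one new file dropped in.
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho replaced ps\n")
        (root / "bin" / "ls").unlink()
        (root / "bin" / "sniffer").write_bytes(b"constructed sample content")
        after = build_baseline(root)

        return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the checker: if the binaries that compute the digests, or the kernel serving the reads, have themselves been replaced, the scan can be lied to. In practice the baseline and the comparison tool are kept on read-only or offline media and run from a known-clean boot, which is exactly the gap the post's "nothing is sacred" remark points at.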