User Tools

Site Tools

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
mission:log:2015:03:28:digital-exorcism [2015-03-28 12:48] chronomission:log:2015:03:28:digital-exorcism [2015-03-28 17:46] (current) chrono
Line 17: Line 17:
 After verifying that the traffic really was outgoing, it was time to find out what is causing this amount of traffic. In the old days, exorcism was a bit more of a good show I think, today, it's just a couple of people sharing the same tmux session, listening to their favorite kind of music and hacking away with a couple of tcpdumps, iftops, netstats and some other shell mumbo-jumbo. rkhunter didn't identify any rootkits. The daemon concealment seemed done like a crude quick-hack. If I'd have to hide something in a system, I'd definitely make it much harder for someone to track.  After verifying that the traffic really was outgoing, it was time to find out what is causing this amount of traffic. In the old days, exorcism was a bit more of a good show I think, today, it's just a couple of people sharing the same tmux session, listening to their favorite kind of music and hacking away with a couple of tcpdumps, iftops, netstats and some other shell mumbo-jumbo. rkhunter didn't identify any rootkits. The daemon concealment seemed done like a crude quick-hack. If I'd have to hide something in a system, I'd definitely make it much harder for someone to track. 
  
-At the time two daemons of the kit were running: /.sshd and /http. sshd was located at /usr/sbin/.sshd and http at /etc/http. Both put some sort of pidfile into /tmp/$foo.lod, by which we were able to identify the running processes in the first place. It also seems to carry replacements for lsof,netstat,ps and ss, each one seems to be a unique binary. With the the exception of bsd-port/jave, the rest of the identified files are basically just copies of the same with a different name and come with this file signature, which already stood out on a more or less up to date 64-bit machine.+At the time two daemons of the kit were running: /.sshd and /http. sshd was located at /usr/sbin/.sshd and http at /etc/http. Both put some sort of pidfile into /tmp/$foo.lod, by which we were able to identify the running processes in the first place. It also seems to carry replacements for lsof,netstat,ps and ss, each one seems to be a unique binary. With the exception of bsd-port/jave, the rest of the identified files are basically just copies of the same with a different name and come with this file signature, which already stood out on a more or less up to date 64-bit machine.
  
 <code> <code>
Line 44: Line 44:
  
  
-{{tag>trojan ddos security virus linux}}+{{tag>trojan ddos security virus linux research ops}}
  
-{{keywords>Apollo-NG apollo next generation hackerspace hacker space research development makerspace fablab diy community open-resource open resource mobile hackbus hackbase trojan ddos security virus linux}}+{{keywords>Apollo-NG apollo next generation hackerspace hacker space research development makerspace fablab diy community open-resource open resource mobile hackbus hackbase trojan ddos security virus linux research ops}}
  
 ~~DISCUSSION~~ ~~DISCUSSION~~
Trace:

Page Tools