From: Matt Bing (mbingnfr.net)
Date: Wed Apr 10 2002 - 19:16:17 CDT

    Fernando Cardoso said:
    > Most rootkits have trojanised ps's. I've seen several ones that use a
    > config file where you can define what expressions (names, PID's, etc.)
    > you want to hide. Of course you still have to deal with top, lsof,
    > netstat, etc.

    Actually it goes even deeper than that. Even when replacing the
    appropriate kernel constructs, the kernel still might leak
    information about processes:

    http://www.sockpuppet.org/tqbf/catchps.html

    -- 
    Matt Bing
    NFR Security
    Rapid Response Team
    
