UGN Security Forums
My ProfileMember DirectoryLogin
Search our ForumsView our FAQView our Site Rules
View our CalendarView our Active TopicsGo to our Main Page

UGN Security Store

Network Sites UGN Security, The GoNix Initiative, Elite Web Gamers, Back of the Web, EveryDay Helper, VNC Web Design & Development
Sponsored Links
Latest Postings
by Gremelin
Yesterday at 06:01 PM
Latest Reviews
Topic Options
Rate This Topic
#9232 - 07/02/03 07:14 AM Regaining access to a system
Ghost Offline

Registered: 06/16/03
Posts: 807
Loc: Wisconsin
if youve gained access to a system what are some ways of getting back into the system after youve finished, keeping in mind that passwords have probably changed. Plz help
[[ GamerSupport ] [ UGN Security ] [ Evil Hosting ] [ Comic Relief ]

Sponsored Links
#9233 - 07/02/03 08:19 PM Re: Regaining access to a system
jonconley Offline
UGN Super Poster

Registered: 10/08/02
Posts: 955
Loc: Merrill, IA, USA
Installing a trojan
Using a rootkit or creating a backdoor yourself
Creating another account on the system for you to use, so when hacked account is changed, you still have access

#9234 - 07/03/03 05:27 AM Re: Regaining access to a system
Cyber_Junkie Offline
Junior Member

Registered: 07/03/03
Posts: 4
How do you get into a system?


#9235 - 07/03/03 06:43 AM Re: Regaining access to a system
SilentRage Offline
DollarDNS Owner

Registered: 03/04/02
Posts: 1273
Loc: OH, USA
con'ing employees to give you passwords
con'ing employees to install trojans
getting local access to the system and grabbing password files and crack them
exploiting bugs in server software to give you access remotely
brute forcing existing password authentication setups
Domain Registration, Hosting, Management

#9236 - 07/03/03 10:50 AM Re: Regaining access to a system
Ghost Offline

Registered: 06/16/03
Posts: 807
Loc: Wisconsin
Thanks johnconely
[[ GamerSupport ] [ UGN Security ] [ Evil Hosting ] [ Comic Relief ]

#9237 - 07/04/03 08:09 PM Re: Regaining access to a system
vendicate Offline
Junior Member

Registered: 11/22/02
Posts: 43
This is an article that explains everything about rootkits, its from the website

Understanding Rootkits
by Oktay Altunergil, 12/14/2001

A rootkit is a collection of tools an intruder brings along to a victim computer after gaining initial access. A rootkit generally contains network sniffers, log-cleaning scripts, and trojaned replacements of core system utilities such as ps, netstat, ifconfig, and killall. Although the intruders still need to break into a victim system before they can install their rootkits, the ease-of-use and the amount of destruction they cause make rootkits a big threat for system administrators.

The main purpose of a rootkit is to allow intruders to come back to the compromised system later and access it without being detected. A rootkit makes this very easy by installing a backdoor remote-access daemon, such as a modified version of telnetd or sshd. These will often run on a different port than the one that these daemons listen on by default.

Most rootkits also come with modified system binaries that replace the existing ones on the target system. At a minimum, core binaries such as ps, w, who, netstat, ls, find, and other binaries that can be used in monitoring server activity, are replaced so intruders and the processes they run are invisible to an unsuspecting system administrator.

Because most rootkits will mimic the creation dates and file sizes of the original system binaries while replacing them with infected versions, keeping records of these file statistics is not sufficient. Thus, the best way to make an inventory of system file information that can be used to identify suspicious activities on the server is to calculate the cryptographic checksums of these files and store this information in a safe location, such as on a CD.

Third-party tools such as Tripwire or AIDE make this process much easier and more robust by automating the calculation of these file signatures.

Here's a quick explanation of Tripwire from the organization's web site:

"Tripwire is a tool that checks to see what has changed on your system. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc."

Obviously this process has to be repeated as you introduce more software and other files into your system. You can also use the RPM signatures on RPM-based systems such as Red Hat and SuSE to compare the current MD5 signatures of your files to those in the RPM installation database. Unfortunately, the RPM application itself and the local RPM database cannot be trusted to provide accurate information because intruders can potentially infect them too.

Some rootkits may also contain sniffer or keylogger applications that are used to gather passwords for other systems and listen to traffic for sensitive information. To do this, the rootkits set the PROMISCIOUS mode on the target machine's network interface card (NIC). In normal operation, a network interface card only listens to traffic that is specifically addressed to itself and traffic that is coming through the broadcast address that everyone listens to.

On a "non-promiscuous" network adapter, the packets that are addressed to other network interfaces are silently discarded without even looking at the actual data in them. However, when using directly connected computers or a network that uses basic, non-switching HUBs, your interface actually can listen to all traffic if it's in PROMISCIOUS mode.

If an intruder listens to this traffic on a relatively large network, the results may be catastrophic. To protect the whole network even when one of the machines is broken into, using direct cable connections and basic HUBs should be avoided. Switching-hubs and other more advanced networking equipment do not broadcast traffic to all the machines on the network, but only send it to the machine that is supposed to receive it, effectively protecting all the other machines on the network.

Because the first thing a system administrator does to monitor unusual activity is to check the system log files, it is very common for a rootkit to include a utility to modify the system logs. In some extreme cases, rootkits disable logging all together and discard all existing logs. Usually if the intruders intend to use the server for an extended period of time as a launch base for future intrusion activity, they will only remove those portions of logs that can reveal their presence. Because the absence of log files or stopped logging activity is a sign of suspicious activity itself, only attackers who have adopted the hit-and-run style will choose to blindly discard all logs.

One method administrators can use to maintain logs about an intrusion attempt -- successful or otherwise -- is to devise a system that detects network anomalies and alerts the system administrators by sending them notification email messages and/or log files. Obviously, the network intrusion detection and periodic log-file transfer methods cannot be trusted after the intruder gains access to the machine.

Arguably the most severe threat to system security that can be caused by a rootkit comes from those that deploy LKM (Loadable Kernel Module) trojans. Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel on the fly -- without requiring a kernel recompilation. Although the benefits of using LKMs are universally recognized, they are also subject to abuse by intruders who use the kernel module-loading mechanism for malicious purposes. Even if you reboot a system that is infected by an LKM Trojan, the LKM process will reload it during boot-up just like any other kernel module. Loadable Kernel Modules are used by many operating systems including Linux, Solaris, and FreeBSD


Moderator:  Infinite 
Featured Member
Registered: 09/07/15
Posts: 1
Forum Stats
2158 Members
46 Forums
41533 Topics
76708 Posts

Max Online: 1567 @ 04/25/10 02:20 AM
Top Posters
UGN Security 34695
Gremelin 7194
§intå× 3255
SilentRage 1273
Ice 1146
pergesu 1136
Infinite 1041
jonconley 955
Girlie 908
unreal 860
Newest Members
Jan Havelles, Herbert_Sherbert, codemauve, Lillysdragon1984, Brewwit
2158 Registered Users
Who's Online
1 registered (Gremelin), 261 Guests and 389 Spiders online.
Key: Admin, Global Mod, Mod
Latest News

  Get Firefox!
Get FireFox!