Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Linux
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Write-protect sctors?

from [Walter Lamagna] Network Security [Permanent Link]
Subject: Re: Write-protect sctors?
Date: Wed, 30 Aug 2006 16:56:03 -0300 
You can use the badblocks command also.

With badblocks you can check the surface from the partition in Linux and
detect defects.
        badblocks -o bad.txt /dev/
-o creates a file with the bad blocks found.
-b with the block size as its argument, only needed if fsck can not
determine the block size.
-w should not be used, it writes the disk and destroys the information,
while it verifys the write operation



On Wed, 2006-08-30 at 15:56 +0200, Andreas Ferrari wrote:

Hi scott

Hav you checked your disk?
You can simply do that by booting from a Knoppix CD or something similar 
and the just dd the whole disk to /dev/null.
If there is a read error dd wil report it and will abort, if that 
happens its better to buy a new disk.

a simple example: dd if=/dev/xdX of=/dev/null
Note: replace xdX wiht your disk

regards

Andreas Ferrari

scott schrieb:

scott wrote:


Bill Church wrote:


It sounds very crazy. Did you ever actually identify if there was a 
rootkit installed? Did you try booting to a live CD of another 
distribution and investigating the disks from that live CD?

Remember that partitioning does modify the existing data on the disk, 
just the partition table, unless you chose to do a full format that 
data is still there. However, the chances of it actually being able 
to effect anything that's not directly referencing that data by 
executing it seems improbable. I wouldn't think that simply copying a 
file over that location couldn't spawn a process, of course nothing 
is impossible.

There is a BIOS function that is supposed to protect the boot sector, 
it's usually disabled by default on most systems. I imagine it would 
be possible for someone to modify the CMOS and protect any sectors 
they wish, but the attacker would undoubtedly need to have advanced 
knowledge of your system, BIOS, hard disk and geometry to make this 
attack possible. I highly doubt this is the case.

It sounds like you may have a defective hard disk, I would try a disk 
diagnostic first, or maybe attempt to install another OS or 
distribution.

-Bill

----- Original Message -----
From: scott Sent: Mon, 8/28/2006 11:23am
To: focus-linux@securityfocus.com
Subject: Write-protect sctors?

I had a probable rootkit in ubuntu dapper that proved to be more 
persistent than I thought possible.I did rkhunter and showed some 
anomalies in /dev/...Trying to track those dir's down proved 
elusive,even with root enabled(in ubuntu,root is disabled by 
default.You can still sudo, but no su without certain switches,)the 
dir's effectively hid from my view.
So I decided to reinstall a clean slate.This is when I encounter 
problems that don't make sense.
As the install progresses to the partitioning of the disc,I opt for 
the erase whole disc option.It progresses to a certain point and then 
quits with an error..repeatedly.
I filed a bug report with launchpad,but my question is this:Can any 
malware you are aware of write-protect certain segments of a 
HD,without BIOS support?Or is there a BIOS trojan that I'm not aware 
of in Linux?Is this even possible with a hardened system?
Is this even possible in any system,Windows included?
What I.m asking is : Can any malware write-protect sectors on a HD 
that survive repartioning?
Sounds really crazy,huh?
Thanks,Scott


It was a problem in ubiquity, in that it never resolved to a mount 
point when installing.

But my point is that I eventually got the same install cd to actually 
install.Now if something was trying to protect itself,only after many 
attempted overwrites did I succeed,that would 
seem...Almost...logical,..Maybe.!?

The hard drive is fine,as far functioning,anyway.

I also know that you have to have (presumably,)BIOS access to write- 
protect sectors of a HD.

Didn't Joanna Rutkowska demonstrate a BIOS virus,or POC,at one 
time?Not likely,or probable,that this was my problem,but could it be 
done....theoretically?Especially in a `nix environment?

I think not.But I have been wrong so many times in my life,that I like 
to think anything is possible.

If ya want to do it bad enough,at least.
Any other thoughts on this matter?
Regards,Scott


Hi again.
I also know that BIOS is ROM,not RAM.
Therefore,it seems that I would have to do a BIOS flash for this to happen?

Regards...again,and thanks,Scott




-- 
Walter Lamagna
Ten Roses Buenos Aires
+54.11.4372.2250/2949
Ext.31
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Write-protect sctors?, Andreas Ferrari
Previous by Thread:  Re: Write-protect sctors?, Andreas Ferrari
Indexes:  [Date] [Thread] [Top] [All Lists]