Network Security Incidents

Re: IIS web server hacked..any tips?

Subject: Re: IIS web server hacked..any tips?
Date: Fri, 17 Dec 2004 13:32:59 -0500
On Thu, 16 Dec 2004 17:47:51 PST, David LeBlanc said:

> So you'd set the switch, boot the system, wait until you want to
> snapshot it, and then use the debugger to look at anything in memory you
> like. Windbg will do this, and I think SoftIce does, too. The owned
> system is defenseless against an external kernel debugger.

Well... that's not *really* a totally external debugger.  For starters, you're
assuming the system is cooperating enough to *start* the debugger, and to keep
talking to it.  There's no good way to *force* (on the *hardware* level) the
system to cooperate across that serial cable.  A *sufficiently* 0wned box can
simply ignore that port - it's just that no rootkits so far have bothered to
protect against it.  (Think about it - if it's a boot.ini flag, all I have to
do is add a rootkit part that says "ignore that boot.ini flag" and the debugger
is useless....)

The IEEE 1394/iPod trick is different in that the external 1394 device literally
*CAN* force itself into the system on the hardware level and do DMA to suck out
all the RAM contents, totally without any cooperation from the system.

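The serial-debugger approach the thread argues about hinges on boot.ini switches (/debug, /debugport, /baudrate, /crashdebug). The following is an added example, not code from either poster, that parses a constructed boot.ini and reports, per boot entry, whether the kernel debugger is configured and on which port. The sample boot.ini and all function names are my own; the switch names are the standard NTLDR ones. Note the limit the reply above points out: a positive result here shows only that the flag is present in the file, not that a compromised kernel actually honoured it.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample boot.ini (not taken from the thread): the first entry boots
# normally, the second is a kernel-debug entry talking to a debugger on COM1.
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP (kernel debug)" /fastdetect /debug /debugport=com1 /baudrate=115200
"""


def parse_boot_ini(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Split boot.ini into sections; each section is a list of (key, value)
    pairs so that repeated ARC paths under [operating systems] are preserved."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")  # first '=' separates the ARC path
        sections[current].append((key.strip(), value.strip()))
    return sections


def boot_entries(text: str) -> List[Dict[str, object]]:
    """Return each [operating systems] entry as ARC path, description and a
    dict of its lowercased NTLDR switches (value is '' for bare switches)."""
    entries = []
    for arc_path, rhs in parse_boot_ini(text).get("operating systems", []):
        m = re.match(r'^"([^"]*)"\s*(.*)$', rhs)
        desc, rest = (m.group(1), m.group(2)) if m else (rhs, "")
        switches: Dict[str, str] = {}
        for tok in rest.split():
            name, _, val = tok.partition("=")
            switches[name.lower()] = val
        entries.append({"arc_path": arc_path, "description": desc, "switches": switches})
    return entries


def debug_mode(entry: Dict[str, object]) -> str:
    """'always' for /debug, 'crash-only' for /crashdebug (debugger loaded but
    idle until a kernel fault), otherwise 'off'."""
    sw = entry["switches"]
    if "/debug" in sw:
        return "always"
    if "/crashdebug" in sw:
        return "crash-only"
    return "off"


def kernel_debug_report(text: str) -> List[Dict[str, str]]:
    """One row per boot entry: debugger mode, port and baud rate as configured.
    'default' means the switch is absent and NTLDR's default applies."""
    rows = []
    for e in boot_entries(text):
        sw = e["switches"]
        rows.append({
            "description": str(e["description"]),
            "mode": debug_mode(e),
            "port": sw.get("/debugport", "default"),
            "baud": sw.get("/baudrate", "default"),
        })
    return rows


if __name__ == "__main__":
    for row in kernel_debug_report(SAMPLE_BOOT_INI):
        print(f"{row['description']!r}: debugger={row['mode']} "
              f"port={row['port']} baud={row['baud']}")
```

Run it against a real boot.ini by passing the file contents to kernel_debug_report(); on a live box the file lives in the root of the system drive and is usually hidden and read-only. The FireWire/DMA acquisition the reply contrasts this with needs no such configuration on the target, which is exactly the point being made.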