[plug] TCP connections refused [rootkit]
Derek Fountain
derekfountain at yahoo.co.uk
Mon May 5 19:18:30 WST 2003
> > > If the hard drive
> > > is mounted on another Linux machine as the non primary disk, nothing
> > > can be read from it, fsck checks out fine on 5 pass runs, but the data
> > > can only be seen if the drive is booted on its own accord.
> >
> > Anyone know how it does that trick?
>
> I should be more specific. It mounts, then anything you do to it produces
> pages and pages of directory sync errors IIRC. I'll fire it up again
> tomorrow if I can and tell you exactly what it does. You can sometimes get
> a directory listing, but cannot access any files.
>
> Are you querying because you have seen the same thing and are curious, or
> because you believe that I didn't do anything else wrong and it really was
> making the data inaccessible and simply wanted to know how? :)
The latter. I've never seen such a thing, and was curious as to how it could
work. The disk is obviously in a controlled corrupted state, which can be
worked around by, presumably, a program of some sort which the rootkit
installs and runs. I just wondered how such a thing could be achieved without
adding a layer of code into the filesystem part of the kernel.
--
"...our desktop is falling behind stability-wise and feature wise to KDE
...when I went to Mexico in December to the facility where we launched gnome,
they had all switched to KDE3." - Miguel de Icaza, March 2003