Journal http's Journal: Is this a brand new rootkit? 2
Brief rundown:
Drive has its partition table written 'backwards', as (and this is from memory)
partition start end size
hda2: 247 17309 80448
hda1: ..1 ..246 1998
the bios boots from hda1 (in windows) but goes to GREAT lengths to conceal that partition from every tool in windows, and give the impression that you've booted from hda2 and that's the only thing that's on the hard drive. It included, as near as I can tell, an irc client, a webserver and an ftp drop box that hides quite well from task manager. But nothing hides from a trusted GNU/Linux installation CD! Managed to tarball the contents of the secret partition for later study, but after I and my bestfriend Windows tech lost four days fucking with it, she finally said, "Nuke it from orbit, it's the only way to be sure."
She also came up with an interesting theory or two. The machine was bought (by her mother) as a demo model, and may have been a refurbished return. The original purchaser installed the root kit and returned it, to use the next unsuspecting granny's bandwidth to serve up kiddie porn. Alternately, a Staples tech or sales agent had installed it for the same reason. Yes, that truly unethical, but I mean, for $8.00 an hour, can you blame them much?
Any thoughts on this, or knowledge?
Drive has its partition table written 'backwards', as (and this is from memory)
partition start end size
hda2: 247 17309 80448
hda1:
the bios boots from hda1 (in windows) but goes to GREAT lengths to conceal that partition from every tool in windows, and give the impression that you've booted from hda2 and that's the only thing that's on the hard drive. It included, as near as I can tell, an irc client, a webserver and an ftp drop box that hides quite well from task manager. But nothing hides from a trusted GNU/Linux installation CD! Managed to tarball the contents of the secret partition for later study, but after I and my bestfriend Windows tech lost four days fucking with it, she finally said, "Nuke it from orbit, it's the only way to be sure."
She also came up with an interesting theory or two. The machine was bought (by her mother) as a demo model, and may have been a refurbished return. The original purchaser installed the root kit and returned it, to use the next unsuspecting granny's bandwidth to serve up kiddie porn. Alternately, a Staples tech or sales agent had installed it for the same reason. Yes, that truly unethical, but I mean, for $8.00 an hour, can you blame them much?
Any thoughts on this, or knowledge?
Did you do a dd (Score:2)
Re:Did you do a dd (Score:1)