Now there you go, Harlan, this is what our community needs. Since you located the lead source and did the research, you went ahead and combined it all into one place in your blog and saved me and others a lot of time and tail chasing.
Maybe one of those innovations would be groups of like-minded folks using blogs to do just what you did for problems they have located, researched and documented. Then when we run up on an issue we could check each other's blogs before heading down our own time-eating path.
Great job! Thanks.
Guess I should have been more clear. We all could have read the Secureteam blog and gotten the technical details directly. But you added the Registry info and other tidbits that weren't there.
I really see this going further IF you had actually worked a case involving this; you could have had a blog about what worked and what didn't. Sort of a mini casebook without any confidential info in it. There is a lot of behind-the-scenes research and technical stuff we can share without violating our conf. agreements.
Bill
> I really see this going further
True. I've worked cases with previous versions of HaxDoor, but not this one. In those cases, I've started by sorting the service Registry keys in the ControlSet00x that was marked current. From there, I was easily able to locate the service and driver that had been added, based on the LastWrite times of the keys. The driver was called 'rdriv.sys'.
I don't have fully formed thoughts on this, but I am sure I have docs in my work product that, if put together, could save someone a lot of effort in recreating the wheel. Not just a bunch of links to theoretical info or academic papers or technical notes, but a collection of real-world methods and tools that worked for a compromise.
I also haven't had that 43rd cup of coffee to let me think any further than that yet.
I've got another intrusion case on the way, and although there's no indication of a rootkit, there might be something along those lines. It's a pretty frequent occurrence that a client will push for what they think is/was the issue, and in many of those cases, it's unknowing redirection…
What kinds of things were you thinking about?
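The Registry triage Harlan describes (find the control set marked current, then sort the Services subkeys by LastWrite time so a freshly added service or driver surfaces) as an added example; this is not Harlan's own tooling. The offline SYSTEM hive, the third-party python-registry module and the sample records with their dates and paths are assumptions.

```python
from datetime import datetime
from typing import Iterable, List, NamedTuple, Optional


class ServiceKey(NamedTuple):
    name: str             # subkey name under ControlSetNNN\Services
    last_write: datetime  # the key's LastWrite time (naive UTC, as python-registry returns it)
    image_path: str       # ImagePath value, "" if the key has none


def current_control_set(select_current: int) -> str:
    """Map HKLM\\SYSTEM\\Select\\Current (e.g. 1) to its key name ('ControlSet001')."""
    return "ControlSet{:03d}".format(select_current)


def rank_by_lastwrite(keys: Iterable[ServiceKey],
                      newer_than: Optional[datetime] = None) -> List[ServiceKey]:
    """Most recently written service keys first, optionally restricted to keys
    written after the start of the incident window. A service or driver key is
    written when it is installed, so a newly dropped driver floats to the top."""
    ranked = sorted(keys, key=lambda k: k.last_write, reverse=True)
    if newer_than is not None:
        ranked = [k for k in ranked if k.last_write > newer_than]
    return ranked


def services_from_hive(system_hive_path: str) -> List[ServiceKey]:
    """Collect ServiceKey records from an offline SYSTEM hive (assumes python-registry)."""
    from Registry import Registry  # third-party module; an assumption, not on the page
    reg = Registry.Registry(system_hive_path)
    current = reg.open("Select").value("Current").value()
    services = reg.open(current_control_set(current) + "\\Services")
    records = []
    for sub in services.subkeys():
        try:
            image = str(sub.value("ImagePath").value())
        except Registry.RegistryValueNotFoundException:
            image = ""
        records.append(ServiceKey(sub.name(), sub.timestamp(), image))
    return records


# Constructed sample standing in for a parsed hive; names, dates and paths are made up.
INCIDENT_START = datetime(2006, 1, 1)


def sample_keys() -> List[ServiceKey]:
    return [
        ServiceKey("Tcpip", datetime(2004, 8, 4, 12, 0), "system32\\DRIVERS\\tcpip.sys"),
        ServiceKey("Browser", datetime(2005, 3, 10, 9, 30), "%SystemRoot%\\system32\\svchost.exe -k netsvcs"),
        ServiceKey("rdriv", datetime(2006, 1, 15, 3, 2), "\\??\\C:\\WINDOWS\\system32\\rdriv.sys"),
        ServiceKey("Dhcp", datetime(2004, 8, 4, 12, 1), "%SystemRoot%\\system32\\svchost.exe -k netsvcs"),
    ]
```

On a real hive, pass the result of `services_from_hive(path)` to `rank_by_lastwrite` with the incident window start; the sample records only exercise the ranking offline.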
Is there a reference? Can I just google KeyDet Blog, Haxdoor?
And have you ever come across the 'Q' (1.x or 2.x) backdoor?
Where backdoors like 'Q' (no real Haxdoor experience here) become a matter of interest is when you don't know there is a problem and/or don't have physical access to the system.
Determining what backdoor is running, and where, and to what end, over the network has always been of interest to me.
Have a nice day,
Skip
> Is there a reference? Can I just google KeyDet Blog, Haxdoor?
> Have a nice day,
> Skip
Well! Yes, yes I can.
Skip
Harlan;
My basic idea is that blogs are especially useful because they are chronological. Repositories need maintenance to keep out-of-date tools deleted, updates added, etc. A blog would point folks to the latest tools and info relative to IR situations they may be facing today. I think this lends itself well to IR because of the constantly changing nature of threats.
The same idea works for CF, maybe not as critically, especially since most CFers seem to be using canned tools that would require updates to be added by the MFG.
However, for tools like open source or those like ProDisc that have scripting language support, this could be critical as well as a way to find things you need TODAY.
That's my flesh out, now help me fill it out <G>
I've already started with that…I have my blog, I've posted code to SF, as well as to the ProDiscover forums.
Right now, the biggest problem is community support. See all the comments on my blog? Exactly. The thing is, I can guarantee you that if someone has a question, then (a) someone else has the same question, and (b) someone has an answer.
The problem lies in the fact that if you're afraid to ask, then I can't help you…it's as simple as that. I've received some good questions, and I troll lists looking for questions that I can put a spin on, and turn into a blog post.
If you have something specific I can do to help, let me know.
I'm gonna noodle this some. You are right about the lack of community response and the reluctance to both ask and answer questions. Some of that may be that people are afraid of competition.
But, if there are two of us that would like to see this development of community, there may be others. We just gotta find them and get them involved.
I'm gonna get my blog going again and start posting situations and ideas. Maybe we won't stomp the exact same ground and we can get some action.