unixfool
01-25-2008 11:34 AM
Quote:
Originally Posted by PatrickNew (Post 3034956)
I haven't confirmed it, but I've seen it reported that you can check to see if you have it by trying to create a directory starting with a numeral. If you have it, the rootkit won't let you.
I believe that is specific to accounts that utilize CPanel. There's another way also, which involved sniffing HTTP packets via tcpdump (the article references both methods). As of yet, I haven't noticed a specific Snort rule that will detect this (although the sniff criteria is simple enough to create on your own, if you use Snort to monitor your network).
I've some issues with the article itself. In the last few years, I've seen a ton of the exploits the author elaborates on. This really isn't new news, as most of the attack attempts I've seen come from already compromised machines that attempt to initiate XSS attacks and script injection. Maybe it's the first time that someone actually noticed from a global view of things, but when I read the article, I didn't see any new revelations that got me all 'hot and bothered'. Maybe that's just me, though.