Hacker News

"mostly". It's not unusual to deliver an easy-to-detect, obvious piece of malware and your real payload to catch those convinced that they got it all.

This is the reason why being equipped for automatic reimaging of a server and quick rotation of keys and passwords should be standard practice nowadays.



I'm talking about the end-user. From a server perspective, I would argue that it depends on the impact.

With a proper setup you should be able to tell if you are dealing with something on the kernel level vs. a typical script kiddie style attack.

Reloading a server with 1000s of customers is not that simple.


You have now revealed that if somebody were to get access to one of your servers, they just need to drop some script kiddie trash at the very front, and then put their heavy stuff deep into the system.

You'll clean up the script kiddie trash, and call it a day.


No, you can't, because the latter could have dropped the former.

You mass inject with a low impact exploit and any high profile targets you stumble upon can be dropped a high impact rootkit.

You must be very, very sure before you decide you only got hit by a script kiddie attack.


How do you "tell" there was something on the kernel level without offline forensics (which means the machine is off the grid anyways)?

A compromised Kernel can lie to you about everything, including the malware.
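As an added example (not from any commenter in this thread): what the "offline forensics" step looks like in practice, comparing a suspect disk image mounted read-only on a clean host against the manifest of the golden image you would reimage from, so the suspect kernel never gets to answer the question. The paths and file contents are constructed stand-ins for a real mount point.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

def hash_tree(root: Path) -> Dict[str, str]:
    """SHA-256 every regular file under root, keyed by path relative to root.
    Run this from a clean host against a mounted (read-only) image, never from
    inside the suspect system: a compromised kernel can hide or rewrite files."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            manifest[str(full.relative_to(root))] = h.hexdigest()
    return manifest

def diff_manifests(baseline: Dict[str, str], suspect: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every difference between the golden-image manifest and the suspect image."""
    return {
        "modified": sorted(p for p in baseline if p in suspect and baseline[p] != suspect[p]),
        "added":    sorted(p for p in suspect if p not in baseline),
        "missing":  sorted(p for p in baseline if p not in suspect),
    }

def demo() -> Dict[str, List[str]]:
    """Constructed sample: a 'golden' tree and a 'suspect' tree in which one binary
    was replaced and one file was planted (stand-ins for real image mount points)."""
    golden = Path(tempfile.mkdtemp(prefix="golden_"))
    suspect = Path(tempfile.mkdtemp(prefix="suspect_"))
    for root in (golden, suspect):
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"ELF-placeholder ls")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
    (suspect / "bin" / "ls").write_bytes(b"ELF-placeholder ls + trojan")  # modified binary
    (suspect / "etc" / "ld.so.preload").write_text("/lib/x.so\n")          # planted file
    return diff_manifests(hash_tree(golden), hash_tree(suspect))

if __name__ == "__main__":
    print(demo())
```

Anything in "modified" or "added" under system paths is the signal that a live-system scan could have been lied to about; "missing" catches log and binary removal the same way.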



