Hi Kyle. Although anything is possible, chances are there is no "hidden
partition." The *much* more likely scenario is that your client's computer
is simply running software which is vulnerable to a remote attack. Thus,
after a clean install, the computer is back up and running in its
previous state (with its previous software installed) and the "hackers"
just re-compromise the system again. I find this to be a surprisingly
common scenario.
To try and determine *how* the hackers are continually exploiting the
system, consider an external vulnerability assessment. Edgeos provides
this service for just $25. Simply visit Edgeos' web site
<http://www.edgeos.com> and place an order. It is a 100% remote and
automated service that will audit an IP (or entire network) for over 1500
vulnerabilities and threats. Within about two hours, you'll receive a
detailed report (both business impact and technical detail) about your
client's system's vulnerabilities. Bottom line, this can save you a ton of
time looking for a proverbial needle in the haystack.
About your question with 'dd', you could have it write zeros, or similar,
to the entire HDD. Although not using 'dd', this would do the trick (make
sure the target HDD is not mounted):
cat /dev/zero > /dev/hdX (where "hdX" is the drive to fill with zeros)
Hope that helps.
~Jay
On Fri, 25 Apr 2003, Kyle Faber wrote:
>
> I have a client who has a nasty hacker problem. I have reason to believe
> that there is some sort of "sleeper" application inside some kind of hidden
> partition. I came to this conclusion after seeing evidence of the hack
> return on a repartitioned, formatted, disconnected machine. The hacked users
> returned, the machine begins to attempt to phone home. There is no evidence
> of any hidden partitions using linux fdisk.
>
> Any suggestions? I have heard some form of the dd command can be used to
> overwrite ALL information on this disk. Anyone have any tips for that? Or
> any tips in general, I am tearing my hair out on this one.
>
> Thanks a bunch!
>
--
== Jay Jacobson
== Edgeos, Inc. - Security is Critical -
http://www.edgeos.com
==
== Automated Information Security and Hacker Sciences
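The dd-based wipe Jay and Kyle discuss above, written out as a small script with the checks a practitioner would want around it. This is an added example, not code from the thread or from Edgeos: it refuses to touch a mounted device, overwrites exactly the device's size with zeros via dd, and then verifies that no non-zero byte remains. So that it runs offline, the target is assumed to be a regular file standing in for a disk; against a real drive the argument would be something like /dev/sdb (the device, not a partition), run as root and only after unmounting it. Note that zeroing the disk only addresses the "hidden partition" theory; if the box is re-exploited through a vulnerable network service after the reinstall, as Jay suggests, a wipe will not stop it.

```shell
#!/bin/sh
# Added example, not from the original thread: wipe a disk with dd and verify
# that every byte now reads back as zero. To run offline the target is assumed
# to be a regular file standing in for a block device; against a real drive it
# would be something like /dev/sdb (as root, and only when it is not mounted).
set -eu

# size_of TARGET: size in bytes of a regular file or (on Linux) a block device.
size_of() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# refuse_if_mounted TARGET: abort if the device, or any partition on it
# (/dev/sdb1, /dev/nvme0n1p1, ...), appears in the mount table. Writing under
# a mounted filesystem races its cache and can leave the wipe incomplete.
# A regular file never appears in mount output, so the demo passes this check.
refuse_if_mounted() {
    if mount | grep -q "^$1[0-9p]* on "; then
        echo "refusing to wipe $1: it is mounted" >&2
        return 1
    fi
}

# wipe_with_dd TARGET: overwrite exactly size_of(TARGET) bytes with zeros.
# Whole 4 KiB blocks go first, then the remainder byte by byte, so a file is
# neither extended nor left with an unwiped tail; conv=notrunc keeps a regular
# file's length. sync afterwards pushes the zeros out of the page cache.
# (On a real device, plain "dd if=/dev/zero of=/dev/sdX bs=1M" also works: it
# runs until the kernel reports "No space left on device" and then exits 1.)
wipe_with_dd() {
    target=$1
    size=$(size_of "$target")
    blocks=$((size / 4096))
    rest=$((size % 4096))
    dd if=/dev/zero of="$target" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
    if [ "$rest" -gt 0 ]; then
        dd if=/dev/zero of="$target" bs=1 count="$rest" \
            seek="$((blocks * 4096))" conv=notrunc 2>/dev/null
    fi
    sync
}

# count_nonzero TARGET: number of bytes that are not 0x00; 0 after a good wipe.
# Reading the whole target back is the only way to know the zeros landed.
count_nonzero() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Usage: ./wipe.sh /path/to/target   (no argument: just define the functions)
if [ $# -eq 1 ]; then
    refuse_if_mounted "$1"
    wipe_with_dd "$1"
    left=$(count_nonzero "$1")
    echo "$1: $left non-zero bytes remain"
    [ "$left" -eq 0 ]
fi
```

Run it against a scratch image first (for example a file filled from /dev/urandom) to see the verification pass before pointing it at a disk; once it is pointed at /dev/sdX there is no undo, and the verification step is what tells you the drive really came back all zeros rather than, say, dd having stopped early on an I/O error.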