
Re: Server hacked - next...?



On Fri, Jul 04, 2003 at 01:09:53PM +0100, Shri Shrikumar wrote:
> On Thu, 2003-07-03 at 22:30, Mario Lopez wrote:
> > In any case if you have an lkm rootkit, you're done, doesn't matter if 
> > you upload static, dynamic or whatever, kernel root kits are hard to
> > find, not even lsmod, rmmod can help you because it is quite easy to 
> > make a kernel module unloadable or even hidden, some of you may be 
> > thinking that they are safe to those kind of attacks because they
> > have disabled kernel module support in their kernel, well they are 
> > wrong :), there is code, and nice white papers explaining how to 
> > insert kernel code through /proc/kmem, if I am not wrong Silvio 
> > Cesare developed this technique two or three years ago, although it 
> > hasn't been exploited too much you must be aware of its existence.
> 
> I don't have module support and I don't have /proc/kmem. Am I missing
> something? Running 2.4.20.

/dev/kmem?  You can remove it, sure, but it can just be mknod'd again.

 - Keegan
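
The point of the reply above, turned into a check (an added example, not part of the original thread): since a deleted node can be recreated with mknod at any path, this sketch looks for character devices carrying the Linux raw-memory numbers (major 1, minor 1 mem, 2 kmem, 4 port) anywhere on disk. The function names and the expected-path list are assumptions made for illustration.

```python
import os
import stat

# Linux "mem" driver minors under character major 1 that expose raw memory.
RAW_MEMORY_NODES = {(1, 1): "mem", (1, 2): "kmem", (1, 4): "port"}
# Assumption: these are the only paths where such nodes are expected.
EXPECTED_PATHS = {"/dev/mem", "/dev/kmem", "/dev/port"}


def classify(path, st_mode, st_rdev):
    """Return a finding string if this inode is a raw-memory device node, else None."""
    if not stat.S_ISCHR(st_mode):
        return None
    name = RAW_MEMORY_NODES.get((os.major(st_rdev), os.minor(st_rdev)))
    if name is None:
        return None
    where = "expected location" if path in EXPECTED_PATHS else "UNEXPECTED location"
    return f"{path}: {name} device ({where}), mode {stat.filemode(st_mode)}"


def scan(root="/"):
    """Walk root without following symlinks and report every raw-memory node."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Skip pseudo-filesystems; they cannot hold mknod-created nodes.
        if dirpath in ("/proc", "/sys"):
            dirnames[:] = []
            continue
        for entry in filenames:
            path = os.path.join(dirpath, entry)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; nothing to classify
            finding = classify(path, st.st_mode, st.st_rdev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in scan("/"):
        print(line)
```

A kernel-level rootkit of the kind discussed in the quoted message can hide files from a scan run on the live system, so the result is only trustworthy when the disk is examined from known-good boot media.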
