Re: I've been hacked by DevilSoul



thus spoke Ricardo B <etralex@ua.pt> [2002.01.11.1804 +0100]:
> There is no need for a rootkit to reboot the machine in order to hide himself.
> He can be loaded as a kernel module and then hide all traces of its presence in
> the system, by overriding the proper system calls and /proc info.
> Isn't there a way to turn module loading off (a way that can't be changed back
> without rebooting)?

i doubt that a kernel module can override the linux kernel filesystem
abstraction layer. but i guess it could be possible.

> Boot the machine with a secure (as in external) kernel and root file system. 
> Only then use tripwire to see if anything has changed.
> Hmm... can we trust the BIOS? :-)

how can you overwrite the bios from linux? and: how much does linux care
about the bios? we're dealing with hard drives, and i have *no*
hard drives configured in any bios, i let the kernel take care of it all.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
if you want peace, prepare for war
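The offline check the quoted message recommends, as an added example that is not part of this thread: boot from trusted media, mount the suspect root filesystem read-only, and compare it against a hash manifest that was stored off-box while the system was known-good, so a module that hooks the running kernel's syscalls cannot hide the changes. The function names, the ROOT/BASELINE arguments and the manifest layout (plain sha256sum output with paths relative to ROOT) are assumptions.

```shell
# Added example, not from this thread: a minimal tripwire-style integrity check
# run from a trusted boot. Assumes the suspect root filesystem is mounted
# read-only at ROOT and that a baseline manifest (plain "sha256sum" output,
# paths relative to ROOT) was written and kept off-box while known-good.

# make_baseline ROOT OUT: hash every regular file under ROOT into OUT.
make_baseline() {
    root=$1; out=$2
    ( cd "$root" && find . -type f | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done ) > "$out"
}

# verify_baseline ROOT BASELINE: print one line per discrepancy
# (CHANGED / MISSING / NEW) and return 1 if there were any, 0 otherwise.
# Rehashing from an external kernel sidesteps the hooked syscalls and
# doctored /proc that the quoted message describes.
verify_baseline() {
    root=$1; base=$2
    report=$(
        # Every file the baseline knows about: still there and unchanged?
        while read -r sum path; do
            if [ ! -f "$root/$path" ]; then
                echo "MISSING $path"
            elif [ "$(sha256sum "$root/$path" | cut -d' ' -f1)" != "$sum" ]; then
                echo "CHANGED $path"
            fi
        done < "$base"
        # Files present now that the baseline never saw (dropped binaries, modules).
        ( cd "$root" && find . -type f ) | LC_ALL=C sort | while read -r path; do
            cut -d' ' -f3- "$base" | grep -qxF -- "$path" || echo "NEW $path"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```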
