[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: I've been hacked by DevilSoul

On Fri, 11 Jan 2002, Noah L. Meyerhans wrote:

> On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote:
> > 
> > i doubt that a kernel module can override the linux kernel filesystem
> > abstraction layer. but i guess it could be possible.
> > 
> Oh, it certainly can!  knark is a perfect example of a kernel module to
> do just this.  (knark is Swedish for "drugged".)  It allows files,
> processes, network connections, and network interface promiscuity to be
> *completely* hidden.  It allows the cracker to override what actual
> binary file gets run when a user tries to run some other (possibly
> hidden) executable.

Here kstat might be of intrest, it's getting it's information directly
from the kernel structures. (reading /dev/kmen, and using a dummy module)


Reply to: