Re: I've been hacked by DevilSoul

To: debian-security@lists.debian.org
Subject: Re: I've been hacked by DevilSoul
From: Richard <ricv@denhaag.org>
Date: Sat, 12 Jan 2002 00:06:28 +0100 (MET)
Message-id: <[🔎] Pine.LNX.4.21.0201120002400.22551-100000@gatekeeper.jane.org>
In-reply-to: <[🔎] 20020111164048.N1098@morgul.net>


On Fri, 11 Jan 2002, Noah L. Meyerhans wrote:

> On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote:
> > 
> > i doubt that a kernel module can override the linux kernel filesystem
> > abstraction layer. but i guess it could be possible.
> > 
> 
> Oh, it certainly can!  knark is a perfect example of a kernel module to
> do just this.  (knark is Swedish for "drugged".)  It allows files,
> processes, network connections, and network interface promiscuity to be
> *completely* hidden.  It allows the cracker to override what actual
> binary file gets run when a user tries to run some other (possibly
> hidden) executable.

Here kstat might be of intrest, it's getting it's information directly
from the kernel structures. (reading /dev/kmen, and using a dummy module)

[RicV]

Reply to:

Follow-Ups:
- Re: I've been hacked by DevilSoul
  - From: Dries Kimpe <Dries.Kimpe@rug.ac.be>

References:
- Re: I've been hacked by DevilSoul
  - From: "Noah L. Meyerhans" <frodo@morgul.net>

Prev by Date: RE: Hacked too?
Next by Date: RE: Hacked too?
Previous by thread: Re: I've been hacked by DevilSoul
Next by thread: Re: I've been hacked by DevilSoul
Index(es):
- Date
- Thread