Re: I've been hacked by DevilSoul

To: debian-security@lists.debian.org
Subject: Re: I've been hacked by DevilSoul
From: Dries Kimpe <Dries.Kimpe@rug.ac.be>
Date: Sat, 12 Jan 2002 02:46:50 +0100 (CET)
Message-id: <[🔎] Pine.LNX.4.21.0201120232140.4893-100000@wina.rug.ac.be>
In-reply-to: <[🔎] Pine.LNX.4.21.0201120002400.22551-100000@gatekeeper.jane.org>

On Sat, 12 Jan 2002, Richard wrote:

> > On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote:
> > > 
> > > i doubt that a kernel module can override the linux kernel filesystem
> > > abstraction layer. but i guess it could be possible.
> > > 
> > 
> > Oh, it certainly can!  knark is a perfect example of a kernel module to
> > do just this.  (knark is Swedish for "drugged".)  It allows files,
> > processes, network connections, and network interface promiscuity to be
> > *completely* hidden.  It allows the cracker to override what actual
> > binary file gets run when a user tries to run some other (possibly
> > hidden) executable.
> 
> Here kstat might be of intrest, it's getting it's information directly
> from the kernel structures. (reading /dev/kmen, and using a dummy module)
> 

  Looking at all the nice things one can do with a modern (and
surprisingly easy to make) rootkit, I'm really thinking about just
avoiding modular kernels at any cost.

  I once had a redhat box hacked (old lpr exploit [from within the
'trusted' network]). Think it was adore I found (along with some sniffers)
I already avoid modules on most places (gateway, webservers, ...).
Usually the pro's from modules outweight the con's, but nowadays, with
memory that cheap i don't think it's worth the trouble anylonger.

  Still, knark is nice work ;-) Solves the whole AIDE-problem a hacker has
on most systems these days... As the document states, one of the only
possibilities in detecting knark is using the utils and try to get root
yourself, or unhide/hide files. Adore already had a solution for that:
those things mostly work by sending a signal to the process, and adore
used an offset, so the 'standard' detection tools couldn't detect it
anymore. Without the correct offset, nobody but those who installed the
rootkit could use it (easily). 

  The problem is that with code like that lying around (don't get me
wrong, I think it's *good* that people create things like that - without
challenge, there's no need for improvement, and it stimulates creativity  
- but what worries me is that it lowers the treshold. You don't have to
know that much about linux kernel internals to adapt the knark code to use
different signals/ports. As soon as people start to do that, most
rootkit-detection software fails... And as said in this thread before, one
can hide for a very long time in a (standard) linux system...

  Dries

Reply to:

Follow-Ups:
- Re: I've been hacked by DevilSoul
  - From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>

References:
- Re: I've been hacked by DevilSoul
  - From: Richard <ricv@denhaag.org>

Prev by Date: /etc/passwd->shell
Next by Date: Re: Socks & Squid?
Previous by thread: Re: I've been hacked by DevilSoul
Next by thread: Re: I've been hacked by DevilSoul
Index(es):
- Date
- Thread