Re: I've been hacked by DevilSoul
On 13 Jan 2002, Florian Weimer wrote:
> Henrique de Moraes Holschuh <firstname.lastname@example.org> writes:
> > On Fri, 11 Jan 2002, Ricardo B wrote:
> > > Isn't there a way to turn module loading off (a way that can't be chagend
> > > back - without rebooting) ?
> > None that cannot be undone if you're root in a non-ACL kernel. It gets hard
> > if the kernel has no module support at all, but not impossible.
Hmm, am I right in assuming that all (current) non-LKM rootkits use
write access on /dev/kmem (/dev/mem)? In anycase, patching the kernel that
there's no write access would be a good idea.
Anybody knows of programs that need to write to dev kmem?
There are some (mostly video drivers) that write there I think, but most
should only be reading (like videoboard grabbers).
Another solution could be to randomize (or at least pick a
non-standard) GFP_KERNEL, as (in the article) there is no algorithm
(yet) to find that value. I'd rather have the box kernel-panic.
(Well, not *every* day of course ;-)