
Re: I've been hacked by DevilSoul

On 13 Jan 2002, Florian Weimer wrote:

> Henrique de Moraes Holschuh <hmh@debian.org> writes:
> > On Fri, 11 Jan 2002, Ricardo B wrote:
> > > Isn't there a way to turn module loading off (a way that can't be changed
> > > back - without rebooting) ?
> > 
> > None that cannot be undone if you're root in a non-ACL kernel. It gets hard
> > if the kernel has no module support at all, but not impossible.

  Hmm, am I right in assuming that all (current) non-LKM rootkits use
write access on /dev/kmem (/dev/mem)? In any case, patching the kernel so that
there's no write access would be a good idea.

 Does anybody know of programs that need to write to /dev/kmem?
There are some (mostly video drivers) that write there, I think, but most
should only be reading (like videoboard grabbers).

  Another solution could be to randomize (or at least pick a
non-standard) GFP_KERNEL, as (in the article) there is no algorithm
(yet) to find that value. I'd rather have the box kernel-panic.
(Well, not *every* day of course ;-)


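[Editor's note, not part of the thread.] The three things discussed above (write access to /dev/kmem, write access to /dev/mem, and a one-way switch for module loading) all became kernel build or runtime options in later kernels: /dev/kmem only exists when CONFIG_DEVKMEM is set (2.6.26 onward; the device was removed outright in 5.13), CONFIG_STRICT_DEVMEM confines /dev/mem to non-RAM ranges, and the kernel.modules_disabled sysctl (2.6.31 onward) is exactly the "can't be changed back without rebooting" knob asked about: once it reads 1 it stays 1 until reboot. The script below is an added example that reports the userland-visible state of those knobs; it is not code from the thread or from Debian. The optional root-prefix argument is an assumption of this script (it lets the same checks run against a constructed /dev and /proc tree instead of the live system), and CONFIG_STRICT_DEVMEM is only visible when the kernel exports /proc/config.gz.

```shell
#!/bin/sh
# Added example, not code from the thread: report the userland-visible state of
# the kernel knobs discussed above. The root-prefix argument is an assumption
# of this script; it allows the checks to run against a constructed directory
# tree instead of the live /dev and /proc.

# kmem_report [ROOT]
# Prints one line per check plus a summary; the exit status is the number of
# findings (0 means every inspectable check came back hardened).
kmem_report() {
    root="${1:-}"
    findings=0

    # 1. /dev/kmem: the write channel the non-LKM rootkits in the thread use.
    #    It exists only when the kernel was built with CONFIG_DEVKMEM
    #    (dropped entirely in Linux 5.13).
    if [ -e "$root/dev/kmem" ]; then
        echo "dev-kmem:  present (kernel memory writable by root via /dev/kmem)"
        findings=$((findings + 1))
    else
        echo "dev-kmem:  absent"
    fi

    # 2. /dev/mem: present on nearly every system, but CONFIG_STRICT_DEVMEM
    #    limits it to non-RAM ranges. The option can only be read back from
    #    /proc/config.gz, which needs CONFIG_IKCONFIG_PROC.
    cfg="$root/proc/config.gz"
    if [ -r "$cfg" ] && gzip -dc "$cfg" 2>/dev/null | grep -q '^CONFIG_STRICT_DEVMEM=y'; then
        echo "dev-mem:   restricted (CONFIG_STRICT_DEVMEM=y)"
    elif [ -r "$cfg" ]; then
        echo "dev-mem:   unrestricted (CONFIG_STRICT_DEVMEM not set)"
        findings=$((findings + 1))
    else
        echo "dev-mem:   unknown (no /proc/config.gz to inspect)"
    fi

    # 3. Module loading: kernel.modules_disabled (2.6.31 onward) is the one-way
    #    switch asked about in the thread; once set to 1 it cannot be cleared
    #    without a reboot. Older kernels have no such file at all.
    md="$root/proc/sys/kernel/modules_disabled"
    if [ -r "$md" ] && [ "$(cat "$md")" = "1" ]; then
        echo "modules:   disabled until reboot"
    elif [ -r "$md" ]; then
        echo "modules:   loadable (echo 1 > /proc/sys/kernel/modules_disabled to lock)"
        findings=$((findings + 1))
    else
        echo "modules:   no modules_disabled sysctl on this kernel"
        findings=$((findings + 1))
    fi

    echo "findings:  $findings"
    return "$findings"
}

# Run against the live system, or against the tree given as $1. The || keeps a
# non-zero finding count from aborting a shell started with -e; the count is
# left in $rc for callers that source this file.
rc=0
kmem_report "${1:-}" || rc=$?
```

Run it as `sh kmem_report.sh` on a live box (the file name is hypothetical); the exit status of `kmem_report` is the number of findings, so it drops into a cron job or a hardening checklist without parsing the text. Note that the script only reports what is visible from userland: a kernel built without CONFIG_IKCONFIG_PROC gives no way to confirm CONFIG_STRICT_DEVMEM short of reading the build config, and none of these knobs helps once an attacker already has root on a kernel that exposes /dev/kmem, which is the point Henrique makes above.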