Re: I've been hacked by DevilSoul

To: Dries Kimpe <Dries.Kimpe@rug.ac.be>
Cc: debian-security@lists.debian.org
Subject: Re: I've been hacked by DevilSoul
From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Date: 14 Jan 2002 17:55:13 +0100
Message-id: <[🔎] 87elks50um.fsf@CERT.Uni-Stuttgart.DE>
In-reply-to: <[🔎] Pine.LNX.4.21.0201132200020.11835-100000@wina.rug.ac.be> (Dries Kimpe's message of "Sun, 13 Jan 2002 22:08:06 +0100 (CET)")
References: <[🔎] Pine.LNX.4.21.0201132200020.11835-100000@wina.rug.ac.be>

Dries Kimpe <Dries.Kimpe@rug.ac.be> writes:

>   Hmm, am I right in assuming that all (current) non-LKM rootkits use
> write access on /dev/kmem (/dev/mem)? In anycase, patching the kernel that
> there's no write access would be a good idea.

Yes, but it's a tremendous task.  Quite a few device drivers have bugs
which enable root to write kernel memory.

OTOH, if somebody obtains root privileges, he can probably plant a
kernel in the swapfile and instruct the boot loader to load it on the
next reboot.  AFAIK, most if not all checksumming tools don't deal
properly with such scenarios.

-- 
Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898

Reply to:

Follow-Ups:
- Re: I've been hacked by DevilSoul
  - From: Dave Kline <dave@iitedge.com>

References:
- Re: I've been hacked by DevilSoul
  - From: Dries Kimpe <Dries.Kimpe@rug.ac.be>

Prev by Date: Re: Once again: Spam (from hananet.net, korea)
Next by Date: Re: Asking for documentation help (Re: IPSec questions...)
Previous by thread: Re: I've been hacked by DevilSoul
Next by thread: Re: I've been hacked by DevilSoul
Index(es):
- Date
- Thread