
Re: I've been hacked by DevilSoul

Dries Kimpe <Dries.Kimpe@rug.ac.be> writes:

>   Hmm, am I right in assuming that all (current) non-LKM rootkits use
> write access on /dev/kmem (/dev/mem)? In any case, patching the kernel so
> that there's no write access would be a good idea.

Yes, but it's a tremendous task.  Quite a few device drivers have bugs
which enable root to write kernel memory.

OTOH, if somebody obtains root privileges, he can probably plant a
kernel in the swapfile and instruct the boot loader to load it on the
next reboot.  AFAIK, most if not all checksumming tools don't deal
properly with such scenarios.

Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
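The second point above, that a file checksummer does not notice a boot entry redirected at a kernel it never hashed, is easy to demonstrate. The following is an added example, not code from the thread or from any of the tools it mentions: a tiny baseline/verify routine that hashes the boot-loader configuration and every kernel image it references, so a new or retargeted entry is flagged. The LILO-style `image=` syntax, the file names and the temporary directory are all constructed for the demo.

```python
# Added example (not from the thread): an integrity baseline that covers the
# boot-loader configuration and every kernel image it references, so that a
# changed boot entry is flagged, not only a changed file the tool already knew.
import hashlib
import os
import re
import tempfile

# Constructed: LILO-style "image=/path" lines, one per boot entry.
IMAGE_RE = re.compile(r"^\s*image\s*=\s*(\S+)", re.MULTILINE)

def sha256_file(path):
    """Hex SHA-256 of a file's contents."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def referenced_kernels(conf_path):
    """Paths named by image= entries in the boot-loader config."""
    with open(conf_path) as f:
        return IMAGE_RE.findall(f.read())

def build_baseline(conf_path):
    """Hash the boot config itself and each kernel it points at."""
    paths = [conf_path] + referenced_kernels(conf_path)
    return {p: sha256_file(p) for p in paths}

def verify(conf_path, baseline):
    """Return paths whose hash changed or that the baseline never recorded.

    A boot entry redirected to a new file shows up twice: the config changed,
    and the new kernel path is unknown.  A file-only checksum list that did
    not include the config misses the second part entirely."""
    current = build_baseline(conf_path)
    return sorted(p for p in current if baseline.get(p) != current[p])

def demo():
    """Constructed scenario: a new boot entry points at an unbaselined image."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "vmlinuz-good")
    with open(good, "wb") as f:
        f.write(b"kernel image A")          # constructed stand-in for a kernel
    conf = os.path.join(d, "lilo.conf")
    with open(conf, "w") as f:
        f.write(f"boot=/dev/hda\nimage={good}\n    label=linux\n")
    baseline = build_baseline(conf)
    assert verify(conf, baseline) == []     # clean state: nothing reported
    rogue = os.path.join(d, "vmlinuz-rogue")
    with open(rogue, "wb") as f:
        f.write(b"kernel image B")          # constructed "planted" kernel
    with open(conf, "a") as f:
        f.write(f"image={rogue}\n    label=linux\n")
    return verify(conf, baseline)           # [<conf path>, <rogue path>]
```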
