Re: I've been hacked by DevilSoul

To: debian-security@lists.debian.org
Cc: debian-security@lists.debian.org
Subject: Re: I've been hacked by DevilSoul
From: Dave Kline <dave@iitedge.com>
Date: Mon, 14 Jan 2002 12:14:09 -0500
Message-id: <[🔎] 3C4311E1.3010401@iitedge.com>
References: <[🔎] Pine.LNX.4.21.0201132200020.11835-100000@wina.rug.ac.be> <[🔎] 87elks50um.fsf@CERT.Uni-Stuttgart.DE>

"OTOH, if somebody obtains root privileges, he can probably plant akernel in the swapfile and instruct the boot loader to load it on thenext reboot. AFAIK, most if not all checksumming tools don't dealproperly with such scenarios. "

Quite a scary scenario. How could one plant a file in swap? How couldyou access that file?

-A. Dave


Florian Weimer wrote:

Dries Kimpe <Dries.Kimpe@rug.ac.be> writes:

 Hmm, am I right in assuming that all (current) non-LKM rootkits use
write access on /dev/kmem (/dev/mem)? In anycase, patching the kernel that
there's no write access would be a good idea.


Yes, but it's a tremendous task.  Quite a few device drivers have bugs
which enable root to write kernel memory.

OTOH, if somebody obtains root privileges, he can probably plant a
kernel in the swapfile and instruct the boot loader to load it on the
next reboot.  AFAIK, most if not all checksumming tools don't deal
properly with such scenarios.

Reply to:

Follow-Ups:
- Re: I've been hacked by DevilSoul
  - From: Henrique de Moraes Holschuh <hmh@debian.org>

References:
- Re: I've been hacked by DevilSoul
  - From: Dries Kimpe <Dries.Kimpe@rug.ac.be>
- Re: I've been hacked by DevilSoul
  - From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>

Prev by Date: Re: Asking for documentation help (Re: IPSec questions...)
Next by Date: Re: Debian security being trashed in Linux Today comments
Previous by thread: Re: I've been hacked by DevilSoul
Next by thread: Re: I've been hacked by DevilSoul
Index(es):
- Date
- Thread