RE: HELP I've been cracked
On 11 Feb 2002 12:16 PM, Anthony DeRobertis wrote:

> > One of the things I did with my firewall was compile all the
> > needed modules into the kernel, so that no additional modules
> > can be loaded -- which is one way a hacker can install things.
>
> If you have root, you can just write to kernel memory. No
> modules needed.

But if the machine is restarted, those changes either do not persist
(same kernel) or are quite obvious (modified kernel overwrites the old
one, etc).  On the other hand, having a hostile module inserted into the
kernel not only allows persistence, it is much harder to detect with IDS
tools.

Linux has an abundance of malicious LKMs, ready for anyone to download
and implement, so I see this as a primary method to potentially exploit
my system.  YMMV.

BTW, you can seal off /dev/kmem and /dev/mem.  This of course results in
X not working, but that's fine, this is a server.

I'm not saying this is the answer to every possible scenario.  There are
a number of other items to tick off the "security checklist", such as
read-only media.  When added up, they make it a lot harder for the
casual skript kiddie to come along and wreak havoc -- and hopefully
less-than-determined blackhats -- but I don't for a minute think I'm
impenetrable.

Jeff Bonner
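The hardening points argued over in this exchange (a kernel that cannot take new modules, /dev/mem and /dev/kmem sealed off, and a way to notice a module that should not be there) can be turned into a repeatable host check. The script below is an added example, not code from the thread or from either poster. It assumes interfaces that postdate the 2002 discussion: the one-way `kernel.modules_disabled` sysctl and the `/proc/modules` listing. The baseline file format (one module name per line, captured on a known-good install) and the `/etc/modules.baseline` path in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original thread. Audits a Linux host for
# the hardening points raised above: can the kernel still accept modules, are
# /dev/mem and /dev/kmem exposed, and does the loaded-module list match a
# known-good baseline. Every function takes a root directory so it can be run
# against a constructed fake tree for testing; on a live host pass "/".

# Exit 0 when no further module can be loaded: either the kernel was built
# without CONFIG_MODULES (no /proc/modules, the monolithic setup described
# above) or kernel.modules_disabled has been set to 1, which cannot be
# undone until reboot.
module_loading_locked() {
    root="${1:-/}"
    [ -e "$root/proc/modules" ] || return 0
    flag="$root/proc/sys/kernel/modules_disabled"
    [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ] && return 0
    return 1
}

# Print the raw-memory device nodes that still exist under $root/dev, one per
# line. Nothing printed means both are sealed off (or, on recent kernels,
# /dev/kmem was never built at all).
exposed_mem_devices() {
    root="${1:-/}"
    for dev in mem kmem; do
        [ -e "$root/dev/$dev" ] && echo "$dev"
    done
    return 0
}

# Print loaded module names that do not appear in the baseline file (one
# name per line). An empty result means every loaded module is expected.
unexpected_modules() {
    root="${1:-/}"
    baseline="$2"
    [ -e "$root/proc/modules" ] || return 0
    # /proc/modules fields: name size refcount dependencies state address
    awk '{ print $1 }' "$root/proc/modules" | grep -vxF -f "$baseline" || true
}

# Human-readable summary; the exit status is the number of findings so a
# cron job or monitoring agent can alert on anything non-zero.
audit_host() {
    root="${1:-/}"
    baseline="$2"
    findings=0
    if module_loading_locked "$root"; then
        echo "module loading: locked"
    else
        echo "module loading: OPEN (consider kernel.modules_disabled=1 after boot)"
        findings=$((findings + 1))
    fi
    for dev in $(exposed_mem_devices "$root"); do
        echo "raw memory device present: /dev/$dev"
        findings=$((findings + 1))
    done
    for mod in $(unexpected_modules "$root" "$baseline"); do
        echo "module not in baseline: $mod"
        findings=$((findings + 1))
    done
    return "$findings"
}

# Usage (paths are assumptions of this example):
#   sh lkm_audit.sh / /etc/modules.baseline
# Build the baseline once on a trusted install with:
#   awk '{ print $1 }' /proc/modules > /etc/modules.baseline
if [ "$#" -ge 1 ]; then
    audit_host "$1" "${2:-/dev/null}"
fi
```

The baseline comparison only catches a module that still shows up in `/proc/modules`; a module that unlinks itself from the list after loading will not appear there, which is exactly why the poster prefers to remove module support outright rather than rely on detection after the fact.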
