RE: HELP I've been cracked
On 13 Feb 2002 03:35 PM, Anthony DeRobertis wrote:
> > But if the machine is restarted, those changes either do not
> > persist (same kernel) or are quite obvious (modified kernel
> > overwrites the old one, etc). On the other hand, having a
> > hostile module inserted into the kernel not only allows
> > persistence, it is much harder to detect with IDS tools.
>
> Huh? How is that any different? Assuming you reboot off clean
> media to check for security issues (of course you do), loading a
> module automatically will show as a change in some file on the
> file system.
Hmm, this is true. At this point, I was going on the advice I've been
given and what I've read in documentation and such, so my rationale may
indeed be flawed. I have not, knock on wood, had a box compromised in
any way, so I have no practical experience in that regard. Whether
that's the result of my security efforts, or just pure luck, who knows.
> > Linux has an abundance of malicious LKMs, ready for anyone
> > to download and implement, so I see this as a primary method
> > to potentially exploit my system. YMMV.
>
> There are the same for systems without modules, unfortunately.
> I've seen it published on the web. No URL; sorry. Maybe Google
> can find it.
Yeah, I've heard tidbits on them, but I don't know anything substantial
about it. I should probably make that "further reading".
> > I'm not saying this is the answer to every possible scenario.
> > There are a number of other items to tick off the "security
> > checklist", such as read-only media. When added up, they make
> > it a lot harder for the casual skript kiddie to come along and
> > wreak havoc -- and hopefully less-than-determined blackhats --
> > but I don't for a minute think I'm impenetrable.
>
> Here, we agree completely.
And I never meant to debate whether any given method could be
overridden, although it seems to have turned into that. I should
know better.... the stock answer to the original BIND problem would be
"chroot jail", which itself can supposedly be broken out of. I was just
trying to give the original inquirer some ideas to implement, out of a
vast potential. I'm no authority on Linux, much less this topic, so I
tried to qualify many of those points in my original message. Sorry if
there was any confusion, I'm always up for (constructive) criticism when
I'm wrong.
Jeff Bonner
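The point both writers settle on above is that module persistence still has to touch the file system, so a baseline taken while the box is known-good, and compared against after booting from clean media, exposes it. The following is an added example of that baseline-and-compare check; it is not code from either participant and is a simplified stand-in for tools such as Tripwire or AIDE. The directory layout, file names and contents in `demo()` are constructed for the example, and the baseline would in practice be stored on read-only media so the system being checked cannot alter it.

```python
"""Baseline-and-compare file integrity check (added example, not from the thread)."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash.

    Symlinks are skipped so a link pointing outside the tree cannot be used
    to make the snapshot hash something other than the tree itself.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_file() and not full.is_symlink():
                rel = full.relative_to(root).as_posix()
                baseline[rel] = hash_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(
            k for k in base_keys & cur_keys if baseline[k] != current[k]
        ),
    }


def demo() -> dict:
    """Constructed scenario: a known-good tree, then a persistence-style change.

    Paths and contents are made up for the example; the .ko files are short
    placeholder byte strings, not real kernel modules.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "lib" / "modules").mkdir(parents=True)
        (root / "etc" / "modules").write_text("loop\n")
        (root / "lib" / "modules" / "loop.ko").write_bytes(b"\x7fELF placeholder 1\n")

        # Snapshot taken while the system is trusted; keep it off the box.
        baseline = build_baseline(root)

        # Constructed change standing in for a module being made to load at boot:
        # the autoload list gains an entry and a new module file appears.
        (root / "etc" / "modules").write_text("loop\nunexpected\n")
        (root / "lib" / "modules" / "unexpected.ko").write_bytes(b"\x7fELF placeholder 2\n")

        # Re-scan (in real use: after booting from clean media) and diff.
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Run it and the report lists `etc/modules` as modified and `lib/modules/unexpected.ko` as added, which is exactly the "change in some file on the file system" the thread expects an autoloaded module to leave. The check is only as trustworthy as the environment that runs it: hashing from the possibly compromised kernel, or against a baseline it can write to, defeats the purpose, which is why the thread's advice to reboot off clean media matters.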