
RE: HELP I've been cracked



On 13 Feb 2002 03:35 PM, Anthony DeRobertis wrote:

> > But if the machine is restarted, those changes either do not
> > persist (same kernel) or are quite obvious (modified kernel
> > overwrites the old one, etc).  On the other hand, having a
> > hostile module inserted into the kernel not only allows
> > persistence, it is much harder to detect with IDS tools.
>
> Huh? How is that any different? Assuming you reboot off clean
> media to check for security issues (of course you do), loading a
> module automatically will show as a change in some file on the
> file system.

Hmm, this is true.  At this point, I was going on the advice I've been
given and what I've read in documentation and such, so my rationale may
indeed be flawed.  I have not, knock on wood, had a box compromised in
any way, so I have no practical experience in that regard.  Whether
that's the result of my security efforts, or just pure luck, who knows.

> > Linux has an abundance of malicious LKMs, ready for anyone
> > to download and implement, so I see this as a primary method
> > to potentially exploit my system.  YMMV.
>
> There are the same for systems without modules, unfortunately.
> I've seen it published on the web. No URL; sorry. Maybe Google
> can find it.

Yeah, I've heard tidbits on them, but I don't know anything substantial
about it.  I should probably make that "further reading".

> > I'm not saying this is the answer to every possible scenario.
> > There are a number of other items to tick off the "security
> > checklist", such as read-only media.  When added up, they make
> > it a lot harder for the casual skript kiddie to come along and
> > wreak havoc -- and hopefully  less-than-determined blackhats --
> > but I don't for a minute think I'm impenetrable.
>
> Here, we agree completely.

And I never meant to debate whether any given method could be
overridden, although it seems to have turned into that.  I should
know better.... the stock answer to the original BIND problem would be
"chroot jail", which itself can supposedly be broken out of.  I was just
trying to give the original inquirer some ideas to implement, out of a
vast potential.  I'm no authority on Linux, much less this topic, so I
tried to qualify many of those points in my original message.  Sorry if
there was any confusion; I'm always up for (constructive) criticism when
I'm wrong.

Jeff Bonner
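The check Anthony describes above (boot from clean media, then look for changes in the files that control module loading and startup) comes down to a hash baseline compared against a fresh snapshot. The example below is added here and is not code from either poster; the file paths and contents are constructed samples standing in for a trusted baseline and a later snapshot, and the module name in them is a placeholder, not a real kernel module.

```python
import hashlib

# Constructed sample "filesystems": path -> file contents. In practice the
# baseline would be recorded right after installation and kept on read-only
# media, and the current snapshot would be taken after booting from clean
# media, so a tampered kernel cannot lie about what is on disk.
BASELINE_FS = {
    "/etc/modules": b"# modules to load at boot\nlp\n",
    "/etc/modules.conf": b"alias eth0 3c59x\n",
    "/etc/rc.d/rc.local": b"#!/bin/sh\n# local startup\n",
}

# Same files later: one autoload list has an extra line and a new object
# file has appeared under the module directory (placeholder names only).
CURRENT_FS = {
    "/etc/modules": b"# modules to load at boot\nlp\nplaceholder_mod\n",
    "/etc/modules.conf": b"alias eth0 3c59x\n",
    "/etc/rc.d/rc.local": b"#!/bin/sh\n# local startup\n",
    "/lib/modules/placeholder_mod.o": b"\x7fELF\x01\x01\x01placeholder",
}


def snapshot(fs):
    """Hash every file's contents; this is what gets stored as the baseline."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in fs.items()}


def snapshot_paths(paths):
    """Same thing against real files on disk (not used by the test below)."""
    result = {}
    for path in paths:
        with open(path, "rb") as fh:
            result[path] = hashlib.sha256(fh.read()).hexdigest()
    return result


def compare(baseline, current):
    """Report files that appeared, disappeared, or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def report(diff):
    """Render the comparison as one line per finding, for a human to read."""
    lines = []
    for kind in ("added", "removed", "modified"):
        lines.extend(f"{kind.upper():8} {path}" for path in diff[kind])
    return lines or ["no changes since baseline"]


if __name__ == "__main__":
    for line in report(compare(snapshot(BASELINE_FS), snapshot(CURRENT_FS))):
        print(line)
```

The important property is not the hashing but where the baseline lives and what kernel is running when the snapshot is taken: a baseline stored on the compromised disk, or a snapshot taken under a kernel that may already carry a hostile module, proves nothing, which is exactly why the reply insists on rebooting from clean media first.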
