
Re: Advice Needed On Recent Rootings



On Tue, 27 May 2003 at 11:58:21PM -0500, Jayson Vantuyl wrote:
> He appears to modify the kernel image in memory via /dev/kmem (a
> next-generation LKM attack).  I've considered removing /dev/kmem (does
> anything use it?) but I don't know about any side effects (and it
> doesn't prevent him mknod'ing it).  It appears he actually has some sort
> of kernel-level TTY logger *AND* a kernel-hack to hide files and
> processes.  The only comfort in this is that some of our kernels are
> apparently so exotic that his meddling crashes the machine during the
> break-in (instead of leaving a more compromised system).  In general,
> all of the rootkits are the same flavor (and seem unrelated to the LKM
> stuff).

Assuming he has rooted the box, removing /dev/kmem won't do any good as
he can merely recreate it using mknod(1).


-- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #163: RPC_PMAP_FAILURE 
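Since a deleted /dev/kmem can simply be recreated with mknod, a defender checking for it should look for the device by its major/minor numbers rather than by the path /dev/kmem. The script below is an added example, not code from either poster; it assumes the standard Linux numbering for the memory devices (character major 1, minor 1 = mem, 2 = kmem, 4 = port) and walks a filesystem reporting any such node outside the expected /dev entries.

```python
import os
import stat

# Linux character major 1 is the "memory devices" group; minors follow the
# kernel's devices.txt: 1 = mem, 2 = kmem, 4 = port. (Assumed standard
# numbering; recent kernels may not provide /dev/kmem at all.)
MEM_MAJOR = 1
MEM_MINORS = {1: "mem", 2: "kmem", 4: "port"}

def classify_node(mode, rdev):
    """Name the memory device an (st_mode, st_rdev) pair denotes, else None."""
    if not stat.S_ISCHR(mode) or os.major(rdev) != MEM_MAJOR:
        return None
    return MEM_MINORS.get(os.minor(rdev))

def sample_node(major, minor, is_char=True):
    """Construct a (mode, rdev) pair as os.lstat would report it (test input)."""
    mode = (stat.S_IFCHR if is_char else stat.S_IFREG) | 0o640
    return mode, os.makedev(major, minor)

def find_memory_device_nodes(root, skip=("/proc", "/sys")):
    """Walk root and return (path, device-name) for every mem/kmem/port node.

    Identification is by major/minor, not by name, so a node recreated with
    mknod under some other path is still reported.
    """
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if dirpath.startswith(skip):
            dirnames[:] = []  # do not descend into pseudo-filesystems
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            dev = classify_node(st.st_mode, st.st_rdev)
            if dev:
                found.append((path, dev))
    return found

def unexpected_nodes(found, expected=("/dev/mem", "/dev/kmem", "/dev/port")):
    """Keep only nodes whose path is not one of the expected /dev entries."""
    return [(p, d) for p, d in found if p not in expected]

if __name__ == "__main__":
    for path, dev in unexpected_nodes(find_memory_device_nodes("/")):
        print(f"{path}: character device with the major/minor of /dev/{dev}")
```

Run as root to read the whole filesystem; a hit outside /dev is a strong sign of the recreated node this thread describes.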