Re: Advice Needed On Recent Rootings
On Tue, 27 May 2003 at 11:58:21PM -0500, Jayson Vantuyl wrote:
> He appears to modify the kernel image in memory via /dev/kmem (a
> next-generation LKM attack). I've considered removing /dev/kmem (does
> anything use it?) but I don't know about any side effects (and it
> doesn't prevent him mknod'ing it). It appears he actually has some sort
> of kernel-level TTY logger *AND* a kernel-hack to hide files and
> processes. The only comfort in this is that some of our kernels are
> apparently so exotic that his meddling crashes the machine during the
> break-in (instead of leaving a more compromised system). In general,
> all of the rootkits are the same flavor (and seem unrelated to the LKM
> stuff).
Assuming he has rooted the box, removing /dev/kmem won't do any good, as
he can merely recreate it using mknod(1).
--
Phillip Hofmeister
PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #163: RPC_PMAP_FAILURE
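As an added example, not part of this thread or of any tool the posters mention: since a root-level intruder can recreate the kernel memory device under any name with mknod, a defender's check should key on the device numbers rather than on the path /dev/kmem. On Linux the memory devices live on character major 1, with /dev/mem at minor 1 and /dev/kmem at minor 2; the script below walks the filesystem and flags any character node carrying those numbers under an unexpected name. The function and type names are my own.

```python
import os
import stat
from typing import Iterable, List, NamedTuple, Tuple

# Linux character-device numbers for kernel memory access and the
# canonical path each one is expected to occupy.
KERNEL_MEMORY_DEVICES = {(1, 1): "/dev/mem", (1, 2): "/dev/kmem"}

# Pseudo-filesystems that contain no persistent device nodes; skipped
# so a scan from "/" does not wander through /proc and /sys.
SKIP_DIRS = {"/proc", "/sys"}


class DevNode(NamedTuple):
    """A character device node as seen by lstat (hypothetical helper type)."""
    path: str
    mode: int
    rdev: int


def make_node(path: str, major: int, minor: int) -> DevNode:
    """Build a DevNode for a character device; used for constructed test input."""
    return DevNode(path, stat.S_IFCHR | 0o600, os.makedev(major, minor))


def scan_filesystem(root: str = "/") -> Iterable[DevNode]:
    """Yield every character device node under root without following symlinks."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # unreadable or vanished entry; not a device node we can judge
            if stat.S_ISCHR(st.st_mode):
                yield DevNode(full, st.st_mode, st.st_rdev)


def suspicious_device_nodes(nodes: Iterable[DevNode]) -> List[Tuple[str, str]]:
    """Return (path, reason) for kernel memory devices found under an unexpected path."""
    findings = []
    for node in nodes:
        key = (os.major(node.rdev), os.minor(node.rdev))
        expected = KERNEL_MEMORY_DEVICES.get(key)
        if expected is not None and node.path != expected:
            findings.append((node.path,
                             f"char device {key[0]}:{key[1]} is {expected} under another name"))
    return findings


if __name__ == "__main__":
    for path, reason in suspicious_device_nodes(scan_filesystem("/")):
        print(f"{path}: {reason}")
```

Run it as root so every directory is readable; a hit in /tmp or a home directory deserves the same attention as a tampered /dev/kmem, because the node grants the same access regardless of its name.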