IDS mailing list archives
Re: RootKits Under Linux
From: "Nathan Sportsman" <nsportsman () gmail com>
Date: Fri, 1 Feb 2008 19:05:07 -0600
I believe hooking functions has become difficult in the 2.6 kernel, because of the new syscall_table_description restrictions (its hidden). I've heard of a few dirty methods to get around this and I believe adore has a 2.6 version of their linux kernel module rootkit, but I have not messed around with it. Nathan Sportsman On Feb 1, 2008 3:56 PM, Brandon Louder <Brandon.Louder () mckennan org> wrote:
I can't answer your entire question but I can provide a good resource. http://www.packetstormsecurity.org/UNIX/penetration/rootkits/ Packet Storm has A LOT of known rootkits listed there with descriptions and links to other sites. Another tool you might look into is Rootkit Hunter (rkhunter). Good Luck! -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ahmed Zaki Sent: Thursday, January 31, 2008 1:41 PM To: focus-ids () securityfocus com Subject: RootKits Under Linux Hi all I am currently doing a project on rootkits under linux os. I am specially interested in loadable kernel module rootkits. I wanted to know where does research stand now in terms of detecting such rootkits. It would be very helpful if you would be able to point me to resources where I gain information on the diverse variations of these rootkits and current available methods of detecting them. Also if there are mechanisms that can be used to totally avoid detection that would be used by rootkits. Regards Zeeq ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig n=intro_sfw to learn more. ------------------------------------------------------------------------ ----------------------------------------- Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- RootKits Under Linux Ahmed Zaki (Feb 01)
- RE: RootKits Under Linux Brandon Louder (Feb 01)
- Re: RootKits Under Linux Nathan Sportsman (Feb 04)
- Re: RootKits Under Linux John Geddes (Feb 04)
- Re: RootKits Under Linux Johnny Wong (Feb 04)
- Re: RootKits Under Linux Hamilton Vera (Feb 04)
- RE: RootKits Under Linux Brandon Louder (Feb 01)