Honeypots mailing list archives
Re: sebek as a patch?
From: Valdis.Kletnieks () vt edu
Date: Thu, 06 Oct 2005 12:45:47 -0400
On Thu, 06 Oct 2005 09:35:48 CDT, Edward Balas said:
> Even if you could present an altered /dev/*mem, the intruder with root access can load a kern module which would give them direct access to kernel memory, bypassing all of your work. Yeah you could disable the install of kernel modules using the technique Thorsten mentioned, but that provides a pretty large indicator itself.

And of course, even a kernel built with *no* module support can still have a module inserted by a sufficiently determined adversary, if they have access to /dev/*mem: http://www.phrack.org/show.php?p=58&a=7