Security Incidents mailing list archives
Re: Break-in attempt from 203.197.38.247
From: Ian Eure <ieure () SICKFUCK ORG>
Date: Fri, 25 Aug 2000 15:38:41 -0700
On Fri, 25 Aug 2000, Richard Fein wrote:
> -----Original Message-----
> From: Jason Storm [mailto:sec () ORGONE NEGATION NET]
> Sent: Friday, August 25, 2000 12:23 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Re: Break-in attempt from 203.197.38.247
>
> if you're running a kernel that allows loadable modules, you can't trust anything. even if you're not, if you haven't tripwired your kernel, you can't be sure the attacker didn't replace it with one that supports modules. modular rootkits are nothing exotic. anyone who has examined many compromised linux boxes and not bumped into them probably is not looking correctly.
>
> -jason storm
> negation industries
>
> I'm not sure whether this is appropriate for the list, but this has come up a number of times over here recently, with no good answers. What ARE the correct ways to look for kernel-module-based rootkits on a (possibly) hacked linux box? Are there any real telltale signs or solutions?
as far as i know, the only way is to boot from some secure media and examine the drive by hand. if there's a cloaking module that gets loaded at boot time, it has to be on the drive somewhere.

don't know if it's possible, but it would be really cool if there was a program that would compare the running kernel image with a known-good copy on read-only media to make sure the in-memory image hasn't been fiddled with.

--
______________________________________________
| "the whole scale of cosmic dimensions are falling from my mouth
| in the description of a kiss of the interimlovers"
| - einsturzende neubaten, "interim"
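One way to do the offline check described above, as an added example that is not part of the original thread: boot from trusted media, mount the suspect disk read-only, and compare a baseline manifest (taken while the box was known-good and kept on read-only media) against the kernel image, the module tree and the boot scripts that could load a module. The watched paths, the sample file contents and the demo layout are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Where a module loaded at boot has to leave a trace on disk; assumed 2000-era layout.
WATCHED = ("boot", "lib/modules", "etc/rc.d", "etc/modules.conf")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(mount):
    """{mount-relative path: sha256} of every regular file under WATCHED; take it while clean."""
    manifest = {}
    for rel in WATCHED:
        top = os.path.join(mount, rel)
        files = [top] if os.path.isfile(top) else (
            os.path.join(d, n) for d, _, names in os.walk(top) for n in names)
        for full in files:
            if os.path.isfile(full) and not os.path.islink(full):
                manifest[os.path.relpath(full, mount)] = sha256_file(full)
    return manifest

def verify(mount, baseline):
    """Compare a suspect disk mounted read-only against the baseline; {} means unchanged."""
    current = build_baseline(mount)
    findings = {rel: "missing" for rel in baseline if rel not in current}
    findings.update({rel: "modified" for rel, digest in baseline.items()
                     if rel in current and current[rel] != digest})
    findings.update({rel: "added" for rel in current if rel not in baseline})
    return findings

def demo():
    mount = tempfile.mkdtemp()  # constructed sample disk standing in for the mounted drive
    def put(rel, data):
        full = os.path.join(mount, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    put("boot/vmlinuz", b"kernel built without module support")
    put("lib/modules/2.2.16/net/eepro100.o", b"legitimate driver")
    put("etc/rc.d/rc.local", b"#!/bin/sh\n")
    baseline = build_baseline(mount)
    clean = verify(mount, baseline)                                    # expected: {}
    put("boot/vmlinuz", b"replacement kernel that supports modules")    # swapped kernel
    put("lib/modules/2.2.16/misc/extra.o", b"object not in baseline")   # new module file
    put("etc/rc.d/rc.local", b"#!/bin/sh\ninsmod extra\n")              # loader added at boot
    return clean, verify(mount, baseline)
```

The in-memory kernel the reply wishes it could check is not covered; this compares only what is on the drive, which is the part an offline boot can inspect without trusting the suspect kernel.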