Security Incidents mailing list archives
Re: Break-in attempt from 203.197.38.247
From: Richard Fein <rfein () VM COM>
Date: Fri, 25 Aug 2000 13:01:08 -0400
-----Original Message-----
From: Jason Storm [mailto:sec () ORGONE NEGATION NET]
Sent: Friday, August 25, 2000 12:23 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Break-in attempt from 203.197.38.247

If you're running a kernel that allows loadable modules, you can't trust anything. Even if you're not, if you haven't tripwired your kernel, you can't be sure the attacker didn't replace it with one that supports modules. Modular rootkits are nothing exotic. Anyone who has examined many compromised Linux boxes and not bumped into them probably is not looking correctly.

-Jason Storm
Negation Industries
I'm not sure whether this is appropriate for the list, but this has come up a number of times over here recently, with no good answers. What ARE the correct ways to look for kernel-module-based rootkits on a (possibly) hacked Linux box? Are there any real tell-tale signs or solutions?

-Richard
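The "tripwire your kernel" advice quoted above amounts to keeping an offline baseline of hashes for the kernel image and module tree and comparing against it after a suspected compromise. The script below is an added illustration of that idea, written for this archive page; it is not code from either poster or from the Tripwire project. The watch list (/boot and /lib/modules), the baseline file name and the use of /proc/modules as the sign that the running kernel supports loadable modules are assumptions, not something the thread states.

```python
"""Tripwire-style integrity baseline for the kernel image and module tree.

Usage (hypothetical paths):
    python kcheck.py baseline kernel.baseline.json     # from a known-good boot
    python kcheck.py verify   kernel.baseline.json     # after a suspected compromise
"""
import hashlib
import json
import os
import sys
from pathlib import Path

# Assumed watch list: kernel image(s), System.map and the loadable-module tree.
DEFAULT_WATCH = ["/boot", "/lib/modules"]


def sha256_file(path):
    """Hash one regular file in chunks so large module trees stay cheap."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(roots):
    """Return {absolute path: sha256} for every regular file under roots."""
    baseline = {}
    for root in roots:
        root = Path(root)
        if root.is_file():
            baseline[str(root)] = sha256_file(root)
            continue
        for p in sorted(root.rglob("*")):
            # Skip symlinks: hash the target once, under its own path.
            if p.is_file() and not p.is_symlink():
                baseline[str(p)] = sha256_file(p)
    return baseline


def compare(baseline, current):
    """Classify differences between two baselines as modified/added/removed."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def modules_enabled(proc_modules="/proc/modules"):
    """Assumption: /proc/modules exists only when the kernel supports loadable modules.

    A verify run on a box that was built without module support should flag a
    True result here as a sign the kernel itself may have been swapped.
    """
    return os.path.exists(proc_modules)


def main(argv):
    if len(argv) != 3 or argv[1] not in ("baseline", "verify"):
        print(__doc__)
        return 2
    mode, store = argv[1], argv[2]
    if mode == "baseline":
        with open(store, "w") as f:
            json.dump(build_baseline(DEFAULT_WATCH), f, indent=1, sort_keys=True)
        print(f"wrote baseline to {store}; copy it to read-only/offline media")
        return 0
    with open(store) as f:
        old = json.load(f)
    diff = compare(old, build_baseline(DEFAULT_WATCH))
    print(f"loadable module support present: {modules_enabled()}")
    for kind in ("modified", "added", "removed"):
        for p in diff[kind]:
            print(f"{kind:9s} {p}")
    return 1 if any(diff.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The baseline is only as trustworthy as the host that produced it and the medium it is stored on: take it from a clean install or a boot from known-good media, keep the JSON file off the machine, and run the verify step from that same trusted boot rather than from the possibly compromised kernel, since a module-based rootkit can lie to any userland tool that runs under it.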
Current thread:
- Break-in attempt from 203.197.38.247 Cronje Schalk (Aug 22)
- Re: Break-in attempt from 203.197.38.247 M ixter (Aug 23)
- Re: Break-in attempt from 203.197.38.247 Valdis Kletnieks (Aug 23)
- Re: Break-in attempt from 203.197.38.247 Nick Phillips (Aug 24)
- Re: Break-in attempt from 203.197.38.247 Valdis Kletnieks (Aug 24)
- Re: Break-in attempt from 203.197.38.247 Jason Storm (Aug 24)
- Re: Break-in attempt from 203.197.38.247 Nick Phillips (Aug 24)
- <Possible follow-ups>
- Re: Break-in attempt from 203.197.38.247 Fernando Cardoso (Aug 24)
- Re: Break-in attempt from 203.197.38.247 Richard Fein (Aug 25)
- Re: Break-in attempt from 203.197.38.247 Ian Eure (Aug 25)