Re: Break-in attempt from 203.197.38.247

[Ian Eure <ieure () SICKFUCK ORG>]

On Fri, 25 Aug 2000, Richard Fein wrote:

> > -----Original Message-----
> > From: Jason Storm [mailto:sec () ORGONE NEGATION NET]
> > Sent: Friday, August 25, 2000 12:23 AM
> > To: INCIDENTS () SECURITYFOCUS COM
> > Subject: Re: Break-in attempt from 203.197.38.247
> >
> >
> > if youre running a kernel that allows loadable modules, you cant trust
> > anything.
> >
> > even if youre not, if you havent tripwired your kernel, you
> > cant be sure
> > the attacker didnt replace it with one that supports modules.
> >
> > modular rootkits are nothing exotic.  anyone who has examined many
> > compromised linux boxes and not bumped into them probably is
> > not looking
> > correctly.
> >
> > -jason storm
> >  negation industries
>
>  I'm not sure whether this is appropriate for the list, but this has come up
> a number of times over here recently, with no good answers. What ARE the
> correct ways to look for kernel mod based rootkits on a (possibly) hacked
> linux box? Are there any real tell tale signs or solutions?
as far as i know, the only way is to boot from some secure media and
examine the drive by hand. if there's a cloaking module that gets loaded
at boot time, it has to be on the drive somewhere.

don't know if it's possible, but it would be really cool if there was a
program that would compare the running kernel image with a known-good copy
on read-only media to make sure the in-memory image hasn't been fiddled
with.

--
 ______________________________________________
| "the whole scale of cosmic dimensions are falling from my mouth
| in the description of a kiss of the interimlovers"
|   - einsturzende neubaten, "interim"