Re: LKM Trojan installed
From: Nathan Yocom (nate@yocom.org)
Date: 02/08/03
- Previous message: Bruce Garlock: "Re: LKM Trojan installed"
- In reply to: Zow: "Re: LKM Trojan installed"
- Next in thread: Craig Holmes: "Re: LKM Trojan installed"
- Reply: Craig Holmes: "Re: LKM Trojan installed"
- Reply: Peter Kirby: "Re: LKM Trojan installed"
From: Nathan Yocom <nate@yocom.org> To: focus-linux@securityfocus.com Date: 07 Feb 2003 23:08:47 -0500
> > which isn't backdoored. Only problem with this is, once it is on your
> > potentially infected box, its output can no longer be trusted, as one of
> > those 69 processes could maim the output of your new ps, not to mention how
> > easily a kernel backdoor [LKM, kernel patch (hard or /dev/kmem)] could do.
If a user were to gain local root privileges, it is also possible that
he/she has loaded/forced a kernel module also. Check your modules
directory and files to see what is being loaded (off the network). It
could be that ps and /proc agree, but the kernel is not reporting
correctly to either (given that a rogue module is loaded). You could
also compile a kernel from clean source and boot with it (off the
network) then check binaries to be sure they md5 up correctly.
-- Nathan Yocom <nate@yocom.org>
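The three checks Nathan lists (compare what ps reports against /proc, look at which modules the kernel says are loaded, and verify binaries against known-good md5 sums after booting a clean kernel) written out as a POSIX shell script. This is an added example, not code from the original post or the thread; the function names, the md5 manifest format ("sum  path", as md5sum prints it) and the sample data in the comments are assumptions. The script only reads /proc and files on disk, so it can run on a box that is off the network.

```shell
#!/bin/sh
# Added example: host cross-checks in the spirit of the post above.
# Assumed layout: a known-good manifest built on a clean box, one
# "md5sum  /path/to/binary" line per file. Run after booting a kernel
# built from clean source, with the box off the network.

# PIDs as reported by a ps-style listing on stdin (e.g. `ps -e -o pid=`).
# Header words such as "PID" are dropped; only numeric lines survive.
pids_from_ps() {
    tr -d ' ' | grep -E '^[0-9]+$' | sort
}

# PIDs as the kernel exposes them: numeric directory names under /proc
# (or under another directory, handed in as $1, for testing).
pids_from_proc() {
    ls -1 "${1:-/proc}" | grep -E '^[0-9]+$' | sort
}

# Lines present in file $2 but absent from file $1, matched whole and
# literally. Used both for "PIDs /proc knows but ps does not" and for
# "modules loaded that are not on the expected list".
lines_not_in() {
    grep -vxF -f "$1" "$2"
}

# Module names from a /proc/modules-format file (first field per line).
# Caveat from the post: a rogue module can hide itself from this list,
# which is why the clean-kernel boot matters more than this check.
list_modules() {
    awk '{ print $1 }' "${1:-/proc/modules}"
}

# Verify every "sum  path" line of manifest $1 with md5sum.
# Prints "MISMATCH <path>" for each bad file; returns 1 if any mismatch.
verify_manifest() {
    manifest="$1"
    rc=0
    while read -r sum path; do
        [ -z "$sum" ] && continue
        actual=$(md5sum "$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            printf 'MISMATCH %s\n' "$path"
            rc=1
        fi
    done < "$manifest"
    return $rc
}

# Stand-alone usage on a live system (assumed paths):
#   ps -e -o pid= | pids_from_ps > /tmp/ps_pids
#   pids_from_proc > /tmp/proc_pids
#   lines_not_in /tmp/ps_pids /tmp/proc_pids      # PIDs ps is hiding
#   list_modules | sort > /tmp/mods_now
#   lines_not_in /path/to/expected_modules /tmp/mods_now
#   verify_manifest /path/to/known_good.md5
```

A PID that appears under /proc but not in ps output is the classic sign of a trojaned ps; the converse (ps and /proc agreeing) proves nothing if the kernel itself is lying, which is Nathan's point. The manifest should be generated on a clean install of the same package versions and kept off the suspect box, and md5 is used here only because it is what the post refers to; a stronger digest is the better choice today.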
- Next message: terry white: "Re: LKM Trojan installed"