Re: LKM Trojan installed

From: Zow (zow@llnl.gov)
Date: 02/11/03

    To: Brian Hatch <focus-linux@ifokr.org>
    Date: Tue, 11 Feb 2003 08:25:12 -0800
    From: "Zow" Terry Brugger <zow@llnl.gov>
    
    

    > Of course, if the cracker has gotten root, they can chattr it right
    > back. In fact, the first thing I'd do as an attacker is to find all
    > chattr'd files on the filesystem since they're probably important.

    I seem to recall a few years back reading about a utility that sets the
    kernel such that attributes can not be further modified until the box is
    rebooted. Can anyone confirm, hopefully with a pointer?

    Terry

    import StandardDisclaimer


