Re: LKM Trojan installed

From: Zow (
Date: 02/11/03

  • Next message: "Re: LKM Trojan installed"
    To: Brian Hatch <>
    Date: Tue, 11 Feb 2003 08:25:12 -0800
    From: "Zow" Terry Brugger <>

    > Of course, if the cracker has gotten root, they can chattr it right
    > back. In fact, the first thing I'd do as an attacker is to find all
    > chattr'd files on the filesystem since they're probably important.

    I seem to recall a few years back reading about a utility that sets the
    kernel such that attributes can not be further modified until the box is
    rebooted. Can anyone confirm, hopefully with a pointer?


    import StandardDisclaimer

    Relevant Pages

    • Re: Tar pitting automated attacks
      ... These days attackers use distributed networks of cracked PCs ... Most of the time the cracker spends is in adding new ... > doing more damage to the cracker's distributed network by your SSH ... The attacker is banging away ...
    • Re: LKM Trojan installed
      ... >> Of course, if the cracker has gotten root, they can chattr it right ... things he/she did was to look for chattr'd binaries. ...
    • Re: SSH attack
      ... - how do you know its not a script kiddie on Mars ... > This might not work if the attacker has already entered the system and ... - if you do NOT know how to kick off a cracker from a PC, ... == time for you change the way you use ssh and/or the way you ...
    • Re: Has my webserver been hacked?
      ... >> the cracker figures you're most likely to be in bed, ... need listening port and server daemon so nmap can't detect. ... Attacker is running a server ... client post the encrypted result of `ls` to attackers web site. ...