Re: LKM Trojan installed

From: Brian Hatch (
Date: 02/11/03

  • Next message: Brian Hatch: "Re: LKM Trojan installed"
    Date: Tue, 11 Feb 2003 08:34:52 -0800
    From: Brian Hatch <>
    To: Zow Terry Brugger <>

    > > Of course, if the cracker has gotten root, they can chattr it right
    > > back. In fact, the first thing I'd do as an attacker is to find all
    > > chattr'd files on the filesystem since they're probably important.
    > I seem to recall a few years back reading about a utility that sets the
    > kernel such that attributes can not be further modified until the box is
    > rebooted. Can anyone confirm, hopefully with a pointer?

    IIRC, the ext2/ext3 code checks for CAP_LINUX_IMMUTABLE before allowing
    changes to immutable and append only flags. So if you remove this from
    your capability bounding set you are probably fine. On 2.4 kernels
    you'd need to remove CAP_SYS_MODULE too, s.t. root can't re-enable

    Usually if I need to have immutable files, I go the whole way and
    patch the kernel to use a hardened security module[1]. Besides, chattr
    doesn't work on non ext2/ext3 filesystems, and I have reiserfs on
    many systems.

    [1] LIDS, Grsecurity, yada yada yada.

    Brian Hatch                  "I thought the purpose of filing
       Systems and                these reports was to provide
       Security Engineer          accurate intelligence."  "Vir, intelligence has nothing to
                                  do with politics."
    Every message PGP signed