Re: LKM Trojan installed

From: Brian Hatch (
Date: 02/11/03

  • Next message: Brian Hatch: "Re: LKM Trojan installed"
    Date: Tue, 11 Feb 2003 08:34:52 -0800
    From: Brian Hatch <>
    To: Zow Terry Brugger <>

    > > Of course, if the cracker has gotten root, they can chattr it right
    > > back. In fact, the first thing I'd do as an attacker is to find all
    > > chattr'd files on the filesystem since they're probably important.
    > I seem to recall a few years back reading about a utility that sets the
    > kernel such that attributes can not be further modified until the box is
    > rebooted. Can anyone confirm, hopefully with a pointer?

    IIRC, the ext2/ext3 code checks for CAP_LINUX_IMMUTABLE before allowing
    changes to immutable and append only flags. So if you remove this from
    your capability bounding set you are probably fine. On 2.4 kernels
    you'd need to remove CAP_SYS_MODULE too, s.t. root can't re-enable

    Usually if I need to have immutable files, I go the whole way and
    patch the kernel to use a hardened security module[1]. Besides, chattr
    doesn't work on non ext2/ext3 filesystems, and I have reiserfs on
    many systems.

    [1] LIDS, Grsecurity, yada yada yada.

    Brian Hatch                  "I thought the purpose of filing
       Systems and                these reports was to provide
       Security Engineer          accurate intelligence."  "Vir, intelligence has nothing to
                                  do with politics."
    Every message PGP signed

    Relevant Pages

    • Re: [00/41] Large Blocksize Support V7 (adds memmap support)
      ... kernel and already must have fallbacks.... ... I don't agree with using higher order pages to fix SLUB vs SLAB performance ... as well as something the filesystem people recommend to get good coverage ...
    • kernel BUG at mm/slab.c:610
      ... I'm experimenting this kernel panic on 3 different ... I don't think this is related to buggy hardware ... Filesystem "hda1": Disabling barriers, not supported by the ... # ACPI Support ...
    • Re: [RFC][PATCH] VFS: update documentation (take #2)
      ... > filesystem interface to userspace programs. ... > abstraction within the kernel which allows different filesystem ... > a pointer to the dentry and a set of file operation member functions. ... called when the VFS needs to get filesystem statistics. ...
    • kernel BUG at mm/slab.c:607 in
      ... kernel message event are written to /var/log/syslog). ... Allocating PCI resources starting at 10000000 ... Filesystem "hda1": Disabling barriers, ... EIP is at free_block+0xe2/0x100 ...
    • Re: booting without initrd
      ... One important job of the initrd is to load ... drivers which aren't compiled directly into the base kernel image. ... may be a good exercise to learn about the kernel/root filesystem startup; ... grub gets confused when you use the vmalloc and mem kernel parameters. ...