Re: chkrootkit and LKM?

From: Tim Greer (chatmaster_at_charter.net)
Date: 06/22/03

    To: "Andrew Ruef" <jabberwocky@mediasoft.net>, <incidents@securityfocus.com>
    Date: Sat, 21 Jun 2003 15:22:43 -0700
    
    

    Yes, definitely. I use the grsecurity patch on all the systems I build
    personally, as well as the company I work for--which involves hundreds of
    shared and dedicated server clients. I highly recommend it as a default
    patch to work with.

    --
    Regards,
    Tim Greer  chatmaster@charter.net
    Server administration, security, programming, consulting.

    ----- Original Message -----
    From: "Andrew Ruef" <jabberwocky@mediasoft.net>
    To: <incidents@securityfocus.com>
    Sent: Thursday, June 19, 2003 8:34 PM
    Subject: RE: chkrootkit and LKM?

    Actually the best way to do that is to turn off module support within
    the kernel and then use some device (the grsecurity kernel patches and
    the StJude LKM both have these) to close down things like access to
    /dev/kmem, /dev/ports, privileged I/O, so on. This closes down other
    avenues for code to be loaded into the kernel.

    A. Ruef

    -----Original Message-----
    From: Tim Greer [mailto:chatmaster@charter.net]
    Sent: Wednesday, June 18, 2003 12:22 PM
    To: Rob Shein; 'Janus N. Tøndering'; incidents@securityfocus.com
    Subject: Re: chkrootkit and LKM?

    > ----- Original Message -----
    > From: "Rob Shein" <shoten@starpower.net>
    > To: "'Tim Greer'" <chatmaster@charter.net>; "'Janus N. Tøndering'" <janus@bananus.dk>; <incidents@securityfocus.com>
    > Sent: Wednesday, June 18, 2003 12:47 AM
    > Subject: RE: chkrootkit and LKM?
    >
    > This won't help if it's an LKM...LKM stands for "Linux Kernel Module,"

    For some reason, I just saw 'chrootroot' and not LKM; hence my response.
    Anyway, I always recommend people not compile in loadable module support
    if they want a more secure kernel and to avoid this type of problem in
    the future.

    --
    Regards,
    Tim Greer  chatmaster@charter.net
    Server administration, security, programming, consulting.
    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists.  See for yourself what the buzz is about!
    Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
    ----------------------------------------------------------------------------
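
A build-time check for the hardening described in this thread, added here as an example and not code from any of the posters: it reads a kernel `.config` and reports which of the named code-loading avenues are still compiled in. The option names (`CONFIG_MODULES`, `CONFIG_DEVKMEM`, `CONFIG_DEVPORT`, `CONFIG_DEVMEM`, `CONFIG_STRICT_DEVMEM`) are mainline Kconfig symbols from kernels later than this 2003 thread, and the function names and sample config are constructed for illustration.

```shell
# Added example: audit a kernel build config for code-loading avenues.
# cfg_state FILE OPTION -> prints y, m, or n (n when unset or absent)
cfg_state() {
    v=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${v:-n}"
}

# audit_kernel_config FILE -> one "OPEN:" or "ok:" line per avenue;
# the exit status is the number of avenues still open.
audit_kernel_config() {
    cfg=$1; open=0
    for pair in \
        "CONFIG_MODULES:loadable module support" \
        "CONFIG_DEVKMEM:/dev/kmem kernel memory device" \
        "CONFIG_DEVPORT:/dev/port I/O port device"; do
        opt=${pair%%:*}; what=${pair#*:}
        if [ "$(cfg_state "$cfg" "$opt")" != n ]; then
            echo "OPEN: $what ($opt enabled)"; open=$((open + 1))
        else
            echo "ok: $what ($opt not set)"
        fi
    done
    # /dev/mem is acceptable only when STRICT_DEVMEM restricts it.
    if [ "$(cfg_state "$cfg" CONFIG_DEVMEM)" != n ] &&
       [ "$(cfg_state "$cfg" CONFIG_STRICT_DEVMEM)" = n ]; then
        echo "OPEN: unrestricted /dev/mem (CONFIG_STRICT_DEVMEM not set)"
        open=$((open + 1))
    else
        echo "ok: /dev/mem absent or restricted"
    fi
    return "$open"
}

# Constructed sample config (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_MODULES=y
# CONFIG_DEVKMEM is not set
CONFIG_DEVPORT=y
CONFIG_DEVMEM=y
CONFIG_STRICT_DEVMEM=y
EOF
audit_kernel_config "$sample" || echo "$? avenue(s) still open"
rm -f "$sample"
```
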
    
