Re: LKM
From: Cedric Blancher (blancher@cartel-info.fr)
Date: 12/20/01
From: Cedric Blancher <blancher@cartel-info.fr> Date: Thu, 20 Dec 2001 08:48:41 +0000 (UTC)
In his prose, uzon (asb23@hotmail.com) wrote to us:
> how is it possible to detect a malicious LKM?
Yes, most of them.
> I saw something with KSTAT but it wasn't too clear.
You can look at exported symbols.
See http://www.chkrootkit.org/
And, to avoid them, build your kernel _without_ module support and
disable /dev/kmem and stuff with a patch like LIDS to prevent an LKM from
being force-loaded.
-- BOFH excuse #55: Plumber mistook routing panel for decorative wall fixture
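One way to act on the "look at exported symbols" advice in the message above, as an added example that is not part of the original post or of chkrootkit or KSTAT: compare the running kernel's symbol listing against a trusted baseline and flag core symbols whose address moved, plus symbols owned by modules nobody expected. The listings, the module names and the `audit` helper are constructed for illustration; the line format assumed is the `address type name [module]` layout of System.map and /proc/kallsyms.

```python
import re

# Constructed sample data (not taken from a real system).
BASELINE = """\
c0100000 T _stext
c0105a20 T sys_open
c0105b40 T sys_read
"""
CURRENT = """\
c0100000 T _stext
c0105a20 T sys_open
d0a41060 T sys_read
d0a41000 t mod_init\t[unknownmod]
d0812000 t e100_probe\t[e100]
"""
ALLOWED_MODULES = {"e100"}  # modules the administrator expects to be loaded

# "<hex address> <type> <name>" with an optional "[module]" suffix.
LINE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)(?:\s+\[(\S+)\])?$")

def parse(listing):
    """Return {name: (address, module_or_None)} for each well-formed line."""
    symbols = {}
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if m:
            addr, _type, name, module = m.groups()
            symbols[name] = (int(addr, 16), module)
    return symbols

def audit(baseline, current, allowed_modules):
    """Return sorted findings: moved core symbols and unexpected modules."""
    base, cur = parse(baseline), parse(current)
    findings = []
    for name, (addr, module) in cur.items():
        if module is not None:
            # Symbol belongs to a loadable module: check it is an expected one.
            if module not in allowed_modules:
                findings.append(("unexpected-module", name, module))
        elif name in base and base[name][0] != addr:
            # Core kernel symbol no longer points where the baseline says.
            findings.append(("address-changed", name, hex(addr)))
        elif name not in base:
            findings.append(("not-in-baseline", name, hex(addr)))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT, ALLOWED_MODULES):
        print(*finding)
```

The baseline has to come from trusted media and from the same kernel build; on kernels that randomize their load address, the offset must be accounted for before comparing. A module that tampers with the listing itself will not show up this way.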