[KLUG Members] A kernel Q

Bruce Smith bruce at armintl.com
Fri Sep 10 16:52:34 EDT 2004


> > >I suppose I find these kinds of things rather dubious.  To potentially
> > >exploit the module loading mechanism you have to have already exploited
> > >the box to gain local access - in other words: you're already humped.
> > So do LKM Root Kits really not exist in this universe?
> 
> Sure they do, but as stated - "[to] exploit the module loading mechanism you
> have to have already exploited the box to gain local access - in other words:
> you're already humped."  If they can use a LKM on your firewall - IT IS WAY TOO
> LATE.  You have to have (a) accessed the firewall [ in which case it ain't
> firewalling anymore ] and (b) got a process to run as root [ in which case you're
> already at the reinstall solution ].
> 
> "Intro To Root Kits" - http://lineman.net/article127.html -
> "The only real protection for stopping the use of LKM Trojans is to not use any
> LKM, but this is usually more work in the long run than it's worth. The best
> way to prevent root-kits is by always having your box up to date and fully
> secure"

FWIW, here is some software to scan systems for known root kits:

  http://www.chkrootkit.org/

They list quite a few different root kits.  Not sure how many are LKM.

 - BS
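As an added illustration of the kind of check a rootkit scanner performs (this is example code written for this archive page, not chkrootkit's own code and not part of the original post), the script below cross-checks two kernel views of loaded modules: /proc/modules (what lsmod prints) against the directories under /sys/module. A loadable module that removes itself from the kernel's module list usually still leaves its /sys/module entry behind, and an entry present in the second view but missing from the first is worth investigating. Built-in modules also get a /sys/module directory but no `initstate` file, so those are filtered out to avoid false positives. The sample /proc/modules text and /sys/module listing are constructed for the demonstration; the `read_live_*` helpers show where real data would be read on a Linux host. As the thread notes, a rootkit already running in the kernel can lie to both views, so this is a heuristic, not proof of a clean system.

```python
"""Cross-check /proc/modules against /sys/module to flag modules that are
missing from the kernel's module list. Example code for illustration; not
chkrootkit's implementation. Sample data below is constructed."""

import os
from typing import Dict, List

# Constructed sample of /proc/modules. Field layout per line:
#   name size refcount dependencies state load_address
SAMPLE_PROC_MODULES = """\
ext4 724992 2 - Live 0xffffffffc0a00000
mbcache 16384 1 ext4, Live 0xffffffffc09f0000
e1000 163840 0 - Live 0xffffffffc0980000
"""

# Constructed sample of /sys/module: name -> whether an `initstate` file
# exists (True for loadable modules, False for built-ins). "evil" stands in
# for a loaded module that no longer appears in /proc/modules.
SAMPLE_SYS_MODULE = {
    "ext4": True,
    "mbcache": True,
    "e1000": True,
    "printk": False,   # built-in: has a /sys/module dir but no initstate
    "evil": True,      # loadable module absent from the sample above
}


def parse_proc_modules(text: str) -> Dict[str, tuple]:
    """Parse /proc/modules text into {name: (size, refcount, state)}."""
    modules = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line; skip rather than crash
        name, size, refcount, _deps, state = fields[:5]
        modules[name] = (int(size), int(refcount), state)
    return modules


def hidden_module_candidates(proc_text: str, sys_modules: Dict[str, bool]) -> List[str]:
    """Loadable modules (initstate present) seen in /sys/module but not in
    /proc/modules. Built-ins are excluded since they never appear in the
    latter."""
    listed = set(parse_proc_modules(proc_text))
    loadable = {name for name, has_initstate in sys_modules.items() if has_initstate}
    return sorted(loadable - listed)


def read_live_proc_modules(path: str = "/proc/modules") -> str:
    """Read the real /proc/modules on a Linux host."""
    with open(path, "r", encoding="ascii") as fh:
        return fh.read()


def read_live_sys_modules(root: str = "/sys/module") -> Dict[str, bool]:
    """Map each /sys/module entry to whether it has an initstate file."""
    return {
        name: os.path.isfile(os.path.join(root, name, "initstate"))
        for name in os.listdir(root)
    }


if __name__ == "__main__":
    # Run against the constructed sample; swap in the read_live_* helpers
    # to check a real host.
    suspects = hidden_module_candidates(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULE)
    for name in suspects:
        print(f"module present in /sys/module but not /proc/modules: {name}")
    if not suspects:
        print("no discrepancies between /proc/modules and /sys/module")
```

On the constructed sample the only discrepancy reported is `evil`; `printk` is ignored because it is a built-in. On a real host, run the live helpers as root and treat any hit as a reason to pull the box for reinstall rather than something to clean in place.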
