[KLUG Members] A kernel Q
Bruce Smith
bruce at armintl.com
Fri Sep 10 16:52:34 EDT 2004
> > >I suppose, I find these kinds of things rather dubious. To potentially
> > >exploit the module loading mechanism you have to have already exploited
> > >the box to gain local access - in other words: you're already humped.
> > So do LKM Root Kits really not exist in this universe?
>
> Sure they do, but as stated - "[to] exploit the module loading mechanism you
> have to have already exploited the box to gain local access - in other words:
> you're already humped." If they can use a LKM on your firewall - IT IS WAY TOO
> LATE. You have to have (a) accessed the firewall [ in which case it ain't
> firewalling anymore ] and (b) got a process to run as root [ in which case you're
> already at the reinstall solution ].
>
> "Intro To Root Kits" - http://lineman.net/article127.html -
> "The only real protection for stopping the use of LKM Trojans is to not use any
> LKM, but this is usually more work in the long run than it’s worth. The best
> way to prevent root-kits is by always having your box up to date and fully
> secure"
FWIW, here is some software to scan systems for known root kits:
http://www.chkrootkit.org/
They list quite a few different root kits. Not sure how many are LKM.
- BS
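One cheap consistency check that tools like chkrootkit build on, written here as an added illustration (not code from the list post or from the chkrootkit project): an LKM rootkit that hides itself typically removes its entry from the list that lsmod reads (/proc/modules), but /sys/module is populated from a different kernel structure and often still shows it. The sample /proc/modules text and the sysfs entries below are constructed; the only live-system assumption is that loaded modules expose a /sys/module/<name>/initstate attribute while built-in code does not.

```python
"""Flag kernel modules present in /sys/module but missing from /proc/modules.

Built-in (non-loadable) kernel code can also appear under /sys/module, but
only modules that were actually loaded carry an "initstate" attribute, so
the comparison is restricted to those entries.
"""
import os
from typing import Dict, List, Set

# Constructed sample of /proc/modules (name size refcount deps state address).
SAMPLE_PROC_MODULES = """\
ext4 733184 1 - Live 0xffffffffc0400000
loop 36864 0 - Live 0xffffffffc0300000
nf_conntrack 172032 2 nf_nat,xt_conntrack, Live 0xffffffffc0200000
"""

# Constructed sample of /sys/module: name -> whether <name>/initstate exists.
# "printk" stands in for built-in code (parameters only, no initstate);
# "hidden_mod" is a made-up module name that is absent from /proc/modules.
SAMPLE_SYSFS = {
    "ext4": True,
    "loop": True,
    "nf_conntrack": True,
    "hidden_mod": True,
    "printk": False,
}


def parse_proc_modules(text: str) -> Set[str]:
    """Return the module names (first column) from /proc/modules text."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def loaded_from_sysfs(entries: Dict[str, bool]) -> Set[str]:
    """Keep only sysfs entries that have initstate, i.e. real loaded modules."""
    return {name for name, has_initstate in entries.items() if has_initstate}


def hidden_modules(proc_text: str, entries: Dict[str, bool]) -> List[str]:
    """Modules sysfs says are loaded but /proc/modules does not list."""
    return sorted(loaded_from_sysfs(entries) - parse_proc_modules(proc_text))


def read_live_sysfs(root: str = "/sys/module") -> Dict[str, bool]:
    """Build the name -> has_initstate map from a real /sys/module tree."""
    result = {}
    for name in os.listdir(root):
        result[name] = os.path.exists(os.path.join(root, name, "initstate"))
    return result


if __name__ == "__main__":
    # Demonstrate on the constructed data; then, on Linux, check the live box.
    print("sample:", hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYSFS))
    if os.path.isdir("/sys/module") and os.path.exists("/proc/modules"):
        with open("/proc/modules") as fh:
            live = hidden_modules(fh.read(), read_live_sysfs())
        print("live:", live or "no discrepancies")
```

A non-empty result is a lead to investigate, not proof of compromise (out-of-tree drivers that behave oddly show up too), and an empty result is not proof of a clean box: a rootkit with kernel privileges can hook the sysfs path as well, which is exactly the list's point that once an attacker can load modules as root you are already past the point where on-box checks can be trusted.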