Re: chkrootkit and LKM?

From: Valdis.Kletnieksat_private
Date: Tue Jun 17 2003 - 21:39:53 PDT

Next message: Joe Stewart: "sdbot variant and port 55808 activity"

Previous message: Taylor, David: "RE: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log f ile...)"
In reply to: Blade Runner: "Re: chkrootkit and LKM?"
Next in thread: Tim Greer: "Re: chkrootkit and LKM?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 17 Jun 2003 16:47:52 -0300, Blade Runner <bladeat_private>  said:

> If possible, do not allow Loadable module support , maybe this can avoid
> future problems with lkm.

Please note that even if the kernel is built without loadable module support,
it is still possible to insert a module into the kernel - it just requires
a bit more effort on the part of the programmer.

Silvio Cesare's paper on doing this:
http://www.l0t3k.org/biblio/kernel/english/runtime-kernel-kmem-patching.txt

More than you ever wanted to know:

http://packetstormsecurity.nl/docs/hack/LKM_HACKING.html

application/pgp-signature attachment: stored

Next message: Joe Stewart: "sdbot variant and port 55808 activity"
Previous message: Taylor, David: "RE: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log f ile...)"
In reply to: Blade Runner: "Re: chkrootkit and LKM?"
Next in thread: Tim Greer: "Re: chkrootkit and LKM?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jun 18 2003 - 08:37:04 PDT