[8195] in linux-scsi channel archive
Re: recovery behaviour with 1 bad + 1 good drive (aic7xxx)
daemon@ATHENA.MIT.EDU (Ricky Beam)
Wed Feb 23 19:58:53 2000
Date: Wed, 23 Feb 2000 15:41:22 -0500 (EST)
From: Ricky Beam <jfbeam@bluetopia.net>
To: Matthias Andree <ma@dt.e-technik.uni-dortmund.de>
Cc: linux-scsi@vger.rutgers.edu
In-Reply-To: <20000223194209.C5399@krusty.e-technik.uni-dortmund.de>
Message-ID: <Pine.LNX.4.04.10002231525040.12259-100000@beaker>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Wed, 23 Feb 2000, Matthias Andree wrote:
>> Hmm, I smell a kernel module coming on. (Have you ever heard of the module
>> called "heroine" ? :-))
>
>No, sorry, what's that about? Don't answer "drugs" or "rock'n roll" ;-)
Some years ago, phrack published an "attack" on linux via modules. This
was nothing new at all.
Heroine is a kernel module demonstrating the power and inherent danger of
kernel modules. This creature modified the syscall dispatch table to
redirect certain syscalls to it's code. The net result was hiding itself.
It would not show up in the module table and even blocked the module
remove call should you "blind rmmod" it -- rmmod checks to see that the
requested module is loaded first. It also did a few things to readdir()
and friends to hide files.
I say this was nothing new _to me_. I had written something similar, albeit
for a specific, useful task, almost a year earlier. My toy was a process
destroyer. Any task in an uninterruptable state cannot be killed as it
will not process signals in that state. My tool was a little more
"persuasive" :-) It obviously has it's side effects -- nuking an X app
would freak out the X server and leave all it's windows up. (I built a
tool to take care of that too, but it got lost with a bad hard drive.)
[The AFS cache managers have some satanic deal with their kernel half to
keep them in an uninterrutpable state. That makes it hard to restart
the cache manager :-)]
The kernel module mentioned as tickling my olfactory nerves is of the
same flavor. However, it would destroy all references to a selected
scsi disk. (A far simpler task indeed.)
--Ricky
PS: I hope everyone understands why none of these "toys" were ever published
or even mentioned (until now.)
PPS: That's also why I never published my SCSI disk low-level formater.
(If script kiddies knew how easy it is to destroy a drive, we'd ALL
be in it deap.)
-
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@vger.rutgers.edu
