[1646] in linux-security and linux-alert archive
[linux-security] Re: Re: Malicious Linux modules
daemon@ATHENA.MIT.EDU (Illuminatus Primus)
Sat Oct 11 04:18:48 1997
Date: Fri, 10 Oct 1997 12:08:11 -0400 (EDT)
From: Illuminatus Primus <vermont@gate.net>
To: "linux-security@redhat.com" <linux-security@redhat.com>
Cc: Peter W <peterw@clark.net>, "bugtraq@netspace.org" <bugtraq@netspace.org>
In-Reply-To: <199710091516.KAA19281@dancer.1stnet.com>
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
On Thu, 9 Oct 1997, Runar Jensen wrote:
> In message <199710091142.HAA29040@mail.clark.net>, "Peter W" writes:
>
> Once root access is gained, the module could very well be compiled and placed
> anywhere on the drive (like a home directory), loaded, and _then_ moved to
> /lib/modules. At that point the module will already be invisible to Tripwire.
> (This, of course, assumes that the intruder is smart enough to first get in
> and get root without setting off any alarms. :) I am not sure how Tripwire is
> started after a reboot, but I do believe that the default modules will be
> loaded before it does.
>
>
> .../ru
An easy way to defeat this module is to build a boot&root disk with
uncontaminated binaries, and keep it write protected and away from the
evil hackers. Then, whenever you wanted to check your system, you could
boot from this pristine disk, mount your potentially hacked partitions,
and run tripwire. This would defeat any boot sector, kernel, and userspace
trickery .. something the antivirus people learned a while ago.
I suppose you will need a separate writeable disk to write the checksums
too..
But then, if the hacker breaks into your hardware, you can't trust a boot
disk either :)
-vermont@gate.net , mongoloid programmer
[mod: Against every "attack" there are possible counter attacks. So
please cut out the "but if the module does that, I can use this to
detect it" followed by the inevetable "But then I can make the module
hide from that by adding ...." If you have a site that requires
continued safety from hackers, make sure it is secure from the first
moment it touches the internet, and keep a close watch. Re-install on
the first suspicion. -- REW]
--
----------------------------------------------------------------------
Please refere to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null