[25121] in bugtraq
Re: An alternative method to check LKM backdoor/rootkit
daemon@ATHENA.MIT.EDU (Paul Starzetz)
Wed Apr 17 20:39:35 2002
Message-ID: <3CBD7E92.7010600@starzetz.de>
Date: Wed, 17 Apr 2002 15:54:26 +0200
From: Paul Starzetz <paul@starzetz.de>
MIME-Version: 1.0
To: Wang Jian <lark@marsec.net>, bugtraq@securityfocus.com
Content-Type: text/plain; charset=GB2312
Content-Transfer-Encoding: 7bit
Wang Jian wrote:
>THE ALTERNATIVE METHOD
>
>Our alternative method uses the first style: to find the differences
>between the fake view and the real view.
>
>We read the raw disk and traverse the filesystem on disk, bypassing the
>live filesystem, and create a real view of the files on disk; then we
>traverse the live filesystem to get the fake view. Comparing the two
>views, we can find the differences. We will find the stealth files.
>
Be sure that this will be fixed in the next 'generation' of LRKMs.
Patching the device methods for disk special nodes is not a big deal -
why not incorporate even your code into one of the nice LRKMs? You
probably found a weakness of 'current' LRKMs, but in general it is a bad
idea to check your machine while running a compromised kernel.
/ih
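The differential-view check quoted above, as an added example (not Wang Jian's tool and not part of this thread): the "real" view is read off the block device with e2fsprogs' debugfs, the "live" view comes from the running kernel, and the two are diffed. It assumes the `ls -p` output format `/inode/mode/uid/gid/name/size/` (empty size field for directories) that debugfs prints, an ext2/3/4 device, root privileges for the live run, and a directory path relative to the filesystem root (which equals the absolute path only when the device is mounted at `/`). The debugfs and live listings embedded below are constructed sample data.

```python
"""Differential file-system view: on-disk (debugfs) listing vs. live kernel listing.

Added example, not code from the original post.  Assumed: debugfs 'ls -p'
prints '/inode/mode/uid/gid/name/size/' with an empty size field for
directories; the device is ext2/3/4; debugfs runs as root.
"""
import os
import stat
import subprocess
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    inode: int
    mode: int
    size: Optional[int]          # None for directories


def parse_debugfs_ls_p(output: str) -> dict:
    """Parse 'debugfs -R "ls -p DIR" DEV' output into {name: Entry}."""
    entries = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("/"):
            continue                      # version banner, warnings
        # '/ino/mode/uid/gid/name/size/' -> ['ino','mode','uid','gid','name','size','']
        # directories print an empty size field: '/ino/mode/uid/gid/name//'
        fields = line[1:].split("/")
        if len(fields) < 6:
            continue
        ino, mode, _uid, _gid, name, size = fields[:6]
        inode = int(ino)
        if inode == 0 or name in (".", ".."):
            continue                      # deleted slot or self/parent links
        mode_bits = int(mode, 8)
        size_val = None if stat.S_ISDIR(mode_bits) or not size else int(size)
        entries[name] = Entry(inode, mode_bits, size_val)
    return entries


def real_view(device: str, directory: str) -> dict:
    """On-disk listing read by debugfs, bypassing the live VFS (needs root)."""
    proc = subprocess.run(["debugfs", "-R", f"ls -p {directory}", device],
                          capture_output=True, text=True, check=True)
    return parse_debugfs_ls_p(proc.stdout)


def live_view(directory: str) -> dict:
    """What the running (possibly backdoored) kernel reports for the same directory."""
    entries = {}
    for name in os.listdir(directory):
        st = os.lstat(os.path.join(directory, name))
        entries[name] = Entry(st.st_ino, st.st_mode,
                              None if stat.S_ISDIR(st.st_mode) else st.st_size)
    return entries


def diff_views(real: dict, live: dict) -> dict:
    """Names that differ between the two views, by category."""
    hidden = sorted(n for n in real if n not in live)      # on disk, not shown
    phantom = sorted(n for n in live if n not in real)     # shown, not on disk
    mismatched = sorted(                                   # same name, different object
        n for n in real if n in live
        and (real[n].inode != live[n].inode
             or real[n].mode != live[n].mode
             or (real[n].size is not None and live[n].size is not None
                 and real[n].size != live[n].size)))
    return {"hidden": hidden, "phantom": phantom, "mismatched": mismatched}


# Constructed sample: debugfs output for a directory as it exists on disk.
SAMPLE_DEBUGFS = """\
debugfs 1.46.5 (30-Dec-2021)
/2/040755/0/0/.//
/2/040755/0/0/..//
/12/040755/0/0/bin//
/13/040755/0/0/etc//
/1601/100755/0/0/ps/97896/
/1702/100644/0/0/.sniffer.log/20480/
/1703/040700/0/0/.hidden//
/1704/100644/0/0/messages/131072/
"""

# Constructed sample: the live view, with two names missing and one file shorter.
SAMPLE_LIVE = {
    "bin": Entry(12, 0o040755, None),
    "etc": Entry(13, 0o040755, None),
    "ps": Entry(1601, 0o100755, 97896),
    "messages": Entry(1704, 0o100644, 98304),
}


def demo() -> dict:
    return diff_views(parse_debugfs_ls_p(SAMPLE_DEBUGFS), SAMPLE_LIVE)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:    # e.g. sudo python3 fsdiff.py /dev/sda1 /sbin
        result = diff_views(real_view(sys.argv[1], sys.argv[2]), live_view(sys.argv[2]))
    else:
        result = demo()
    for kind, names in result.items():
        print(f"{kind:>10}: {names}")
```

On the constructed sample this reports `.hidden` and `.sniffer.log` as hidden and `messages` as mismatched (the live size is smaller than the on-disk size). The caveat Starzetz raises applies directly: both views are produced by the same kernel, so a module that also hooks the block device's read path hands debugfs the same fake view. The comparison is only trustworthy when the device is read under a kernel you trust, e.g. from boot media or with the disk attached to another machine.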