
Re: LKM Trojan installed

From: Peter Kirby <peter.ml(at)psychonet.co.uk>
Date: Mon Feb 10 2003 - 15:46:24 EST

From: "Nathan Yocom" <nate@yocom.org>
> If a user was to gain local root privileges, it is also possible that

Not only off network, but boot from a separate boot disk. There is a popular rootkit in use now that uses two modules. One of them hides as many files/processes as you (well, they) want, at the kernel level. The next one hides the last loaded module from the modules list. If used well, this rootkit can go undetected more so than many others since there would be NO outward signs. I can't even remember how I spotted this when it got on one of my boxes. But that was how they hid it. They were a bit rubbish in their choice of files to hide though, IIRC.

I was lucky in that I found the whole install folder and script they used to install the kit and could reverse it all without a re-install. But the best advice is to re-install in this kind of event.

Received on Tue Feb 11 11:23:17 2003
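Two of the cross-checks a defender can run on a live host against the hiding described in this thread, added here as an example (not code from the original post; it assumes a Linux host with procfs and sysfs mounted at the paths shown):

```python
# Each check compares two views of the same kernel state. A kernel-level
# hider that filters only one view (e.g. the readdir() listing of /proc,
# or the /proc/modules text) leaves a difference between them.
import os

PROC = "/proc"
SYS_MODULE = "/sys/module"

def listed_pids(proc=PROC):
    """PIDs that a directory listing of /proc reports (what ps/ls see)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def probed_pids(max_pid, proc=PROC):
    """PIDs that answer a direct /proc/<pid> lookup, without readdir()."""
    found = set()
    for pid in range(1, max_pid + 1):
        if os.path.exists(f"{proc}/{pid}"):
            found.add(pid)
    return found

def hidden_pids(listed, probed):
    """Processes reachable by direct lookup but missing from the listing."""
    return sorted(probed - listed)

def modules_in_proc(path=f"{PROC}/modules"):
    """Module names as /proc/modules (and therefore lsmod) reports them."""
    with open(path) as fh:
        return {line.split()[0] for line in fh if line.strip()}

def modules_in_sysfs(root=SYS_MODULE):
    """Loaded modules according to sysfs. Built-in code also gets a
    /sys/module entry, but only loaded modules carry 'initstate'."""
    return {name for name in os.listdir(root)
            if os.path.exists(f"{root}/{name}/initstate")}

def hidden_modules(proc_view, sysfs_view):
    """Loaded modules visible in sysfs but absent from /proc/modules."""
    return sorted(sysfs_view - proc_view)

if __name__ == "__main__":
    with open(f"{PROC}/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    print("hidden pids:", hidden_pids(listed_pids(), probed_pids(pid_max)))
    print("hidden modules:",
          hidden_modules(modules_in_proc(), modules_in_sysfs()))
```

A process that exits between the listing and the probe shows up as a false positive, so re-run before acting on a hit. A module that hooks both views defeats these checks entirely, which is why the post's advice to inspect the disk from separate boot media still stands.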

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:20 EDT

