On Tue, 27 May 2003 at 11:58:21PM -0500, Jayson Vantuyl wrote:
> He appears to modify the kernel image in memory via /dev/kmem (a
> next-generation LKM attack). I've considered removing /dev/kmem (does
> anything use it?) but I don't know about any side effects (and it
> doesn't prevent him mknod'ing it). It appears he actually has some sort
> of kernel-level TTY logger *AND* a kernel-hack to hide files and
> processes. The only comfort in this is that some of our kernels are
> apparently so exotic that his meddling crashes the machine during the
> break-in (instead of leaving a more compromised system). In general,
> all of the rootkits are the same flavor (and seem unrelated to the LKM
> stuff).
Assuming he has rooted the box, removing /dev/kmem won't do any good as he can merely recreate it using mknod(1).

--
Phillip Hofmeister

PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #163: RPC_PMAP_FAILURE
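The point made in the reply, that a device node is defined by its major/minor numbers and not by its path, turns into a practical check: a mknod'd copy of /dev/kmem (character device 1,2) or /dev/mem (1,1) placed anywhere else on the filesystem grants the same kernel-memory access, so scan every character device for those numbers and flag any that is not at its expected path. The script below is an added example and is not code from either poster; the major/minor values are the standard Linux ones, while the expected-path list, the pruned directories and the sample nodes are assumptions constructed for the example. Because the original post describes a kernel-level file hider, a scan run on the live compromised kernel can be lied to; run it from a trusted boot medium against the mounted disk.

```python
import os
import stat
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Tuple

# Linux character device numbers: /dev/mem is 1,1 and /dev/kmem is 1,2.
# Any char node carrying these numbers is an alias, whatever it is called.
WATCHED_RDEVS = {os.makedev(1, 1): "mem", os.makedev(1, 2): "kmem"}

# Where those nodes are supposed to live (assumption for this example).
EXPECTED_PATHS = {"/dev/mem", "/dev/kmem"}

# Pseudo-filesystems that contain no real inodes worth scanning (assumption).
PRUNE_DIRS = {"/proc", "/sys"}


@dataclass(frozen=True)
class Node:
    """The three fields of an lstat() result the check needs."""
    path: str
    mode: int   # st_mode: tells a char device from a file or block device
    rdev: int   # st_rdev: packed major/minor, only meaningful for devices


def walk_filesystem(root: str = "/") -> Iterator[Node]:
    """Yield every inode under root. lstat is used so symlinks are reported
    as symlinks, never followed; unreadable directories are skipped."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if dirpath == root:
            dirnames[:] = [d for d in dirnames
                           if os.path.join(root, d) not in PRUNE_DIRS]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            yield Node(path, st.st_mode, st.st_rdev)


def find_rogue_mem_nodes(nodes: Iterable[Node]) -> List[Tuple[str, int, int]]:
    """Return (path, major, minor) for every character device that aliases
    /dev/mem or /dev/kmem but sits somewhere other than its expected path.
    Block devices with major 1 (ramdisks) share the number but not the
    namespace, so the S_ISCHR test is what keeps them out."""
    rogue = []
    for n in nodes:
        if not stat.S_ISCHR(n.mode):
            continue
        if n.rdev in WATCHED_RDEVS and n.path not in EXPECTED_PATHS:
            rogue.append((n.path, os.major(n.rdev), os.minor(n.rdev)))
    return rogue


# Constructed sample (not from a real scan): the legitimate node, an
# unrelated char device, a regular file with a suspicious name, a hidden
# mknod'd copy of kmem, and a block device that happens to share 1,2.
SAMPLE_NODES = [
    Node("/dev/kmem", stat.S_IFCHR | 0o640, os.makedev(1, 2)),
    Node("/dev/null", stat.S_IFCHR | 0o666, os.makedev(1, 3)),
    Node("/tmp/kmem", stat.S_IFREG | 0o644, 0),
    Node("/var/tmp/.x/.k", stat.S_IFCHR | 0o600, os.makedev(1, 2)),
    Node("/usr/lib/.m", stat.S_IFBLK | 0o600, os.makedev(1, 2)),
]


if __name__ == "__main__":
    # Against the sample only the hidden char node is reported; swap in
    # walk_filesystem() to scan a real (ideally offline-mounted) tree.
    for path, major, minor in find_rogue_mem_nodes(SAMPLE_NODES):
        print(f"rogue {WATCHED_RDEVS[os.makedev(major, minor)]} node: "
              f"{path} ({major}:{minor})")
```

The same idea from a shell is `find / -xdev -type c` piped through `stat -c '%t:%T %n'` and grepping for hex major 1 and minor 1 or 2; the Python version is here because it can be fed constructed input and tested without root.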