On 19-02-2014 11:19, Dmitrij D. Czarkoff wrote:
>
> Putting something into LD_PRELOAD is nowhere near hiding it, if not
> completely opposite.
>
> 1. Any competent system administrator will be watching out his
> environment.
>
> 2. The actual assignment should happen somewhere in a fairly limited set
> of files (~/.profile, ~/.kshrc or several locations in /etc). Basic
> mtree check defeats such "hiding". In fact for files in /etc root
> will even receive a pretty mail message the night the addition happens.
>
> 3. echo $LD_PRELOAD
>
> That's not to mention that unless someone logs in as root (which is
> discouraged in favor of sudo), he isn't affected by root's LD_PRELOAD.
>
> So again: there aren't many useful things you can do with this trick. You
> can do some nasty things, but whoever has access to root will be aware
> of your actions very soon. Given that you already assume that you raised
> your privilege to root, basically with your LD_PRELOAD trick you are
> limited to the subset of things you can already do for the similar
> period of time, which means that if you actually spend some time on
> tampering with LD_PRELOAD, you just wasted this time.
>

Oh my, it appears you did not read what I wrote, again. I'll not keep feeding this, but I'll just say that these modern rootkits, even the one mentioned by the OP, do some pretty nasty things to avoid detection. They hook open() so if you try to read some of the files you mentioned, it won't appear on them. It would be as if the file had not been tampered with. They can work for the entire system, not just for the root user.

I personally think that a rootkit using LD_PRELOAD is just lazy. But this is my opinion, which does not mean that I can't discuss the possibility of a rootkit using it, which is exactly what we were doing.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
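The detection gap Giancarlo describes (a hooked open() that shows the administrator an untampered-looking file) can be checked for by reading the same file once through libc and once through raw system calls, because a preloaded library can only interpose libc symbols, not the kernel entry. The following is an added example, not code from this thread or either poster; it assumes Linux (SYS_openat/SYS_read through syscall(2)) and uses a constructed temporary file for its self-check.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define BUFSZ 4096

/* Read up to BUFSZ bytes of path through libc's open()/read(): this is the
 * view a preloaded hook library is able to alter. */
static ssize_t read_via_libc(const char *path, char *buf) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, BUFSZ);
    close(fd);
    return n;
}

/* Same read through raw syscall(2): the kernel's view, which an LD_PRELOAD
 * library cannot interpose. Assumes Linux syscall numbers (openat/read/close). */
static ssize_t read_via_syscall(const char *path, char *buf) {
    long fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY);
    if (fd < 0) return -1;
    long n = syscall(SYS_read, (int)fd, buf, (size_t)BUFSZ);
    syscall(SYS_close, (int)fd);
    return (ssize_t)n;
}

/* 0: both views agree; 1: they differ (something in-process is lying about
 * the file); -1: the file could not be read either way. */
int file_view_mismatch(const char *path) {
    char a[BUFSZ], b[BUFSZ];
    ssize_t na = read_via_libc(path, a), nb = read_via_syscall(path, b);
    if (na < 0 || nb < 0) return -1;
    return (na == nb && memcmp(a, b, (size_t)na) == 0) ? 0 : 1;
}
/* Self-check on a constructed temporary file; expect 0 in a clean process. */
int self_check(void) {
    char path[] = "/tmp/preload-check-XXXXXX";
    const char sample[] = "# constructed sample line for the check\n";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    ssize_t w = write(fd, sample, sizeof sample - 1);
    close(fd);
    int r = (w == (ssize_t)(sizeof sample - 1)) ? file_view_mismatch(path) : -1;
    unlink(path);
    return r;
}
```

Run file_view_mismatch() over the files Dmitrij listed (~/.profile, ~/.kshrc, the /etc locations) and treat any 1 as a finding. A preloaded library could in principle interpose libc's syscall() wrapper as well, so a check that must survive that issues the syscall instruction itself or runs from a statically linked binary.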