[lfs-support] LFS + Rootkits

loki loki at pancevo.rs
Sun Apr 8 23:40:05 PDT 2012

> > ...and a rootkit was installed.
> A very interesting story.  I'm interested how a regular user was able to
> install a rootkit.  I realize that you may not know.

Didn't have the time to analyse that, but I presume through privilege, because
this user had direct access to the running service. Another possibility would
be through kernel modules.

> > When I logged in and tried to ls I saw that ls gave me a segmentation
> > fault error. After some more minutes I saw that there are some files
> > that I didn't install.
> Can you say what the file names/locations were?

Can't remember anymore. I have it saved somewhere. But one of the tools I never
install is netstat. The changed apps were ls, ps, dir. When I analyse it I will
get back to you.

> May I suggest tripwire.  It does require a bit of work when files are
> updated, but will catch this sort of thing.

Am using it, but for this server there was no time to install it. Wanted to do
it later but never had the time. Unfortunately tripwire can't help with a
kernel module.

For me the only real safeguard is chroot, iptables and no kernel modules. For
most servers they aren't needed anyway.
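The thread turns on two points: a file-integrity baseline (what tripwire does) would have flagged the replaced ls/ps and the newly appeared netstat, and a file-level check cannot see a loaded kernel module. The script below is an added example, not code from the thread or from tripwire: it hashes every file under a directory, compares a later run against the saved baseline, and separately compares a list of loaded modules against an allowlist. The directory, file names and the module list at the end are constructed for the demo; on a real host you would point fim_modules at /proc/modules.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal tripwire-style baseline and
# compare, plus a kernel-module allowlist check. Assumes sha256sum, find and awk.
# Limitation: paths containing whitespace would confuse the awk field split.

# Emit one "sha256  path" line per regular file under $1 (the baseline).
fim_baseline() {
    find "$1" -type f -exec sha256sum {} + | sort
}

# Compare the current state of directory $1 against baseline file $2.
# Prints ADDED/MODIFIED/REMOVED lines; returns 1 if anything differs, 0 if not.
fim_check() {
    dir="$1"; baseline="$2"
    current=$(mktemp)
    fim_baseline "$dir" > "$current"
    # FILENAME==ARGV[1] (not the usual FNR==NR) so an empty baseline still works.
    awk 'BEGIN { bad = 0 }
         FILENAME == ARGV[1] { base[$2] = $1; next }   # baseline: hash by path
         { cur[$2] = $1 }                               # current run
         END {
             for (p in cur)
                 if (!(p in base))        { print "ADDED " p;    bad = 1 }
                 else if (cur[p] != base[p]) { print "MODIFIED " p; bad = 1 }
             for (p in base)
                 if (!(p in cur))         { print "REMOVED " p;  bad = 1 }
             exit bad
         }' "$baseline" "$current"
    rc=$?
    rm -f "$current"
    return $rc
}

# Report loaded modules not in allowlist $1 (one module name per line).
# $2 is the modules listing, /proc/modules by default (first field is the name).
# On a kernel built without module support the file is absent: nothing to check.
fim_modules() {
    allow="$1"; modules="${2:-/proc/modules}"
    [ -r "$modules" ] || { echo "no module listing at $modules"; return 0; }
    awk 'BEGIN { bad = 0 }
         FILENAME == ARGV[1] { ok[$1] = 1; next }
         !($1 in ok) { print "UNEXPECTED MODULE " $1; bad = 1 }
         END { exit bad }' "$allow" "$modules"
}

# --- Demo on a constructed directory standing in for /bin ---------------------
demo_dir=$(mktemp -d)
printf 'original ls\n' > "$demo_dir/ls"
printf 'original ps\n' > "$demo_dir/ps"
fim_baseline "$demo_dir" > "$demo_dir.baseline"       # taken while clean

printf 'replaced ls\n' > "$demo_dir/ls"                # binary swapped
printf 'never installed\n' > "$demo_dir/netstat"       # tool that should not exist
echo "--- file integrity ---"
fim_check "$demo_dir" "$demo_dir.baseline" || echo "integrity check FAILED (rc=$?)"

# Constructed module listing in /proc/modules format: name size refcount ...
printf 'ext4 600000 1 - Live 0x0\nsuspicious_mod 16384 0 - Live 0x0\n' > "$demo_dir.modules"
printf 'ext4\n' > "$demo_dir.allow"
echo "--- kernel modules ---"
fim_modules "$demo_dir.allow" "$demo_dir.modules" || echo "module check FAILED (rc=$?)"

rm -rf "$demo_dir" "$demo_dir.baseline" "$demo_dir.modules" "$demo_dir.allow"
```

The baseline itself has to live somewhere the attacker cannot rewrite (read-only media or an off-host copy), otherwise the compare proves nothing; and, as the poster notes, none of this sees code that arrived as a module rather than as a file, which is why fim_modules is a separate check and why building the kernel without module support removes that avenue entirely.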
