[lfs-support] LFS + Rootkits
bruce.dubbs at gmail.com
Mon Apr 9 09:44:31 PDT 2012
>>> ...and a rootkit was installed.
>> A very interesting story. I'm interested how a regular user was able to
>> install a rootkit. I realize that you may not know.
> Didn't have the time to analyse that but I presume through privilege
> Cause this user had direct access to the running service. Another
> possibility would be through kernel modules.
>>> When I logged in and tried to ls I saw that ls gave me a segmentation
>>> fault error. After some more minutes I saw that there are some files
>>> that I didn't install.
>> Can you say what the file names/locations were?
> Can't remember anymore. I have it saved somewhere. But one of the tools
> I never install is netstat. The changed apps were ls, ps, dir. When I analyse
> it I will get back to you.
Yes, I've seen where corrupted versions of those do not display the
hacker's files or processes. One way to get around a corrupted ls is to
use `echo *`.
>> May I suggest tripwire. It does require a bit of work when files are
>> updated, but will catch this sort of thing.
> Am using it but for this server there was no time to install it. Wanted to do
> it later but never had the time. Unfortunately tripwire can't help
> with a kernel module hack.
It can check if a .ko file has changed in any way.
> For me the only real safeguard is chroot, iptables and no kernel
> modules. For most servers they aren't needed anyway.
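The two checks discussed in this exchange (comparing what a possibly trojaned `ls` shows against what the directory syscall returns, which is the idea behind `echo *`, and a tripwire-style hash baseline that also covers `.ko` files) in one script. This is an added example, not code from the thread, from LFS or from tripwire; the directory tree, file names such as `bin/ls` and `lib/modules/example.ko`, and the "trojaned" contents in `run_demo()` are constructed for the demonstration.

```python
import hashlib
import os
import subprocess
import tempfile


def file_fingerprint(path):
    """sha256, size and mode of one file; a symlink is hashed by its target string."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if os.path.islink(path):
        h.update(os.readlink(path).encode("utf-8", "surrogateescape"))
    else:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
    return (h.hexdigest(), st.st_size, st.st_mode)


def take_baseline(roots, suffixes=None):
    """Walk the given roots and fingerprint every file, or only files whose
    name ends in one of `suffixes` (e.g. (".ko",) to watch kernel modules)."""
    base = {}
    for root in roots:
        if os.path.isfile(root):
            base[root] = file_fingerprint(root)
            continue
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if suffixes and not name.endswith(tuple(suffixes)):
                    continue
                p = os.path.join(dirpath, name)
                base[p] = file_fingerprint(p)
    return base


def verify(baseline, roots, suffixes=None):
    """Re-scan and report what was added, removed or changed since the baseline."""
    current = take_baseline(roots, suffixes)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
    }


def names_hidden_by_ls(directory, ls="ls"):
    """Entries the directory syscall returns but the ls binary omits.
    A replaced ls that filters out the intruder's files shows up here; the
    shell's own globbing (`echo *`) gives the same cross-check by hand."""
    kernel_view = {e.name for e in os.scandir(directory)}
    out = subprocess.run([ls, "-A", "-1", "--", directory],
                         capture_output=True, text=True, check=True).stdout
    return kernel_view - set(out.splitlines())


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def run_demo():
    """Constructed scenario: baseline a small tree, then replace a binary,
    patch a module and drop an extra file, and see what verify() reports."""
    root = tempfile.mkdtemp(prefix="baseline-demo-")
    bin_dir = os.path.join(root, "bin")
    mod_dir = os.path.join(root, "lib", "modules")
    os.makedirs(bin_dir)
    os.makedirs(mod_dir)
    for name in ("ls", "ps", "dir"):
        _write(os.path.join(bin_dir, name), b"good-" + name.encode())
    _write(os.path.join(mod_dir, "example.ko"), b"good-module")

    base = take_baseline([root])
    clean = verify(base, [root])            # nothing changed yet

    _write(os.path.join(bin_dir, "ls"), b"trojaned")       # replaced binary
    _write(os.path.join(mod_dir, "example.ko"), b"patched")  # changed .ko
    _write(os.path.join(bin_dir, ".extra"), b"")           # dropped-in file
    after = verify(base, [root])

    rel = lambda paths: [os.path.relpath(p, root) for p in paths]
    return {
        "clean": clean,
        "modified": rel(after["modified"]),
        "added": rel(after["added"]),
        "removed": rel(after["removed"]),
        "ko_only": rel(take_baseline([root], suffixes=(".ko",))),
        "hidden_by_ls": names_hidden_by_ls(bin_dir),
    }


if __name__ == "__main__":
    print(run_demo())
```

The baseline dictionary is only worth something if the intruder cannot rewrite it, so in practice it goes to read-only or offline storage and the check runs from known-good binaries. Both checks here rely on the kernel telling the truth: they catch the replaced userland tools the original poster found, but not the kernel-module case raised later in the thread, where every process is lied to alike.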