[lfs-support] LFS + Rootkits

loki loki at pancevo.rs
Sun Apr 8 23:40:05 PDT 2012


> > ...and a rootkit was installed.
>
>A very interesting story.  I'm interested how a regular user was able to
>install a rootkit.  I realize that you may not know.

Didn't have the time to analyse that, but I presume through privilege
escalation, because this user had direct access to the running service.
Another possibility would be through kernel modules.

> > When I logged in and tried to ls I saw that ls gave me a segmentation
> > fault error. After some more minutes I saw that there are some files
> > that I didn't install.
>
>Can you say what the file names/locations were?

Can't remember anymore. I have it saved somewhere. But one of the tools
I never install is netstat. The changed apps were ls, ps and dir. When I analyse
it I will get back to you.

>May I suggest tripwire.  It does require a bit of work when files are
>updated, but will catch this sort of thing.
>

Am using it, but for this server there was no time to install it. Wanted to do
it later but never had the time. Unfortunately tripwire can't help with a
kernel module hack.

For me the only real safeguards are chroot, iptables and no kernel
modules. For most servers they aren't needed anyway.

L...
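As an added illustration of the two points raised in this exchange (that a Tripwire-style integrity check catches replaced userland binaries, and that it cannot see past a kernel-module rootkit), here is a small integrity baseline written for this page. It is not Tripwire's code and nothing from the thread; the fake bin directory, the "trojaned" ls and ps and the netstat that was never installed are constructed test data, not real rootkit artefacts. The `kernel_module_loading_disabled` helper reads the Linux `kernel.modules_disabled` sysctl, which is one way to enforce the "no kernel modules" safeguard the poster relies on.

```python
#!/usr/bin/env python3
"""Tripwire-style integrity baseline (added example, not Tripwire's code).

Records sha256/size/mode for every regular file under a directory, then
re-scans and reports modified, added and missing entries.  A userland check
like this detects replaced ls/ps/netstat binaries; it cannot detect a
kernel-module rootkit that hides files or lies to open()/read(), because it
asks the same kernel the rootkit controls.
"""
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """Hash, size and permission bits for one regular file."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
    }


def build_baseline(directory):
    """Walk `directory` and record every regular file, keyed by relative path."""
    records = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            if os.path.islink(full):
                continue  # symlinks are skipped to keep the example short
            records[os.path.relpath(full, directory)] = file_record(full)
    return records


def compare(baseline, current):
    """Diff two baselines: changed records, new paths, removed paths."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def kernel_module_loading_disabled(sysctl_path="/proc/sys/kernel/modules_disabled"):
    """True if kernel.modules_disabled=1 (a one-way sysctl: once set it stays
    set until reboot), False if module loading is still allowed, None if the
    file does not exist (non-Linux host or constructed path)."""
    try:
        with open(sysctl_path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def _write(path, data, mode=0o755):
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo():
    """Constructed scenario mirroring the thread: baseline a fake bin/, then
    simulate a compromise that replaces ls and ps and drops in a netstat."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = os.path.join(tmp, "bin")
        os.makedirs(bin_dir)
        for name in ("ls", "ps", "dir"):
            _write(os.path.join(bin_dir, name), b"#!/bin/sh\necho " + name.encode() + b"\n")

        baseline = build_baseline(bin_dir)
        # Round-trip through JSON, as a baseline kept on read-only media would be.
        baseline = json.loads(json.dumps(baseline))

        # Simulated compromise (constructed placeholder scripts, not rootkit code).
        _write(os.path.join(bin_dir, "ls"), b"#!/bin/sh\n# trojaned ls\necho ls\n")
        _write(os.path.join(bin_dir, "ps"), b"#!/bin/sh\n# trojaned ps\necho ps\n")
        _write(os.path.join(bin_dir, "netstat"), b"#!/bin/sh\necho netstat\n")

        return compare(baseline, build_baseline(bin_dir))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("kernel.modules_disabled:", kernel_module_loading_disabled())
```

Two caveats follow from the thread. The baseline must live where root on the box cannot rewrite it (read-only media or another host), otherwise a rootkit simply re-baselines its own trojans. And because the scan trusts the running kernel, a kernel-module rootkit can hide its files from `os.walk` or feed the original bytes to `read()` while executing something else, which is exactly why the poster prefers a kernel with module loading disabled; `kernel.modules_disabled` is one way to get that on a kernel that was built with module support.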