[lfs-support] LFS + Rootkits

Bruce Dubbs bruce.dubbs at gmail.com
Mon Apr 9 09:44:31 PDT 2012


loki wrote:
>>> ...and a rootkit was installed.
>> A very interesting story.  I'm interested in how a regular user was able to
>> install a rootkit.  I realize that you may not know.
> 
> Didn't have the time to analyse that but I presume through privilege
> escalation. Cause this user had direct access to the running service.
> Another possibility would be through kernel modules.
> 
>>> When I logged in and tried to ls I saw that ls gave me a segmentation
>>> fault error. After some more minutes I saw that there are some files
>>> that I didn't install.
>> Can you say what the file names/locations were?
> 
> Can't remember anymore. I have it saved somewhere. But one of the tools
> I never install is netstat. The changed apps were ls, ps, dir. When I analyse
> it I will get back to you.

Yes, I've seen where corrupted versions of those do not display the 
hacker's files or processes.  One way to get around a corrupted ls is to 
use `echo *`.

>> May I suggest tripwire.  It does require a bit of work when files are
>> updated, but will catch this sort of thing.

> Am using it but for this server there was no time to install it. Wanted to do
> it later but never had the time. Unfortunately tripwire can't help
> with a kernel module hack.

It can check if a .ko file has changed in any way.

> For me the only real safeguard is chroot, iptables and no kernel 
> modules. For most servers they aren't needed anyway.

Exactly.

   -- Bruce
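An added example, not from the thread or from LFS, that puts Bruce's two points into shell: a tripwire-style hash baseline for .ko files that reports changed, missing or newly dropped-in modules, and the `echo *` cross-check, which relies on the shell's own glob expansion rather than on /bin/ls. The sample module tree, file names and contents are constructed so the script runs offline without touching the real /lib/modules.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal tripwire-style baseline for
# kernel modules, plus the `echo *` cross-check Bruce mentions. It runs on a
# constructed sample tree so nothing here touches the real /lib/modules.

# One "sha256  path" line per .ko file under the tree given as $1.
make_baseline() {
    find "$1" -type f -name '*.ko' -print0 | sort -z | xargs -0 sha256sum
}

# Compare a saved baseline ($1) with the tree's current state ($2).
# Prints a diff for changed, missing or newly added modules; returns 1 then.
verify_baseline() {
    current=$(mktemp) || return 2
    make_baseline "$2" > "$current"
    if diff -u "$1" "$current"; then
        rm -f "$current"; return 0
    fi
    rm -f "$current"; return 1
}

# Names the shell's own glob expansion sees but `ls -A` does not report.
# Glob expansion happens inside the shell, so it does not depend on /bin/ls.
hidden_from_ls() {
    listing=$(ls -A -- "$1")
    for entry in "$1"/* "$1"/.[!.]*; do
        [ -e "$entry" ] || continue
        name=${entry##*/}
        printf '%s\n' "$listing" | grep -Fqx -- "$name" || echo "$name"
    done
}

# Constructed sample: two fake modules, then one tampered and one planted.
demo() {
    tree=$(mktemp -d)
    mkdir -p "$tree/kernel/net"
    printf 'fake module a\n' > "$tree/kernel/a.ko"
    printf 'fake module b\n' > "$tree/kernel/net/b.ko"
    make_baseline "$tree" > "$tree.baseline"
    verify_baseline "$tree.baseline" "$tree" && echo "clean: baseline matches"
    printf 'patched\n' >> "$tree/kernel/a.ko"     # simulate tampering
    printf 'planted\n' > "$tree/kernel/net/x.ko"  # simulate a dropped-in module
    verify_baseline "$tree.baseline" "$tree" || echo "ALERT: module tree changed"
    hidden_from_ls "$tree/kernel"                  # prints nothing with an honest ls
    rm -rf "$tree" "$tree.baseline"
}
demo
```

On a real system the baseline must be stored off-box or on read-only media, since a writable baseline can be regenerated by whoever changed the modules.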