On Fri, Jan 11, 2002 at 05:04:53PM +0000, Ricardo B wrote:
> He can be loaded as a kernel module and then hide all traces of its
> presence in the system, by overriding the proper system calls and
> /proc info.  Isn't there a way to turn module loading off (a way that
> can't be changed back - without rebooting) ?

Yes, but it won't help you much.  I've read some very interesting
articles recently about writing directly to /dev/kmem.  That allows you
to do some fun kernel level stuff without any module support needed at
all.

This kernel level stuff makes traditional host based intrusion detection
really difficult.  LIDS helps, but I don't think it's the final
solution.  Network intrusion detection helps, but it's really difficult
to fine-tune something like SNORT to only give you interesting
information, especially if you're in a really large network.

In these days of kernel-level compromises, a lot of network intruders
are only detected when they do something stupid like portscan a box from
one of their cracked machines.  If they lie low and are smart about
covering their tracks, they're likely to go unnoticed for a very long
time.

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 

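An added example, not part of the thread and not noah's or Ricardo's code: a small POSIX shell audit of the two points raised above. Ricardo's one-way module lock exists on kernels newer than this 2002 exchange as the write-once sysctl kernel.modules_disabled (Linux 2.6.31 and later; once set to 1 the kernel refuses to clear it, so only a reboot restores module loading). Noah's /dev/kmem route is governed separately by CONFIG_DEVKMEM, so the audit also reports whether the /dev/kmem and /dev/mem nodes are present. The root-tree argument to each function is an assumption of this example so that it can be run against a constructed fake /proc and /dev tree rather than only on a live, root-privileged system.

```shell
#!/bin/sh
# Added example (not from the original thread). Audit and apply the one-way
# module-loading lock, and report whether raw kernel-memory nodes exist.
# Every function takes an optional root prefix ("" = the live system); the
# prefix is an assumption of this example so it can run against a fake tree.

# Print the value of kernel.modules_disabled under the given root, or
# "absent" when the sysctl does not exist (kernel older than 2.6.31, or a
# container without /proc/sys).
modules_disabled_state() {
    root="${1:-}"
    f="$root/proc/sys/kernel/modules_disabled"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        printf 'absent'
    fi
}

# Report whether a kernel-memory device node (kmem or mem) exists under the
# root. -e rather than -c so a plain file in a fake tree also counts.
kmem_node_state() {
    root="${1:-}"
    node="$2"
    if [ -e "$root/dev/$node" ]; then
        printf 'present'
    else
        printf 'missing'
    fi
}

# Set the write-once lock. On a real kernel this needs root and, once done,
# cannot be undone without a reboot. Returns 0 when the value reads back as 1.
lock_module_loading() {
    root="${1:-}"
    f="$root/proc/sys/kernel/modules_disabled"
    [ -w "$f" ] || return 1
    printf '1\n' > "$f"
    [ "$(modules_disabled_state "$root")" = "1" ]
}

# One-word posture: "locked" only when module loading is off AND there is no
# /dev/kmem; "partial" when exactly one holds; "open" otherwise.
kernel_posture() {
    root="${1:-}"
    mods="$(modules_disabled_state "$root")"
    kmem="$(kmem_node_state "$root" kmem)"
    if [ "$mods" = "1" ] && [ "$kmem" = "missing" ]; then
        printf 'locked'
    elif [ "$mods" = "1" ] || [ "$kmem" = "missing" ]; then
        printf 'partial'
    else
        printf 'open'
    fi
}

# Live usage (as root, from the last boot step once every legitimate
# module has been loaded):
#   kernel_posture ""          # audit the running kernel
#   lock_module_loading ""     # then throw the one-way switch
```

The lock is only half the answer, which is noah's point: a kernel that still exposes /dev/kmem (or an unrestricted /dev/mem) can be patched by a root process without loadmodule at all, so the posture function refuses to report "locked" while that node is present.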