On Fri, Jan 11, 2002 at 05:04:53PM +0000, Ricardo B wrote:
> He can be loaded as a kernel module and then hide all traces of its
> presence in the system, by overriding the proper system calls and
> /proc info. Isn't there a way to turn module loading off (a way that
> can't be changed back - without rebooting) ?

Yes, but it won't help you much. I've read some very interesting articles recently about writing directly to /dev/kmem. That allows you to do some fun kernel level stuff without any module support needed at all.

This kernel level stuff makes traditional host based intrusion detection really difficult. LIDS helps, but I don't think it's the final solution. Network intrusion detection helps, but it's really difficult to fine-tune something like SNORT to only give you interesting information, especially if you're in a really large network.

In these days of kernel-level compromises, a lot of network intruders are only detected when they do something stupid like portscan a box from one of their cracked machines. If they lie low and are smart about covering their tracks, they're likely to go unnoticed for a very long time.

noah

-- 
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
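An added defender-side check, not part of the thread above: on a current Linux kernel the one-way switch Ricardo asks about exists (the kernel.modules_disabled sysctl; once set to 1 only a reboot clears it), and Noah's caveat about /dev/kmem still applies, so this script audits both together plus the lockdown mode. It assumes the sysctl (2.6.31+), the /dev/kmem node and the securityfs lockdown file; file paths are parameters so the checks can be run against constructed sample files.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits whether runtime module
# loading has been switched off one-way (kernel.modules_disabled: once 1,
# only a reboot clears it) and whether the /dev/kmem route around that ban
# is still open. Paths are parameters so each check can run on sample files.

# 0 = module loading disabled, 1 = still enabled, 2 = sysctl not present.
modules_loading_disabled() {
    file="${1:-/proc/sys/kernel/modules_disabled}"
    [ -r "$file" ] || return 2
    [ "$(cat "$file")" = "1" ]
}

# 0 if the kmem device node does not exist (CONFIG_DEVKMEM=n, or kernel >= 5.13
# where /dev/kmem was removed entirely).
kmem_absent() {
    [ ! -e "${1:-/dev/kmem}" ]
}

# Prints the bracketed active mode from a line like "none [integrity] confidentiality";
# prints "unavailable" when the securityfs file is missing (pre-5.4 or not mounted).
lockdown_mode() {
    file="${1:-/sys/kernel/security/lockdown}"
    if [ -r "$file" ]; then
        sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$file"
    else
        echo unavailable
    fi
}

# Human-readable report; always returns 0 so it is safe under set -e.
audit() {
    rc=0
    modules_loading_disabled || rc=$?
    case $rc in
        0) echo "module loading: disabled until reboot" ;;
        1) echo "module loading: ENABLED (sysctl -w kernel.modules_disabled=1 closes it one-way)" ;;
        *) echo "module loading: modules_disabled sysctl not available on this kernel" ;;
    esac
    if kmem_absent; then
        echo "/dev/kmem: absent"
    else
        echo "/dev/kmem: PRESENT (a module ban alone does not stop direct kernel memory writes)"
    fi
    echo "lockdown: $(lockdown_mode)"
    return 0
}

audit
```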