Is there a good reason why insmod should not call syslog() to log
any module that gets installed ? I know things like bttv get very verbose
in the module itself, and I tried patching insmod to log the first
argument and it seemed to work for me.
I was looking at the knark LKM rootkit and wondering how to detect this
beast. Typically it seemss one does "insmod knark.o" then maybe "insmod
modhide.o" to prevent it showing in /proc/modules (seems to remove the
last loaded module from a linked list if I read it aright). Adding a
syslog call to the insmod binary might get this logged on a remote host
with a bit of luck.
On a more esoteric note, how would one detect that this kind of module
has been installed (modhide) ? I presume one could dive into /dev/mem or
load another module to go look, but I've no idea where to start.
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
[EMAIL PROTECTED]
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
