oohh well... Grsec, LIDS etc. have different implementations, and how they work and how you
can evade them... :)

    Once the user has gained root access and tries to load a module to bypass
checks etc. and install some km backdoors etc., it will ooppsss.... and die hard
:) = loading a module will not work.

    rick - nice one hehe

"\x0c\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"

----- Original Message -----
From: Pong <[EMAIL PROTECTED]>
Date: Wed, 4 Dec 2002 12:13:31 +0800 (PHT) 
To: [EMAIL PROTECTED]
Subject: Re: [plug] can't delete a file (IMMUTABLE)


> 
> 
> On Tue, 3 Dec 2002, vuln- dev wrote:
> >    
> >       This is a very straightforward answer. (too much work to do heh)
> > you can make a module that loads up during boot sequence that can remove
> > immutable flags etc. and it will make chattr useless... (extract the
> > symbol addresses for the FS)
> > 
> 
> what about preventing a root cracker's loadable module that re-enables or
> bypasses checks to the immutable bit?  then the cracker can then delete
> any file without even using chattr.  you'd also need to protect against
> this type of attack. many folks have done this: LIDS, GRsecurity, etc...  
> 
> pong
> 
> _
> Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
> To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
> 
> Fully Searchable Archives With Friendly Web Interface at http://marc.free.net.ph
> 
> To subscribe to the Linux Newbies' List: send "subscribe" in the body to 
>[EMAIL PROTECTED]
> 
