Re: Kernel-loadable Root Kits

2004-09-24 Thread Peter Pentchev
On Sat, Sep 08, 2001 at 05:43:41AM -0400, Deepak Jain wrote: Short question: Is there a way to prevent the kernel from allowing loadable modules? Run your system in securelevel 1 or higher. See the init(8) manual page and the kern_securelevel_enable and kern_securelevel variables in the

Re: Kernel-loadable Root Kits

2001-09-09 Thread Eugene L. Vorokov
1) scan the sysent table and check syscall pointers (generally, rootkits intercept syscalls) This can get really hairy. To scan the syscall table, even if you are 'root' and directly access /dev/mem you will have to use some system calls to open(), read() and seek() into the /dev/mem

Re: Kernel-loadable Root Kits

2001-09-09 Thread Sansonetti Laurent
Hello, 1) scan the sysent table and check syscall pointers (generally, rootkits intercept syscalls) This can get really hairy. To scan the syscall table, even if you are 'root' and directly access /dev/mem you will have to use some system calls to open(), read() and seek() into the

Re: Kernel-loadable Root Kits

2001-09-08 Thread Giorgos Keramidas
From: Sansonetti Laurent [EMAIL PROTECTED] Subject: Re: Kernel-loadable Root Kits Date: Sat, Sep 08, 2001 at 04:21:29PM +0200 Hello, Short question: Is there a way to prevent the kernel from allowing loadable modules? Yes, by hacking kldload(2). You can also switch the secure level

Re: Kernel-loadable Root Kits

2001-09-08 Thread Andrew R. Reiter
:Instead of worrying after the module has been loaded it's much safer :to run the kernel in securelevel=1 when modules cannot be loaded :without a reboot to single-user mode. : Not entirely true. They are called kernel bugs... Not the proper url for this, but good enough:

Kernel-loadable Root Kits

2001-09-08 Thread Deepak Jain
Short question: Is there a way to prevent the kernel from allowing loadable modules? Thought process: With the advent of the kernel-loadable root kit, intrusion detection has gotten a bit more complicated. Is there a _simple_ solution to detecting the presence of a kernel-based root

Re: Kernel-loadable Root Kits

2001-09-08 Thread Peter Pentchev
On Sat, Sep 08, 2001 at 05:43:41AM -0400, Deepak Jain wrote: Short question: Is there a way to prevent the kernel from allowing loadable modules? Run your system in securelevel 1 or higher. See the init(8) manual page and the kern_securelevel_enable and kern_securelevel variables in the

Re: Kernel-loadable Root Kits

2001-09-08 Thread Sansonetti Laurent
Hello, Short question: Is there a way to prevent the kernel from allowing loadable modules? Yes, by hacking kldload(2). You can also switch the secure level using sysctl. With the advent of the kernel-loadable root kit, intrusion detection has gotten a bit more complicated. Is there a