| 1 |
On Tuesday 15 May 2007, Dan Farrell <dan@×××××××××.cx> wrote about 'Re: |
| 2 |
[gentoo-user] Managing my kernel': |
| 3 |
> On Tue, 15 May 2007 09:21:17 +0200 |
| 4 |
> Etaoin Shrdlu <shrdlu@×××××××××××××.org> wrote: |
| 5 |
> > On Tuesday 15 May 2007 03:57, Dan Farrell wrote: |
| 6 |
> > > On Tue, 15 May 2007 12:33:22 +1200 |
| 7 |
> > > Mark Kirkwood <markir@××××××××××××.nz> wrote: |
| 8 |
> > > > 2/ disables loadable modules completely |
| 9 |
> > > |
| 10 |
> > > But Why? What's the benefit? |
| 11 |
> > |
| 12 |
> > [S]ome rootkits |
| 13 |
> > use LKMs, and removing loadable modules support might help to prevent |
| 14 |
> > such attacks. |
| 15 |
> |
| 16 |
> I'd never heard of LKM rootkits, although the |
| 17 |
> concept is I suppose a good one, as far as defeating security goes. I |
| 18 |
> must say I'm not going to start worrying about it, but point taken |
| 19 |
|
| 20 |
The (GPL'd) rootkit I was able to look at didn't even use LKMs, it simply |
| 21 |
patched the kernel live via /proc/kcore. The version I saw probably |
| 22 |
wouldn't work anymore, but LKMs aren't the only way a rootkit can take |
| 23 |
hold. |
| 24 |
|
| 25 |
-- |
| 26 |
Boyd Stephen Smith Jr. ,= ,-_-. =. |
| 27 |
bss03@××××××××××.net ((_/)o o(\_)) |
| 28 |
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-' |
| 29 |
http://iguanasuicide.org/ \_/ |
Archives