Bugtraq mailing list archives
Re: An alternative method to check LKM backdoor/rootkit
From: Paul Starzetz <paul () starzetz de>
Date: Wed, 17 Apr 2002 15:54:26 +0200
Wang Jian wrote:
> THE ALTERNATIVE METHOD
> Our alternative method uses the first style: finding the differences between the fake view and the real view. We read the raw disk and traverse the filesystem on disk, bypassing the live filesystem, to create a real view of the files on disk; then we traverse the live filesystem to get the fake view. Comparing the two views, we can find the differences. We will find the stealth files.
Be sure that this will be fixed in the next 'generation' of LRKMs. Patching the device methods for disk special nodes is not a big deal; why not incorporate even your code into one of the nice LRKMs? You probably found a weakness of 'current' LRKMs, but in general it is a bad idea to check your machine while running a compromised kernel.

/ih
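The cross-view check Wang Jian describes (on-disk view versus live view, report what only the disk shows), written out as an added example. This is not code from the post or from the tool it describes: the on-disk view is taken with e2fsprogs' `debugfs` rather than a hand-written disk walker, so it assumes an ext2/ext3/ext4 volume, `debugfs` on the PATH, and root to read the block device; the sample listing and live view at the bottom are constructed for the demo. Paul's caveat applies unchanged: a rootkit that also hooks the block device's read path can feed this script a clean-looking disk, so the real use is from a trusted boot medium against the suspect disk.

```python
"""Cross-view detection of hidden files: compare the tree the running kernel
shows (live view) with the tree read from the raw block device (on-disk view)
and report paths that exist only on disk. Added example, not from the post.

Assumptions: ext2/3/4 on the device and e2fsprogs' debugfs installed; its
`ls -p` prints one entry per line as /inode/mode/uid/gid/name/size/ with an
empty size field for directories. Reading the block device needs root."""

import os
import stat
import subprocess


def live_view(root):
    """Relative paths under ROOT as the kernel's VFS reports them. This is the
    view an LKM rootkit filters (getdents/readdir hooks), so it may be fake."""
    paths = set()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            paths.add(os.path.relpath(os.path.join(dirpath, name), root))
    return paths


def parse_debugfs_ls(output):
    """Parse `debugfs -R 'ls -p DIR'` output into (inode, mode, name) tuples,
    dropping '.' and '..' and any line that is not a directory entry."""
    entries = []
    for line in output.splitlines():
        fields = line.strip().split("/")
        # An entry splits as ['', inode, mode, uid, gid, name, size, ''].
        if len(fields) < 8 or fields[0] != "" or not fields[1].isdigit():
            continue
        inode, mode, _uid, _gid, name = fields[1:6]
        if name in (".", ".."):
            continue
        entries.append((int(inode), int(mode, 8), name))
    return entries


def run_debugfs_ls(device, path):
    """List PATH straight from DEVICE with debugfs (opened read-only), bypassing
    the mounted filesystem. PATH is relative to the filesystem root on the
    device, not to the mount point. Needs root."""
    proc = subprocess.run(["debugfs", "-R", f"ls -p {path}", device],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def raw_view(device, top="/", lister=run_debugfs_ls):
    """Walk the on-disk tree below TOP and return relative paths in the same
    shape live_view() returns. LISTER is injectable so the walk can be run on
    captured debugfs output without a device."""
    top = top.rstrip("/")
    paths = set()
    pending = [""]                      # relative directories still to list
    while pending:
        rel_dir = pending.pop()
        abs_dir = f"{top}/{rel_dir}" if rel_dir else (top or "/")
        for _inode, mode, name in parse_debugfs_ls(lister(device, abs_dir)):
            rel = f"{rel_dir}/{name}" if rel_dir else name
            paths.add(rel)
            if stat.S_ISDIR(mode):
                pending.append(rel)
    return paths


def compare_views(raw, live):
    """Paths on disk but missing from the live view are the hidden-file
    candidates. Paths only in the live view are normally files created between
    the two walks; they are reported so the scan can be repeated (or run on a
    read-only remount or snapshot) instead of being silently ignored."""
    return {"hidden": sorted(raw - live), "live_only": sorted(live - raw)}


# Constructed sample, not real debugfs output from any system: a root
# directory holding /etc and a kernel image, /etc holding passwd plus a file
# that the live view will not show.
SAMPLE_DEBUGFS = {
    "/": "/2/040755/0/0/.//\n/2/040755/0/0/..//\n"
         "/12/040755/0/0/etc//\n/13/100644/0/0/vmlinuz/7340032/\n",
    "/etc": "/12/040755/0/0/.//\n/2/040755/0/0/..//\n"
            "/20/100644/0/0/passwd/1024/\n/21/100600/0/0/.rk_config/128/\n",
}
# Constructed live view: .rk_config is filtered out, and a log file appeared
# after the disk walk.
SAMPLE_LIVE = {"etc", "vmlinuz", "etc/passwd", "etc/new.log"}


def demo():
    raw = raw_view("/dev/constructed", "/",
                   lister=lambda dev, d: SAMPLE_DEBUGFS[d])
    return compare_views(raw, SAMPLE_LIVE)


if __name__ == "__main__":
    print(demo())
    # On a real system: compare_views(raw_view("/dev/sda1"), live_view("/"))
```

Two practical notes. `debugfs` reads the block device, not the page cache, so on a live ext3/ext4 volume run `sync` first and treat anything in `live_only` as a reason to rescan rather than as evidence; an LVM snapshot or a read-only remount removes the race entirely. And because the check only covers what the filesystem driver lays out, a rootkit that hides by patching the disk device methods (Paul's point) is outside what it can see; that variant needs the disk examined from a kernel you trust.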
Current thread:
- An alternative method to check LKM backdoor/rootkit Wang Jian (Apr 16)
- Re: An alternative method to check LKM backdoor/rootkit Paul Starzetz (Apr 17)
- Re: An alternative method to check LKM backdoor/rootkit Florian Weimer (Apr 17)
- Re: An alternative method to check LKM backdoor/rootkit Karsten W. Rohrbach (Apr 18)
- Reply: An alternative method to check LKM backdoor/rootkit Wang Jian (Apr 18)
- Re: An alternative method to check LKM backdoor/rootkit Florian Weimer (Apr 17)
- <Possible follow-ups>
- RE: An alternative method to check LKM backdoor/rootkit Philippe Bourgeois (Apr 17)
- Re: An alternative method to check LKM backdoor/rootkit Paul Starzetz (Apr 17)