Bugtraq mailing list archives
RE: An alternative method to check LKM backdoor/rootkit
From: "Philippe Bourgeois" <Philippe.Bourgeois () cert-ist com>
Date: Wed, 17 Apr 2002 10:40:25 +0200
Wang Jian wrote:
Our alternative method uses the first style: to find the differences between the fake view and the real view.
[...]
We read the raw disk and traverse the filesystem on disk, bypass the live filesystem, and create a real view of files on disk; then traverse the live filesystem to get the fake view. Comparing the two views, we can find the differences. We will find the stealth files.
For your information, I wrote the same kind of tool some time ago. It works fine for my needs, and found all the LKM I tested, as far as files are hidden (I mean, if the LKM doesn't hide any file, "ancheck" doesn't find it). I definitely think that the "Find the differences between the two views" approach is a very good approach to detect LKM.

I called my tool "ancheck" (alternate ncheck) because it works more or less like the UNIX "ncheck" command (ncheck exists on most UNIX systems, but not on Linux):

http://www.cert-ist.com/francais/outils/ancheck03.tar.Z
http://www.cert-ist.com/francais/outils/ancheck03.tar.Z.sig

Ancheck is a set of 2 UNIX commands ("ls_hidden" and "ancheck") designed to locate hidden or deleted files. It works on UFS (Solaris) and EXT2 (Linux) file systems. You need TCT (the Coroner's Toolkit) to compile the package. TCT can be downloaded from:

http://www.porcupine.org/tct
http://www.fish.com/tct/

Philippe Bourgeois
Cert-IST
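The "compare the two views" approach discussed in this thread, as an added example that is not ancheck, TCT or Wang Jian's code. It assumes the on-disk view was produced by e2fsprogs' `debugfs -R 'ls -p /usr/lib' /dev/sda1` in its parseable `/inode/mode/uid/gid/name/size/` layout, and that the live view is whatever the running (possibly subverted) kernel returns from readdir() and lstat(); the sample listing below is constructed.

```python
"""Find directory entries present on disk but absent from the live kernel view."""
import os
import re

# Assumed debugfs 'ls -p' layout: /inode/mode/uid/gid/name/size/ (size empty for dirs)
LINE_RE = re.compile(r"^/(\d+)/([0-7]+)/(\d+)/(\d+)/(.*?)/(\d*)/$")

def parse_debugfs_ls_p(text):
    """Return {name: inode} from a debugfs 'ls -p' listing, skipping '.' and '..'."""
    raw = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(5) not in (".", ".."):
            raw[m.group(5)] = int(m.group(1))
    return raw

def live_view(directory):
    """Live view: {name: inode} as the running kernel reports it (may be lying)."""
    return {n: os.lstat(os.path.join(directory, n)).st_ino for n in os.listdir(directory)}

def compare_views(raw, live):
    """Diff two {name: inode} maps of the same directory.

    hidden   : on disk but missing from the live view (what an LKM rootkit hides)
    phantom  : in the live view but not on disk (stale or fabricated entries)
    mismatch : present in both but with different inode numbers
    """
    hidden = sorted(set(raw) - set(live))
    phantom = sorted(set(live) - set(raw))
    mismatch = sorted(n for n in set(raw) & set(live) if raw[n] != live[n])
    return hidden, phantom, mismatch

# Constructed sample: the disk holds one entry that the live listing omits.
SAMPLE_RAW = """\
/2/040755/0/0/.//
/2/040755/0/0/..//
/4107/100644/0/0/libc.so.6/1234567/
/4108/040755/0/0/locale//
/4109/100755/0/0/.lkm_payload/20480/
"""
SAMPLE_LIVE = {"libc.so.6": 4107, "locale": 4108}

def demo():
    """Run the comparison on the constructed sample instead of a real device."""
    return compare_views(parse_debugfs_ls_p(SAMPLE_RAW), SAMPLE_LIVE)

if __name__ == "__main__":
    hidden, phantom, mismatch = demo()
    print("hidden:", hidden, "phantom:", phantom, "inode mismatch:", mismatch)
```

On a real host, replace SAMPLE_LIVE with live_view("/usr/lib") and SAMPLE_RAW with the debugfs output for the same directory; the raw listing must come from the block device, never from the mounted tree the kernel serves.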
Current thread:
- An alternative method to check LKM backdoor/rootkit Wang Jian (Apr 16)
- Re: An alternative method to check LKM backdoor/rootkit Paul Starzetz (Apr 17)
- Re: An alternative method to check LKM backdoor/rootkit Florian Weimer (Apr 17)
- Re: An alternative method to check LKM backdoor/rootkit Karsten W. Rohrbach (Apr 18)
- Reply: An alternative method to check LKM backdoor/rootkit Wang Jian (Apr 18)
- Re: An alternative method to check LKM backdoor/rootkit Florian Weimer (Apr 17)
- <Possible follow-ups>
- RE: An alternative method to check LKM backdoor/rootkit Philippe Bourgeois (Apr 17)
- Re: An alternative method to check LKM backdoor/rootkit Paul Starzetz (Apr 17)