Focus on Sun
Exploit or trojan Dec 12 2003 02:09PM
Darren Young (darren_young yahoo com) (2 replies)
Re: Exploit or trojan Dec 16 2003 12:33AM
Felipe Franciosi (ozzybugt terra com br) (1 replies)
Re: Exploit or trojan Dec 17 2003 07:32PM
Konrad Rieck (kr roqe org) (1 replies)
Re: Exploit or trojan Dec 18 2003 01:56PM
Felipe Franciosi (ozzybugt terra com br) (2 replies)
Re: Exploit or trojan Dec 19 2003 03:16PM
Steve Bremer (steveb nebcoinc com)
Re: Exploit or trojan Dec 19 2003 02:36PM
dav (dav r00tworld com)
Felipe Franciosi [ozzybugt (at) terra.com (dot) br [email concealed]] wrote:
> > Oops.
> >
> > Such kind of kernel backdoors (e.g. loadable kernel modules) are also
> > present for Solaris, *BSD and Windows systems. If you are unsure whether
> > someone has compromised your system, don't trust the system's kernel!
>
> Yeah, you are right! I was just reading about coding Solaris kernel
> modules. It is pretty easy, actually. Anyone can find a lot of
> documents on Google.
>
> A little addition here: Some Linux backdoors (Suckit, for example)
> don't work as a kernel module. It just opens /dev/kmem and patches
> it on the fly. It is still detectable, though, through some
> implementation flaws or checking mechanisms that verify the kernel
> syscall table integrity.

For Solaris systems, you can look at the Papillon kernel module. This module
tries to do the same as gr-security does for the Linux kernel...
I'm using it on production servers, and I have no trouble to report after
one year.

http://www.roqe.org/papillon/

dav.

--
PGP: http://www.r00tworld.com/~dav/dav.gpg

RE: Exploit or trojan Dec 13 2003 03:52AM
Gordon Ewasiuk (gordon ewasiuk verizon net)


 
