2001-04-06 00:59:09

by Andrew Daviel

Subject: syslog insmod please!


Is there a good reason why insmod should not call syslog() to log
any module that gets installed ? I know things like bttv get very verbose
in the module itself, and I tried patching insmod to log the first
argument and it seemed to work for me.

I was looking at the knark LKM rootkit and wondering how to detect this
beast. Typically it seems one does "insmod knark.o" then maybe "insmod
modhide.o" to prevent it showing in /proc/modules (seems to remove the
last loaded module from a linked list if I read it aright). Adding a
syslog call to the insmod binary might get this logged on a remote host
with a bit of luck.

On a more esoteric note, how would one detect that this kind of module
has been installed (modhide) ? I presume one could dive into /dev/mem or
load another module to go look, but I've no idea where to start.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
[email protected]
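One defender-side answer to the "how would one detect modhide" question, as an added example that is not code from this thread or from modutils: compare the module list a hider unlinks itself from (/proc/modules) against other kernel-maintained views that still reference the module. The /proc/kallsyms "[modname]" tags and the /sys/module/<name> directories are assumptions about 2.6 and later kernels (the 2.2/2.4 kernels discussed here have /proc/ksyms and no sysfs); the sample inputs are constructed, with "knark" standing in for a module that has removed itself from the list.

```python
"""Cross-check independent kernel views of the loaded-module set.

Added example, not code from the thread.  A module that unlinks itself
from the kernel's module list disappears from /proc/modules, but other
kernel-maintained views may still refer to it, so compare the views:

  * /proc/modules       - the list a hider removes itself from
  * /proc/kallsyms      - symbols of a loaded module end in "[modname]"
  * /sys/module/<name>  - one directory per module; loaded modules have an
                          "initstate" entry, built-in code with parameters
                          does not

The last two views are assumptions about 2.6+ kernels.  Any name that a
secondary view knows about but /proc/modules does not is reported.
"""
import os
import re
from typing import Dict, Iterable, List, Set


def modules_from_proc_modules(text: str) -> Set[str]:
    """Module names are the first field of each /proc/modules line."""
    return {line.split()[0] for line in text.splitlines() if line.split()}


# "<addr> <type> <symbol>\t[module]"; built-in symbols carry no tag.
_KALLSYMS_RE = re.compile(r"^[0-9a-fA-F]+\s+\S\s+\S+\s+\[([^\]]+)\]\s*$")


def modules_from_kallsyms(text: str) -> Set[str]:
    """Module names from the trailing "[name]" tag on /proc/kallsyms lines."""
    names = set()
    for line in text.splitlines():
        m = _KALLSYMS_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def modules_from_sysfs(tree: Dict[str, Iterable[str]]) -> Set[str]:
    """Names under /sys/module whose directory has an 'initstate' entry.

    `tree` maps each /sys/module child to its own entry names, so the
    function accepts a constructed tree as well as a live listing.
    """
    return {name for name, entries in tree.items() if "initstate" in set(entries)}


def hidden_modules(proc_modules: Set[str], kallsyms: Set[str],
                   sysfs: Set[str]) -> Dict[str, List[str]]:
    """Map each name missing from /proc/modules to the views that still list it."""
    report: Dict[str, List[str]] = {}
    for view_name, view in (("kallsyms", kallsyms), ("sysfs", sysfs)):
        for name in view - proc_modules:
            report.setdefault(name, []).append(view_name)
    return report


def read_live_sysfs(root: str = "/sys/module") -> Dict[str, List[str]]:
    """Build the same name -> entries mapping from a real sysfs tree."""
    tree: Dict[str, List[str]] = {}
    for name in os.listdir(root):
        try:
            tree[name] = os.listdir(os.path.join(root, name))
        except OSError:
            tree[name] = []
    return tree


# Constructed sample input: 'knark' has been unlinked from /proc/modules but
# its symbols and its sysfs directory are still present.
SAMPLE_PROC_MODULES = """\
bttv 98304 0 - Live 0xffffffffc0a00000
unix 45056 1 - Live 0xffffffffc0900000
"""
SAMPLE_KALLSYMS = """\
ffffffff81000000 T _stext
ffffffffc0a00000 t bttv_open\t[bttv]
ffffffffc0900000 T unix_create\t[unix]
ffffffffc0b00000 t knark_init\t[knark]
ffffffffc0b00100 t knark_hide\t[knark]
"""
SAMPLE_SYSFS = {
    "bttv": ["initstate", "refcnt", "sections"],
    "unix": ["initstate", "refcnt", "sections"],
    "knark": ["initstate", "refcnt", "sections"],
    "printk": ["parameters"],  # built-in code with parameters; must not be flagged
}


def scan_sample() -> Dict[str, List[str]]:
    """Run the comparison over the constructed sample; returns {'knark': [...]}."""
    return hidden_modules(
        modules_from_proc_modules(SAMPLE_PROC_MODULES),
        modules_from_kallsyms(SAMPLE_KALLSYMS),
        modules_from_sysfs(SAMPLE_SYSFS),
    )


if __name__ == "__main__":
    # Live run on a 2.6+ kernel; symbol names are readable without root,
    # only the addresses are zeroed for unprivileged readers.
    with open("/proc/modules") as f:
        proc = modules_from_proc_modules(f.read())
    with open("/proc/kallsyms") as f:
        syms = modules_from_kallsyms(f.read())
    report = hidden_modules(proc, syms, modules_from_sysfs(read_live_sysfs()))
    for name, views in sorted(report.items()):
        print(f"{name}: absent from /proc/modules, present in {', '.join(views)}")
```

The check is only as good as the views it compares: a module that also scrubs its kallsyms entries and sysfs directory will pass it, which is why the comparison is better run from a separate, trusted kernel view (or a rescue boot) than from the possibly compromised host itself.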


2001-04-06 01:47:46

by Ion Badulescu

Subject: Re: syslog insmod please!

On Thu, 5 Apr 2001 17:57:48 -0700 (PDT), Andrew Daviel <[email protected]> wrote:

> Is there a good reason why insmod should not call syslog() to log
> any module that gets installed ?

Simple: you'll have quite a bit of a problem if you are trying to insmod
the module with support for AF_UNIX sockets. :-)

Ion

--
It is better to keep your mouth shut and be thought a fool,
than to open it and remove all doubt.

2001-04-06 04:44:07

by Andreas Dilger

Subject: Re: syslog insmod please!

Ion writes:
> Andrew Daviel <[email protected]> wrote:
> > Is there a good reason why insmod should not call syslog() to log
> > any module that gets installed ?
>
> Simple: you'll have quite a bit of a problem if you are trying to insmod
> the module with support for AF_UNIX sockets. :-)

Why do it from user space? Simply add a printk() to sys_init_module() or
similar. Granted, this will only help until the lusers install a patched
sysklog before installing a backdoor module, but so would the user-space
solution. At least the kernel message will stay in kernel memory until
it is flushed out with more messages (which itself might be detectable).

Cheers, Andreas
--
Andreas Dilger \ "If a man ate a pound of pasta and a pound of antipasto,
\ would they cancel out, leaving him still hungry?"
http://www-mddsp.enel.ucalgary.ca/People/adilger/ -- Dogbert

2001-04-06 04:52:38

by Ion Badulescu

Subject: Re: syslog insmod please!

On Thu, 5 Apr 2001, Andreas Dilger wrote:

> Why do it from user space? Simply add a printk() to sys_init_module() or
> similar.

Agreed, but at that point the solution has absolutely nothing to do with
insmod anymore. :-)

Besides, as you said, I don't really see the point. It certainly doesn't
help with logging the actions of an attacker, and on the other hand kmod
already logs its own actions.

Ion

--
It is better to keep your mouth shut and be thought a fool,
than to open it and remove all doubt.

2001-04-06 11:38:45

by Mr. James W. Laferriere

Subject: Re: syslog insmod please!


Hello Ion ,

On Thu, 5 Apr 2001, Ion Badulescu wrote:
> On Thu, 5 Apr 2001, Andreas Dilger wrote:
> > Why do it from user space? Simply add a printk() to sys_init_module() or
> > similar.
> Agreed, but at that point the solution has absolutely nothing to do with
> insmod anymore. :-)

> Besides, as you said, I don't really see the point. It certainly doesn't
> help with logging the actions of an attacker, and on the other hand kmod
> already logs its own actions.
Not the problem being discussed , This is a user now root &
having gained root is now attempting to from the command line
to load a module . How do we get this event recorded ? kmod
only works when the user calls for the service & then it loads
it . Tia , JimL
+----------------------------------------------------------------+
| James W. Laferriere | System Techniques | Give me VMS |
| Network Engineer | 25416 22nd So | Give me Linux |
| [email protected] | DesMoines WA 98198 | only on AXP |
+----------------------------------------------------------------+

2001-04-06 11:54:45

by David Woodhouse

Subject: Re: syslog insmod please!


[email protected] said:
> Is there a good reason why insmod should not call syslog() to log any
> module that gets installed ? I know things like bttv get very verbose
> in the module itself, and I tried patching insmod to log the first
> argument and it seemed to work for me.

Consider "insmod unix.o".

I'm not wonderfully impressed with the way that you can't load the FPU
emulation module on ARM at the moment without having some form of FPU
emulation in your kernel already, either :)

--
dwmw2


2001-04-06 12:51:52

by Phil Blundell

Subject: Re: syslog insmod please!

>I'm not wonderfully impressed with the way that you can't load the FPU
>emulation module on ARM at the moment without having some form of FPU
>emulation in your kernel already, either :)

Floating point on ARM is indeed something of a crock, but that particular case
used to work -- can you tell where it's going wrong? See entry-armv.S,
about line 680, for the very bad hack that was supposed to facilitate this
kind of thing.

p.

2001-04-06 14:05:07

by Wichert Akkerman

Subject: Re: syslog insmod please!

In article <Pine.LNX.4.32.0104060429500.17426-100000@filesrv1.baby-dragons.com>,
Mr. James W. Laferriere <[email protected]> wrote:
> Not the problem being discussed , This is a user now root &
> having gained root is now attempting to from the command line
> to load a module . How do we get this event recorded ?

Recent versions of modutils (2.4.3 and later iirc) log that info
in /var/log/ksymoops

Wichert.


--
________________________________________________________________
/ Generally uninteresting signature - ignore at your convenience \
| [email protected] http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |

2001-04-06 14:44:58

by Mr. James W. Laferriere

Subject: Re: syslog insmod please!


Hello Wichert ,

On 6 Apr 2001, Wichert Akkerman wrote:
> In article <Pine.LNX.4.32.0104060429500.17426-100000@filesrv1.baby-dragons.com>,
> Mr. James W. Laferriere <[email protected]> wrote:
> > Not the problem being discussed , This is a user now root &
> > having gained root is now attempting to from the command line
> > to load a module . How do we get this event recorded ?
> Recent versions of modutils (2.4.3 and later iirc) log that info
> in /var/log/ksymoops
Thank you . Does anyone know why this information is being put
into /var/log/ksymoops ? If anything I'd have used a different
filename . Tia , JimL

+----------------------------------------------------------------+
| James W. Laferriere | System Techniques | Give me VMS |
| Network Engineer | 25416 22nd So | Give me Linux |
| [email protected] | DesMoines WA 98198 | only on AXP |
+----------------------------------------------------------------+

2001-04-06 14:56:42

by Artur Frysiak

Subject: Re: syslog insmod please!

On Fri, Apr 06, 2001 at 07:43:29AM -0700, Mr. James W. Laferriere wrote:
>
> Hello Wichert ,
>
> On 6 Apr 2001, Wichert Akkerman wrote:
> > In article <Pine.LNX.4.32.0104060429500.17426-100000@filesrv1.baby-dragons.com>,
> > Mr. James W. Laferriere <[email protected]> wrote:
> > > Not the problem being discussed , This is a user now root &
> > > having gained root is now attempting to from the command line
> > > to load a module . How do we get this event recorded ?
> > Recent versions of modutils (2.4.3 and later iirc) log that info
> > in /var/log/ksymoops

But r00tkit may have own version of insmod.

Regards
--
Artur Frysiak
Click and Buy Sp. z o.o.
tel. (071) 327-95-00 wew. 67
tel. GSM (0606) 506-414

2001-04-06 15:10:23

by Mr. James W. Laferriere

Subject: Re: syslog insmod please!

Hello Wichert ,
On Fri, 6 Apr 2001, Artur Frysiak wrote:
> On Fri, Apr 06, 2001 at 07:43:29AM -0700, Mr. James W. Laferriere wrote:
> > On 6 Apr 2001, Wichert Akkerman wrote:
> > > In article <Pine.LNX.4.32.0104060429500.17426-100000@filesrv1.baby-dragons.com>,
> > > Mr. James W. Laferriere <[email protected]> wrote:
> > > > Not the problem being discussed , This is a user now root &
> > > > having gained root is now attempting to from the command line
> > > > to load a module . How do we get this event recorded ?
> > > Recent versions of modutils (2.4.3 and later iirc) log that info
> > > in /var/log/ksymoops

> But r00tkit may have own version of insmod.
OK , There are no special features accorded to /var/log/ksymoops
than to any other file . Unless otherwise configured .
Am I that mistaken ? I hope not . Tia , JimL

+----------------------------------------------------------------+
| James W. Laferriere | System Techniques | Give me VMS |
| Network Engineer | 25416 22nd So | Give me Linux |
| [email protected] | DesMoines WA 98198 | only on AXP |
+----------------------------------------------------------------+

2001-04-06 17:53:39

by Andrew Daviel

Subject: Re: syslog insmod please!

On Fri, 6 Apr 2001, various people (Ion, David, James) wrote:
> Recent versions of modutils .. log to .. /var/log/ksymoops
> kmod only works when the user calls for the service ..
> consider unix.o

I'm still using 2.2 kernel where unix.o isn't a module and
/var/log/ksymoops doesn't exist, so I suppose that my original suggestion
would work there, no ?

In the usual game of catchup I guess that if RedHat issued a patch to
insmod for RH6 then indeed insmod would be included in r+ootkits.
Currently lr+k4,5 etc. can be detected by tripwire or my rkdet since they
change ls, ps & netstat, but k+nark can't. I haven't seen it in a r+ootkit
yet but it's only a matter of time.

I presume /var/log/ksymoops is local only (unless you take steps to copy
it remotely) ?

rkdet works on the basis of "I don't care how you got in, but
you mess with /bin/ps and I'll panic the firewall". (of course, if
an intruder finds it running under an identifiable name they can kill it)
I'd like to extend this to LKM based cloaking schemes.
I'd looked at LIDS in the past but don't want to patch the kernel.
Besides, I'm not sure whether LIDS module locking allows lkm to run
to load "good" modules like iso9660 on demand.
Loading modules is OK; I can use an unpredictable name to hide it from
scripts & kids.

Again, is there any way to detect a module such as k+nark if someone has
edited it out of the module list (by moving the "next" pointer) ?


("r*kit" mungled to foil search engines - maybe)
--
Andrew Daviel, TRIUMF, Canada
[email protected]
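The rkdet idea Andrew describes ("you mess with /bin/ps and I'll panic the firewall") is a baseline-and-compare integrity check on the binaries a user-space rootkit replaces. The following is an added example of that check, not rkdet's own code; it assumes SHA-256 as the fingerprint and a JSON baseline file, and the three watched paths are the ones named in the thread. The `demo()` scenario uses constructed fake binaries in a temporary directory so it runs anywhere.

```python
"""Baseline-and-compare integrity check for ls, ps and netstat.

Added example in the spirit of rkdet, not its code.  The baseline must be
stored where an intruder who has root cannot rewrite it (read-only media or
a remote host); a baseline kept beside the binaries proves nothing, since a
replaced binary plus a refreshed baseline look identical to a clean host.
"""
import hashlib
import json
import os
import sys
import tempfile
from typing import Dict, Iterable

# Binaries the thread names as the ones lrk-style kits replace.
WATCHED = ["/bin/ls", "/bin/ps", "/bin/netstat"]


def fingerprint(path: str) -> str:
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[str]) -> Dict[str, str]:
    """Map each path to its fingerprint; a missing file is recorded as ''."""
    return {p: (fingerprint(p) if os.path.exists(p) else "") for p in paths}


def compare(baseline: Dict[str, str]) -> Dict[str, str]:
    """Return path -> 'ok' | 'modified' | 'missing' | 'appeared' per entry."""
    result = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            result[path] = "missing" if expected else "ok"
        elif not expected:
            result[path] = "appeared"
        else:
            result[path] = "ok" if fingerprint(path) == expected else "modified"
    return result


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as f:
        return json.load(f)


def demo() -> Dict[str, str]:
    """Constructed scenario: fake ls/ps/netstat, then ps is replaced and netstat removed."""
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name in ("ls", "ps", "netstat"):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho fake " + name.encode() + b"\n")
            paths[name] = p
        base = build_baseline(paths.values())
        with open(paths["ps"], "wb") as f:          # stand-in for a replaced ps
            f.write(b"#!/bin/sh\nexec /bin/true\n")
        os.remove(paths["netstat"])
        return {os.path.basename(p): s for p, s in compare(base).items()}


if __name__ == "__main__":
    # usage: integrity.py init <baseline.json> | check <baseline.json>
    if len(sys.argv) == 3 and sys.argv[1] == "init":
        save_baseline(build_baseline(WATCHED), sys.argv[2])
    elif len(sys.argv) == 3 and sys.argv[1] == "check":
        report = compare(load_baseline(sys.argv[2]))
        for path, status in sorted(report.items()):
            print(f"{status:9} {path}")
        sys.exit(1 if any(s != "ok" for s in report.values()) else 0)
    else:
        print(demo())
```

A kernel-resident module such as the one discussed in this thread is exactly the case this check does not cover: it leaves ps and netstat untouched and filters what they see, which is why the thread moves on to comparing kernel views of the module list instead.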

2001-04-07 08:29:16

by Russell King

Subject: Re: syslog insmod please!

On Fri, Apr 06, 2001 at 01:50:29PM +0100, Philip Blundell wrote:
> Floating point on ARM is indeed something of a crock, but that particular case
> used to work -- can you tell where it's going wrong? See entry-armv.S,
> about line 680, for the very bad hack that was supposed to facilitate this
> kind of thing.

I've already discussed this issue with David on irc, and I resolved it a
few kernel versions ago (read my 2.4 release notes on the web site).

--
Russell King ([email protected]) The developer of ARM Linux
http://www.arm.linux.org.uk/personal/aboutme.html