Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S271690AbTHDJjX (ORCPT ); Mon, 4 Aug 2003 05:39:23 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S271700AbTHDJjX (ORCPT ); Mon, 4 Aug 2003 05:39:23 -0400 Received: from inway106.cdi.cz ([213.151.81.106]:31213 "EHLO luxik.cdi.cz") by vger.kernel.org with ESMTP id S271690AbTHDJjV (ORCPT ); Mon, 4 Aug 2003 05:39:21 -0400 Date: Mon, 4 Aug 2003 11:37:57 +0200 (CEST) From: devik X-X-Sender: To: bert hubert cc: , Subject: Re: [PATCH] Allow /dev/{,k}mem to be disabled to prevent kernel from being modified easily In-Reply-To: <20030803180950.GA11575@outpost.ds9a.nl> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1808 Lines: 37 > After being gloriously rootkitted with a program coded by HTB author Martin > Devera (lots of thanks, devik, your work is appreciated, I suggest you read > up about Oppenheimer when disclaiming that you are 'just a coder'. The item > to google on is: "ethics sweetness hydrogen bomb Oppenheimer"), I wrote Hi, I feel I should react to this publicaly - however all replies should be send to me privately as it is off-topic. SucKIT is NOT written by me - I have no time to do such things. One time I've been rootkited by older suckit. I was able to track the attacker down (because he drunk much beer before doing the attack). I started to chat with him because I wanted to know more about security especially to be able to safe my servers. Disabling /dev/{,k}mem was part of it. At this time he asked me what I think about possibility to change syscall table with no previous knowledge. I replied with test code which is able to locate syscall table and kmalloc routine address using some statistics on /dev/kmem. We made article for Phrack magazine which discovered the posibility and how to defend itself. It was end of the story for me. Later I find that some other crackers are using/distribute better SucKIT and that my name is often displayed on start of rootkited system. I want to say that I'm not affiliated with SucKIT nor with cracking and rootkiting of servers. I'll try to convince mentioned hacker to remove my name from the kit as I'm tired of all the complaints :-( If you feel that I'm source of your problems then I'm sorry for it. devik - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/