On Mon, 26 Jul 2004 23:38, [EMAIL PROTECTED] wrote:
> > > I have a machine that has been the unfortunate victim of SuckIT
> > > r00tkit. As this exploit relies on writing to /dev/kmem, I was thinking
> > > of making /dev/mem and /dev/kmem unwriteable. I have heard this breaks
> > > X and some gdb functions, but does anyone know any other specific
> > > problems this might have?
> >
> > Some boot loaders need to access /dev/mem or /dev/kmem for getting BIOS
> > data. Once your machine is in a bootable state you should not need
> > /dev/k?mem for that.
>
> but isn't that just read-only?

Yes. But if you can read /dev/mem then you can probably find a copy of
/etc/shadow and other useful stuff in there...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
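
Added example, not part of the original thread: a small audit of the permission bits on /dev/mem and /dev/kmem that reports both concerns raised above, write access and read access by anyone other than the owner. The function names and the wording of the findings are assumptions made for this illustration.

```python
import os
import stat

# Device nodes discussed in the thread.
DEVICES = ("/dev/mem", "/dev/kmem")


def audit_mode(path, st_mode, st_uid=0):
    """Return findings for one device node, given its stat mode and owner uid."""
    if not stat.S_ISCHR(st_mode):
        return [f"{path}: not a character device, skipped"]
    findings = []
    perms = stat.S_IMODE(st_mode)
    # Any write bit allows memory to be modified through the node.
    if perms & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: write bit set (mode {perms:04o})")
    # Read access beyond the owner exposes whatever is held in memory.
    if perms & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: readable by non-owner (mode {perms:04o})")
    if st_uid != 0:
        findings.append(f"{path}: owned by uid {st_uid}, expected root")
    return findings


def audit_devices(paths=DEVICES):
    """Stat each device node and collect findings per path."""
    results = {}
    for path in paths:
        try:
            st = os.stat(path)
        except OSError as exc:
            results[path] = [f"{path}: {exc.strerror}"]
            continue
        results[path] = audit_mode(path, st.st_mode, st.st_uid)
    return results


if __name__ == "__main__":
    for path, findings in audit_devices().items():
        for line in findings or [f"{path}: no write bits, no non-owner read"]:
            print(line)
```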

