Hi, On Tue, Aug 30, 2011 at 11:53:12AM +0200, Clément Lecigne wrote: > > What do you want? It's just a basic rootkit that hooks some specific > entries inside the sysent table. It can be detected by checking if a > device /dev/turtle2dev exists or by sending an ICMP echo request with > a payload starting with a double '_' and if rootkit is loaded no reply > will be returned. > > [root@clem1 ~/koda/Turtle2/module]# hping -c 1 -n 127.0.0.1 -e "__foo" -1 > HPING 127.0.0.1 (lo0 127.0.0.1): icmp mode set, 28 headers + 5 data bytes > [main] memlockall(): No such file or directory > Warning: can't disable memory paging! > > --- 127.0.0.1 hping statistic --- > 1 packets tramitted, 0 packets received, 100% packet loss > > These tricks can be implemented inside rkhunter or/and chkrootkit. >
It's implemented since rkhunter 1.4.0 [1], and now security/rkhunter port
version [2]
is able to detect it during the check scan:
% sudo rkhunter --version | head -1
Rootkit Hunter 1.4.0
% sudo rkhunter --list rootkits | grep -i turtle2
trNkit, Trojanit Kit, Turtle2, Tuxtendo, URK, Vampire,
% sudo rkhunter --check --sk
...
Turtle Rootkit [ Not found ]
Btw, the best way to avoid such rootkit is to use sysctl kern.securelevel in
order to avoid untrusted kernel modules loading at runtime (but can be bypassed
at
boot time...)
Regards
[1]
http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/CHANGELOG?revision=1.226&view=markup
[2] http://docs.freebsd.org/cgi/getmsg.cgi?fetch=471258+0+current/cvs-all
--
Sofian Brabez
pgpSxe8rZgi5r.pgp
Description: PGP signature
