On Thu, Apr 30, 2009 at 1:37 PM, Holden Hao <[email protected]> wrote:
> Can you try if "rpm -V coreutils" returns anything? I am interested to know
> if the hacker was clever enough to alter the md5sums of the RPM database.
hi holden,

Kernel-based rootkits (e.g. LKM rootkits) are much stronger and stealthier compared to application-based rootkits... unlike application-based rootkits, where the code is inserted into the application, they moved and inserted the code into kernel land... thus much stronger and stealthier... the one we saw with Cupid's problem is an LKM rootkit where it overrides the system calls of the kernel (based on the strace output that we saw)...

LKMs are used for:
1. device drivers
2. filesystem drivers
3. system calls
4. network drivers
5. tty line disciplines
6. executable interpreters

It uses number 3 to attach its code...

Aside from application, kernel, library, firmware, and other rootkits... a BIOS rootkit (a kind of firmware rootkit) was recently found which can survive even if you reinstall or reformat your compromised server...
http://www.theregister.co.uk/2009/03/24/persistent_bios_rootkits/

Therefore... expect more powerful, hybrid rootkits to come, with a combination of those rootkits that I mentioned...

fooler.

+ There is no such thing as a 100% bulletproof security system... only layers of defense... always be prepared for when the time comes...

_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
http://lists.linux.org.ph/mailman/listinfo/plug
Searchable Archives: http://archives.free.net.ph
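The `rpm -V coreutils` check Holden suggests prints one line per file whose recorded attributes no longer match the RPM database (silence means everything verified). The following is an added example, not code from the thread: a small Python parser for that output that separates the high-signal lines (a changed digest on a non-config binary, or a missing file) from the routine noise (an edited config file, a touched mtime). It assumes the classic verify format, an 8- or 9-character attribute field (`S M 5 D L U G T`, plus `P` on newer rpm), an optional file-type marker (`c`, `d`, `g`, `l`, `r`) and the path, with wholly absent files reported as `missing`; the sample output is constructed. It also carries fooler's caveat in practice: an LKM rootkit that hooks system calls can feed `rpm -V` (and this parser) the original file contents, so a clean report from on-host tooling is evidence against a userland replacement, not proof that the kernel is clean.

```python
"""Triage the lines printed by `rpm -V <package>`.

Added example, not from the PLUG thread. Assumes the classic rpm verify
output: an 8- or 9-character attribute field (S M 5 D L U G T [P]), an
optional file-type marker (c d g l r), then the path; files that are gone
entirely are reported as "missing". SAMPLE below is constructed.
"""
import re
from dataclasses import dataclass, field

# Meaning of each position in the attribute field. '.' means "matches",
# '?' means "could not be tested" (e.g. permission denied).
ATTR_NAMES = {
    "S": "size",
    "M": "mode",
    "5": "digest",
    "D": "device",
    "L": "readlink",
    "U": "user",
    "G": "group",
    "T": "mtime",
    "P": "capabilities",
}
ATTR_ORDER = "SM5DLUGTP"

LINE_RE = re.compile(
    r"^(?P<attrs>[SM5DLUGTP.?]{8,9}|missing)\s+"
    r"(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S.*)$"
)


@dataclass
class VerifyEntry:
    path: str
    missing: bool = False
    config: bool = False  # 'c' marker: config files change legitimately
    failed: set = field(default_factory=set)
    untested: set = field(default_factory=set)

    def severity(self) -> str:
        """Defender-oriented triage of one verify line."""
        if self.missing:
            return "high"
        # A changed digest on a non-config file means the binary or library
        # on disk is not what the package shipped: the userland-rootkit case.
        if "digest" in self.failed and not self.config:
            return "high"
        if self.failed & {"mode", "user", "group", "capabilities"}:
            return "medium"
        return "low"


def parse_rpm_verify(text: str) -> list[VerifyEntry]:
    """Parse `rpm -V` output into one VerifyEntry per reported file."""
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rpm -V line: {line!r}")
        entry = VerifyEntry(path=m.group("path"), config=(m.group("ftype") == "c"))
        attrs = m.group("attrs")
        if attrs == "missing":
            entry.missing = True
        else:
            # Position i of the field corresponds to letter ATTR_ORDER[i];
            # an 8-character field from older rpm simply lacks the 'P' slot.
            for ch, letter in zip(attrs, ATTR_ORDER):
                if ch == ".":
                    continue
                name = ATTR_NAMES[letter]
                (entry.untested if ch == "?" else entry.failed).add(name)
        entries.append(entry)
    return entries


def triage(text: str) -> dict[str, list[str]]:
    """Group reported paths by severity so the high-signal ones surface first."""
    buckets: dict[str, list[str]] = {"high": [], "medium": [], "low": []}
    for e in parse_rpm_verify(text):
        buckets[e.severity()].append(e.path)
    return buckets


# Constructed sample: what `rpm -V coreutils` might print on a box where
# /bin/ls was replaced, /etc/DIR_COLORS was edited by the admin, a man page
# was deleted and /bin/chmod had its mode changed.
SAMPLE = """\
S.5....T.    /bin/ls
.......T.  c /etc/DIR_COLORS
missing     /usr/share/man/man1/ls.1.gz
.M.......    /bin/chmod
"""

if __name__ == "__main__":
    for sev, paths in triage(SAMPLE).items():
        for p in paths:
            print(f"{sev:6} {p}")
```

Run it against real output with `rpm -V coreutils | python3 this_script.py`-style piping if you adapt `__main__` to read stdin; the point of the severity buckets is that an edited config file with a new mtime is expected, while a digest change on `/bin/ls` is the thing to chase.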

