On Sat, May 2, 2009 at 9:30 AM, fooler mail <[email protected]> wrote:
> On Thu, Apr 30, 2009 at 1:37 PM, Holden Hao <[email protected]> wrote:
>> Can you try if "rpm -V coreutils" returns anything? I am interested to know
>> if the hacker was clever enough to alter the md5sums of the RPM database.
>
> hi holden,
>
> kernel based rootkit (e.g. LKM rootkit) is much stronger and stealthy
> compared to application based rootkit... unlike with application based
> rootkit where the code is inserted in the application... they moved and
> inserted the code into the kernel land... thus much stronger and
> stealthy...

So the application mkdir in the system is the real one but it is not the one that is being executed but a "function" called from the kernel itself? So the hacker installed his own kernel. It is a sophisticated hack. A thorough security audit is a must.

> aside from application, kernel, library, firmware, and other
> rootkits... there is a recently found bios rootkit (part of firmware
> rootkit) which can survive even if you reinstall or reformat your
> compromised server...
>
> http://www.theregister.co.uk/2009/03/24/persistent_bios_rootkits/

Very interesting and scary!

Holden
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
http://lists.linux.org.ph/mailman/listinfo/plug
Searchable Archives: http://archives.free.net.ph
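The point made in the thread (the on-disk binary is genuine, the kernel underneath it is what lies) is why a file-level check such as `rpm -V` cannot catch an LKM rootkit. The following is an added example, not code from this thread or from PLUG: a cross-view check in Python that asks the kernel the same question through two different paths, readdir() on /proc versus a direct stat() of each /proc/<pid> by name, and reports PIDs that only one view returns. It assumes a standard Linux /proc layout (including /proc/sys/kernel/pid_max) and takes listings before and after the probe so processes that start or exit mid-scan are not reported.

```python
import os

PROC = "/proc"  # assumed standard Linux location; a different mount can be passed in


def listed_pids(proc=PROC):
    """PIDs the kernel reports through readdir() on /proc (what ps and ls see)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def present_by_name(pid, proc=PROC):
    """True if /proc/<pid> answers a direct stat(), which does not go through readdir()."""
    try:
        os.stat(os.path.join(proc, str(pid)))
        return True
    except FileNotFoundError:
        return False
    except PermissionError:
        return True  # the entry exists, we just may not read it


def probed_pids(max_pid, proc=PROC):
    """PIDs found by probing every /proc/<pid> by name instead of listing the directory."""
    return {pid for pid in range(1, max_pid + 1) if present_by_name(pid, proc)}


def hidden_pids(listed_before, probed, listed_after):
    """PIDs reachable by name but absent from BOTH directory listings.

    A process that started during the probe appears in listed_after, and one
    that exited during it appears in listed_before, so neither is flagged.
    """
    return sorted((probed - listed_before) - listed_after)


def cross_view_scan(proc=PROC, max_pid=None):
    """Compare the two kernel views and return PIDs only the by-name view shows."""
    if max_pid is None:
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as fh:
            max_pid = int(fh.read())
    before = listed_pids(proc)
    probed = probed_pids(max_pid, proc)
    after = listed_pids(proc)
    suspects = hidden_pids(before, probed, after)
    # A process that both started and exited between the two listings would
    # still slip through, so re-confirm each suspect is still there by name.
    return [pid for pid in suspects if present_by_name(pid, proc)]


if __name__ == "__main__":
    found = cross_view_scan()
    print("PIDs hidden from readdir():", found if found else "none")
```

Probing the full pid_max range (often 4194304 on current kernels) takes a while; pass a smaller `max_pid` for a quick look. An empty result only says the two paths agree, not that the kernel is clean, since a rootkit can filter both.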

