Re: [PATCH] Allow /dev/{,k}mem to be disabled to prevent kernel from being modified easily

From: devik (devik_at_cdi.cz)
Date: 08/04/03

Next message: Andries.Brouwer_at_cwi.nl: "Re: do_div considered harmful"

Previous message: Gianni Tedesco: "Re: [Q] Question about memory access"
In reply to: bert hubert: "[PATCH] Allow /dev/{,k}mem to be disabled to prevent kernel from being modified easily"
Next in thread: bert hubert: "Re: [PATCH] Allow /dev/{,k}mem to be disabled to prevent kernel from being modified easily"
Reply: bert hubert: "Re: [PATCH] Allow /dev/{,k}mem to be disabled to prevent kernel from being modified easily"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date:	Mon, 4 Aug 2003 11:37:57 +0200 (CEST)
To: bert hubert <ahu@ds9a.nl>

> After being gloriously rootkitted with a program coded by HTB author Martin
> Devera (lots of thanks, devik, your work is appreciated, I suggest you read
> up about Oppenheimer when disclaiming that you are 'just a coder'. The item
> to google on is: "ethics sweetness hydrogen bomb Oppenheimer"), I wrote

Hi,

I feel I should react to this publicaly - however all replies should
be send to me privately as it is off-topic.
SucKIT is NOT written by me - I have no time to do such things. One
time I've been rootkited by older suckit. I was able to track the attacker
down (because he drunk much beer before doing the attack).
I started to chat with him because I wanted to know more about security
especially to be able to safe my servers.
Disabling /dev/{,k}mem was part of it. At this time he asked me what I
think about possibility to change syscall table with no previous
knowledge. I replied with test code which is able to locate syscall table
and kmalloc routine address using some statistics on /dev/kmem.
We made article for Phrack magazine which discovered the posibility
and how to defend itself. It was end of the story for me.
Later I find that some other crackers are using/distribute better
SucKIT and that my name is often displayed on start of rootkited system.

I want to say that I'm not affiliated with SucKIT nor with cracking
and rootkiting of servers. I'll try to convince mentioned hacker
to remove my name from the kit as I'm tired of all the complaints :-(

If you feel that I'm source of your problems then I'm sorry for it.

devik

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andries.Brouwer_at_cwi.nl: "Re: do_div considered harmful"

Previous message: Gianni Tedesco: "Re: [Q] Question about memory access"
In reply to: bert hubert: "[PATCH] Allow /dev/{,k}mem to be disabled to prevent kernel from being modified easily"
Next in thread: bert hubert: "Re: [PATCH] Allow /dev/{,k}mem to be disabled to prevent kernel from being modified easily"
Reply: bert hubert: "Re: [PATCH] Allow /dev/{,k}mem to be disabled to prevent kernel from being modified easily"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]