LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 11-29-2005, 05:24 PM   #1
shubb
Member
 
Registered: Oct 2003
Location: San Francisco
Distribution: Slackware 13.37
Posts: 150

Rep: Reputation: 16
Preventing kernel module (rootkits) from loading


I recently found out that my linux box was hacked, and the suckit rootkit was installed. In my research about suckit, I found a page that had a suggestion as a short term fix:
Quote:
add the following line to /etc/rc.d/rc.local

sysctl -w kernel.modprobe=/rubbish

This prevents kernel modules loading and hence stops the LKM (Linux Kernel Module) type rootkits from getting loaded.
My question is, what is the effect that this does on the linux box?
Is this a recommended thing to do?
Is this something that a hacker can undo once they are in the server?
 
Old 11-29-2005, 06:26 PM   #2
jailbait
Guru
 
Registered: Feb 2003
Location: Blue Ridge Mountain
Distribution: Debian Wheezy, Debian Jessie
Posts: 7,502

Rep: Reputation: 162Reputation: 162
" In my research about suckit, I found a page that had a suggestion as a short term fix:"

Could you post a link to the page where you found the information about suckit?

------------------------------
Steve Stites
 
Old 11-29-2005, 07:25 PM   #3
shubb
Member
 
Registered: Oct 2003
Location: San Francisco
Distribution: Slackware 13.37
Posts: 150

Original Poster
Rep: Reputation: 16
Here's the html version of the powerpoint show.

http://66.102.7.104/search?q=cache:6...dentReport.ppt
 
Old 11-29-2005, 07:30 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
You could likely bypass that by manually changing the sysctl setting in /proc. There are better ways to prevent modules from being loaded, including compiling all your modules into the kernel and then disabling dynamic loading of modules. Of course that requires a kernel recompilation and knowing what modules you'll need ahead of time. There are also a number of tools like carbonite that are usefull in defeating obfuscation with lkms.

That being said, suckit isn't an lkm rootkit. It works by writing to /dev/kmem. See the article "Linux on-the-fly kernel patching without LKM" in Phrack issue 58.
 
Old 11-29-2005, 07:36 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally posted by shubb
Here's the html version of the powerpoint show.
They should stick to doing particle physics

If your system was hacked, I hope that you've done a format and re-installed the system from scratch. Technically you can remove suckit, however you don't know what else has been done to your system and the only way you can trust the system and be sure it's reasonably free of other backdoors, trojans, and viruses is to do a full re-install from trusted media
 
Old 12-01-2005, 07:44 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54

Rep: Reputation: 2785Reputation: 2785Reputation: 2785Reputation: 2785Reputation: 2785Reputation: 2785Reputation: 2785Reputation: 2785Reputation: 2785Reputation: 2785Reputation: 2785
My question is, what is the effect that this does on the linux box?
The effect is that any and all tools that will *only* look for a path using this /proc entry will not find the binary. If /sbin is in the path they'll find it. Else they could piggy-back their module onto another one. Else they could introduce a custom modutils package.


Is this a recommended thing to do?
No, because of the above. If you take away the CAP_SYS_MODULE capability not even the root account user will be able to load modules. Look for 'lcap' (system-wide) or the GRSecurity kernel patch (more granular control over a cornucopia of things). I don't know if taking away capabilities is in the LSM framework.


Is this something that a hacker can undo once they are in the server?
Only if they're able to elevate their privileges to a point where they can do something useful.


That being said, suckit isn't an lkm rootkit. It works by writing to /dev/kmem.
Again the GRSecurity kernel patch will help by denying writing to /dev/kmem. Note this might break some applications on Desktops though.


do a full re-install from trusted media
I second that, and if you didn't disconnect the box from the 'net I would urge you to do so now. Before you re-install, have a quick look at possible means of entry (services *and* user accounts) and save your authentication databases and logfiles for later perusal. After you've re-installed please make sure you choose different passwords for all accounts and harden the box before you put it back on the 'net. Please check out the LQ FAQ: Security references for that.
 
Old 12-01-2005, 09:46 PM   #7
shubb
Member
 
Registered: Oct 2003
Location: San Francisco
Distribution: Slackware 13.37
Posts: 150

Original Poster
Rep: Reputation: 16
Yes, I re-installed the OS onto a new hard drive (kept the old one for data recovery and research into the rootkit.)

Another question. While I was in the box after finding out it was compromised, I saw that my server was talking to an IP address in Austria (I'm guessing the hacker). It was just periodic packets (a couple a second) on a high up port numbers using tcp. It wasnt fast enough to be an ssh or telnet session, maybe just hello packets letting the server know it was still online. My question is, would you recommend trying to contact the ISP to tell them about the hacking of my server? Would they even try to do anything? Do they care that their people are hacking?
 
Old 12-06-2005, 07:48 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54

Rep: Reputation: 2785Reputation: 2785Reputation: 2785Reputation: 2785Reputation: 2785Reputation: 2785Reputation: 2785Reputation: 2785Reputation: 2785Reputation: 2785Reputation: 2785
My question is, would you recommend trying to contact the ISP to tell them about the hacking of my server? Would they even try to do anything? Do they care that their people are hacking?
As a formality: yes, but don't expect anything. In any case the box could be just an intermediate.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Preventing Module cdc_acm From Loading fortezza Linux - Newbie 1 07-10-2005 02:09 AM
How do i stop a kernel module loading? The_JinJ Linux - Newbie 1 03-13-2005 03:33 PM
Kernel module not loading at boot tweak1313 Fedora 2 12-04-2004 04:17 PM
Kernel module loading problem Suren Linux - Hardware 5 08-03-2004 06:29 AM
kernel 2.5.65 and module loading m0rl0ck Linux - Software 4 03-21-2003 01:18 AM


All times are GMT -5. The time now is 03:55 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration