Thread: kernel modules that hide tracks

  1. #1

    kernel modules that hide tracks

    I am looking for very specialized Linux kernel modules that hide tracks, such as ones that make a root-equivalent user that does not show up in /etc/passwd, /etc/shadow, /etc/groups; another one that hides directories with things such as 4 .s before the name; and one that would have the ability to hide itself and other modules from lsmod.
    Thanks for any help.

  2. #2
    Member
    Join Date
    Aug 2002
    Posts
    57
    Behold the ultimate backdoor!

    That WAS a joke.

    1. If such a module existed, wouldn't it have to be visible to other users and modules? Would it not be easier to compile in the support instead of using modules? Then there would be no .o files visible, and this would also mean that the support couldn't easily be removed. But then again, anyone could easily bypass this module / kernel support anyway.

    2. One way to prevent things appearing in the config files would be to "manipulate" the source code.

    3. Four .'s still wouldn't hide a directory; an experienced person would notice the difference.

    I can't think of a module or patch that would do all your requirements. I assume you've already tried to google for the information, and one last thing: why would you want the module anyway?

  3. #3
    Well, I want them to fool around with the Linux system. I found a module that has the ability to hide other modules, but they are for very specific kernel releases. http://www.hackblaze.org/ has them under the tools section.

    My coding skills are very limited, so manipulating source code is out of the question for me.

    If I have a directory called .....toolz and I have a kernel module hiding it, it would take a _lot_ of guesswork to find it.

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    There exist plenty of rootkits which do all these things.

    Basically what they do is:

    - Hook system calls to:
    1. Prevent the rootkit itself being detected (hiding its .o file, removing itself from lsmod)
    2. Hide named files and/or directories
    3. "Cloak" specific files, making it appear that they have different contents than what they really have. (Typically works by opening an alternative, hidden file).
    For instance, passwd and shadow could show an alternative hidden version when opened by any process other than (for example) login or sshd, but show the true contents when opened with those programs. Thus a user could be created which would be invisible to most tools but still able to log in (such a modification would leave the system rather confused and unreliable, as "passwd" and "useradd" etc. would no longer work properly).

    As far as I'm aware, the kernel authors are looking at options to make it harder to write such rootkits, such as not exporting the address of the system call table from the kernel.

    These changes may happen in 2.6.

    However, the guys at Phrack seem to keep finding new ways of hooking kernel stuff (for instance modifying the start of a routine instead of the system call pointer).

    Slarty

  5. #5
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    Yup, slarty is right..

    There's also a name for these: LKM trojans (loadable kernel module).

    You can check for these with chkrootkit.
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !
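Slarty's post describes the hiding as lying to one interface (the readdir results, the module list, the contents of a file) while the rest of the kernel still holds the truth, and the_JinX points to chkrootkit for checking. The following is an added example, not from the thread or from chkrootkit, of the cross-view idea such checkers rely on: compare two views of the same fact and report disagreements. The module and directory names in the sample data are constructed placeholders, and the link-count rule assumes an ext-style filesystem.

```python
import os
import re

# Constructed sample data (not from a real host): what lsmod reads vs. what sysfs exposes.
SAMPLE_PROC_MODULES = """\
ext4 737280 2 - Live 0x0000000000000000
nf_conntrack 172032 1 - Live 0x0000000000000000
"""
SAMPLE_SYS_MODULES = ["ext4", "nf_conntrack", "hidden_example"]  # "hidden_example" is a placeholder


def hidden_modules(proc_modules_text, sysfs_module_names):
    """Names present under /sys/module but absent from /proc/modules (what lsmod shows).

    A module that unlinks itself from the kernel's module list typically still has its
    /sys/module/<name> directory. Built-in modules with parameters also appear in sysfs,
    so on a live host filter the result against modules.builtin before treating it as a hit.
    """
    listed = {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}
    return sorted(name for name in sysfs_module_names if name not in listed)


def directory_nlink_gap(nlink, visible_subdirs):
    """Estimate how many subdirectories a readdir listing fails to show.

    On ext-style filesystems a directory's link count is 2 + (number of subdirectories),
    because every child's '..' entry links back to it. A hooked getdents() can drop entries
    from the listing but does not change that count. 0 means consistent; a positive value
    is the number of unaccounted-for subdirectories; negative means the filesystem does not
    follow the convention (btrfs, for example, reports 1 for directories).
    """
    return nlink - (2 + visible_subdirs)


def suspicious_names(entries, pattern=r"^\.{2,}\S"):
    """Entries that begin with several dots, which are easy to overlook in ls output."""
    rx = re.compile(pattern)
    return sorted(e for e in entries if rx.match(e))


def check_directory(path):
    """Live check: link count vs. visible subdirectories, plus odd names, for one directory."""
    visible = [e.name for e in os.scandir(path) if e.is_dir(follow_symlinks=False)]
    gap = directory_nlink_gap(os.stat(path).st_nlink, len(visible))
    return {"nlink_gap": gap, "odd_names": suspicious_names(os.listdir(path))}


if __name__ == "__main__":
    print("in sysfs but not in /proc/modules:", hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULES))
    print(check_directory("/tmp"))
```

A single disagreement is a lead, not a verdict: unionfs-style mounts and filesystems with unconventional link counts produce gaps too, so confirm from a trusted boot or offline image.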

  6. #6
    Yeah, I'll look into these LKM trojans and rootkits. Gonna do a bit more research. It's funny how for every hacker tactic there is an anti-tactic, and a hacker anti-tactic to that.
