September 26th, 2003, 02:53 AM
kernel modules that hide tracks
I am looking for very specialized Linux kernel modules that hide tracks. Such as ones that make a root equivalent user that does not show up in /etc/passwd, /etc/shadow, /etc/groups. Another one that hides directories with things such as 4 .s before it. Also one that would have the ability to hide itself and other modules from lsmod.
Thanks for any help.
September 26th, 2003, 03:18 AM
Behold the ultimate backdoor!
That WAS a joke.
1. If such a module existed it would have to be visible to other users and modules? Would it not be easier to compile in the support instead of modules? Then there would be no .o files visible; this would also mean that the support couldn't easily be removed. But then again anyone could easily bypass this module / kernel support anyway.
2. One way to prevent things appearing in the config files would be to "manipulate" the source code.
3. Four .'s still wouldn't hide a directory; an experienced person would notice the difference.
I can't think of a module or patch that would do all your requirements. I assume you've already tried to google for the information, and one last thing: why would you want the module anyway?
September 26th, 2003, 04:17 AM
Well, I want them to fool around with the Linux system.... I found a module that has the ability to hide other modules.... but they are for very specific kernel releases. http://www.hackblaze.org/ has them under the tools section.
My coding skills are very limited, so manipulating source code is out of the question for me.
If I have a directory called .....toolz and I have a kernel module hiding it, it would take a _lot_ of guess work to find it.
September 26th, 2003, 10:51 AM
There exist plenty of rootkits which do all these things.
Basically what they do is:
- Hook system calls to:
1. Prevent the rootkit itself being detected (hiding its .o file, removing itself from lsmod)
2. Hide named files and/or directories
3. "Cloak" specific files, making it appear that they have different contents than what they really have. (Typically works by opening an alternative, hidden file).
For instance, passwd and shadow could show an alternative hidden version when opened by any process other than (for example) login or sshd, but show the true contents when opened with those programs. Thus a user could be created which would be invisible to most tools but still able to log in (such a modification would leave the system rather confused and unreliable, as "passwd" and "useradd" etc. would no longer work properly).
As far as I'm aware, the kernel authors are looking at options to make it harder to write such rootkits, such as not exporting the address of the system call table from the kernel.
These changes may happen in 2.6.
However the guys at Phrack seem to keep finding new ways of hooking kernel stuff (for instance modifying the start of a routine instead of the system call pointer).
September 26th, 2003, 01:10 PM
Yup, slarty is right..
There's also a name for these: LKM trojans (loadable kernel module).
You can check for these with chkrootkit.
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio
the best station for C64 Remixes !
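Two of the detection checks a chkrootkit-style tool runs against the hiding tricks slarty describes (directory entries filtered out of listings, a module unlinked from the lsmod view), written here as an added example from the defender's side; this is not code from the thread, from hackblaze or from chkrootkit, and the module-list inputs it takes are assumed to come from /proc/modules and the /sys/module entries that carry an initstate file.

```python
"""Consistency checks for two classic LKM-rootkit hiding tricks."""
import os
import tempfile


def expected_subdir_count(path):
    """On ext2/3/4-style filesystems a directory's link count is
    2 + number of subdirectories (each child's '..' adds a link).
    A hook that filters getdents() output cannot alter st_nlink, so a
    mismatch points at a hidden subdirectory. Returns None where the
    filesystem does not keep this invariant (btrfs reports nlink == 1)."""
    nlink = os.stat(path).st_nlink
    if nlink < 2:
        return None
    return nlink - 2


def hidden_subdir_count(path):
    """Subdirectories the link count implies but the listing omits.
    0 means consistent; None means the check does not apply here."""
    expected = expected_subdir_count(path)
    if expected is None:
        return None
    visible = 0
    with os.scandir(path) as entries:
        for entry in entries:
            if entry.is_dir(follow_symlinks=False):
                visible += 1
    return max(expected - visible, 0)


def modules_missing_from_proc(proc_modules_text, sys_module_names):
    """Cross-check lsmod's source (/proc/modules, one module per line,
    name first) against /sys/module. A module that unlinks itself from
    the kernel's module list vanishes from /proc/modules but its
    /sys/module/<name> directory stays. Pass only /sys/module entries
    that have an 'initstate' file: built-in modules lack it and would
    otherwise be false positives."""
    listed = {line.split()[0]
              for line in proc_modules_text.splitlines() if line.strip()}
    return sorted(set(sys_module_names) - listed)


def self_check_on_temp_tree():
    """Constructed sanity case: a fresh tree with three visible
    subdirectories and one file must report 0 hidden (or None)."""
    with tempfile.TemporaryDirectory() as base:
        for name in ("a", "b", "c"):
            os.mkdir(os.path.join(base, name))
        open(os.path.join(base, "notes.txt"), "w").close()
        return hidden_subdir_count(base)
```

A directory the rootkit hides still counts towards its parent's link count, which is why this check survives a filtered listing; a module that also removes its sysfs entry defeats the second check, so treat both as hints to be confirmed from a clean boot medium.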
September 26th, 2003, 03:29 PM
Yeah, I'll look into these LKM trojans and rootkits. Gonna do a bit more research. It's funny how for every hacker tactic there is an anti-tactic, and a hacker anti-tactic to that.