[olug] lkm problems

Sean Kelly smkelly at zombie.org
Wed Oct 6 17:01:05 UTC 2004


On Wed, Oct 06, 2004 at 11:53:18AM -0500, Daniel Linder wrote:
> A system I had the pleasure *cough* to clean up after a root kit hack had
> installed its own copies of ps, ls, and find.  When it saw me doing a ls
> of different directories, it automatically removed the ones it was using
> to hide its files.

The cool ones come with kernel modules that hide their existence at the
kernel level, not letting you kill them and hiding various aspects of them.
I've seen example FreeBSD modules for this.

> The way I got around it was to use the "echo *" command ... not pretty
> when trying to view files, but it works. :)

...assuming your shell isn't replaced along with ps, ls, and everything
else. Chances are that it was on a more complex solution.

-- 
Sean Kelly         | PGP KeyID: D2E5E296
smkelly at zombie.org | http://www.zombie.org
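The "echo *" cross-check from the reply, made systematic as an added example that is not from the original thread: the shell's own globbing enumerates a directory without running the system ls, and the result is compared against a listing captured from ls, so entries a replaced ls suppresses stand out. It assumes a POSIX sh with sort and comm; as the reply notes, a kernel module that hides entries at the syscall level fools both methods, so agreement only rules out a userland replacement.

```shell
# Added example, not code from the original post. Assumes POSIX sh, sort, comm.
# A kernel-level rootkit that filters directory reads fools the glob too.

glob_names() {
    # Enumerate $1 with the shell's built-in globbing (no external ls),
    # dotfiles included, one name per line, sorted in the C locale.
    (
        cd "$1" || exit 1
        for f in .[!.]* ..?* *; do
            # an unmatched pattern stays literal; -e/-L skips it
            [ -e "$f" ] || [ -L "$f" ] || continue
            printf '%s\n' "$f"
        done
    ) | LC_ALL=C sort
}

hidden_from_listing() {
    # $1 = directory, $2 = file holding the names a (possibly trojaned) ls
    # reported for it. Prints the names the glob sees but the listing lacks.
    tmp=$(mktemp) || return 1
    glob_names "$1" > "$tmp"
    LC_ALL=C sort "$2" | comm -23 "$tmp" -
    rm -f "$tmp"
}

demo() {
    # Constructed sample: three entries in a scratch directory and a captured
    # ls listing that omits the dot-named one, as a replaced ls would.
    d=$(mktemp -d) || return 1
    : > "$d/.bash_history"
    : > "$d/notes.txt"
    mkdir "$d/..."                      # rootkit-style name made of dots
    printf '.bash_history\nnotes.txt\n' > "$d.ls"
    hidden_from_listing "$d" "$d.ls"    # prints: ...
    rm -rf "$d" "$d.ls"
}
```

Run it against a real directory with `ls -A1 /some/dir > listing.txt; hidden_from_listing /some/dir listing.txt`; any name printed was visible to the shell but not to ls.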