On Wednesday 26 February 2003 15:36, Kai Lien wrote:
> What tools are available to find out these hidden processes?
Let me quickly address this question as well...
A loadable kernel module (LKM) allows the attacker to run around in kernel
space and lie however it sees fit to user space programs. Quite simply, they
own your box - it is generally impossible to "see" the hidden programs
because they are truly hidden (no user space commands will let you see them
- even the /proc filesystem is probably lying to you).
Seriously, don't trust the box. Boot off of known good clean media (i.e. a CDROM
or rescue disk), mount the root partition, and *then* look for the loadable
kernel module in your boot sequence.
-- 
- Ian C. Blenke <icblenke@nks.net>
(This message bound by the following: http://www.nks.net/email_disclaimer.html)
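The search described in the message above, as an added example that is not part of the original post: run from the rescue environment, it lists every insmod/modprobe call in the boot files of the mounted root and flags insmod calls given a path outside /lib/modules. The mount point argument and the SysV-style list of boot files are assumptions, not details from the message.

```shell
#!/bin/sh
# Added example. Run from known-good rescue media, never from the suspect system.
# Assumption: the suspect root is already mounted (ideally read-only),
# e.g. at /mnt/suspect, and uses SysV-style init files as listed below.
BOOT_FILES="etc/inittab etc/rc.local etc/modules.conf"
BOOT_DIRS="etc/rc.d etc/init.d etc/rc.boot"

# Matches insmod/modprobe as a command word, including /sbin/insmod.
LOAD_RE='(^|[^[:alnum:]_])(insmod|modprobe)[[:space:]]'

# Print "file:line:text" for each module-loading command found in boot files.
list_module_loads() {
    root=$1
    {
        for f in $BOOT_FILES; do
            if [ -f "$root/$f" ]; then
                grep -nHE "$LOAD_RE" "$root/$f" || true
            fi
        done
        for d in $BOOT_DIRS; do
            if [ -d "$root/$d" ]; then
                grep -rnHE "$LOAD_RE" "$root/$d" || true
            fi
        done
    } | sort -u   # rc.local and init.d are often symlinks into rc.d
}

# Keep only insmod calls given an absolute path that is not under /lib/modules.
# Stock boot scripts normally load modules by name or from /lib/modules.
flag_odd_paths() {
    opt='(-[^[:space:]]+[[:space:]]+)*'
    list_module_loads "$1" |
        grep -E "insmod[[:space:]]+${opt}/" |
        grep -vE "insmod[[:space:]]+${opt}/lib/modules/" || true
}

# Report both lists when a mount point is given on the command line.
if [ -n "${1:-}" ]; then
    echo "== all module loads in boot files =="
    list_module_loads "$1"
    echo "== insmod with a path outside /lib/modules =="
    flag_odd_paths "$1"
fi
```

An empty result only means no explicit load was found in these files; compare the boot scripts against the distribution's originals before drawing conclusions.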
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:52:27 EDT