Is there a good reason why insmod should not call syslog() to log
any module that gets installed ? I know things like bttv get very verbose
in the module itself, and I tried patching insmod to log the first
argument and it seemed to work for me.
I was looking at the knark LKM rootkit and wondering how to detect this
beast. Typically it seemss one does "insmod knark.o" then maybe "insmod
modhide.o" to prevent it showing in /proc/modules (seems to remove the
last loaded module from a linked list if I read it aright). Adding a
syslog call to the insmod binary might get this logged on a remote host
with a bit of luck.
On a more esoteric note, how would one detect that this kind of module
has been installed (modhide) ? I presume one could dive into /dev/mem or
load another module to go look, but I've no idea where to start.
-- Andrew Daviel, TRIUMF, Canada Tel. +1 (604) 222-7376 security@triumf.ca- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sat Apr 07 2001 - 21:00:17 EST