Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Mantrap By Recourse Technologies - Fate Advisory (11-01-00)
From: "Svartholm Warg, Gottfrid" <wilson () F8LABS COM>
Date: Sat, 4 Nov 2000 09:48:30 -0800

The advisory wasn't about detecting LKMs :-), but it's still an
interesting matter.
As I explained in the advisory, the proc()-vs-kill hack compares the
kernel's process table against /proc, and prints any abnormalities.
This CAN be used to detect LKMs, as long as they don't hook/spoof kill(),
and as long as there is any hidden processes. I don't know if ADORE does
this, Knark does not (at least in the version I've checked). Try hiding
some processes via the module (I do not know how this is done via
ADORE) and running it again.
What rkscan does is that it bruteforces the modules' magic words/numbers
used to check for activation, get root etc, so of course it does not
detect ManTrap...

//wilson


  By Date           By Thread  

Current thread:
  • Re: Mantrap By Recourse Technologies - Fate Advisory (11-01-00) Svartholm Warg, Gottfrid (Nov 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault