[sf-lug] Hacked RHEL4/PHP4 server

Rick Moen rick at linuxmafia.com
Thu May 22 10:47:22 PDT 2008

Quoting Kristian Erik Hermansen (kristian.hermansen at gmail.com):

> Just realize that even if the system utilities don't appear to be
> trojaned, an attacker could have loaded a malicious kernel module
> which has patched the syscall table and is filtering all requests your
> binaries make...

Yes, of course.  There are standard rootkits that do that.  That's why the
only truly sound way to examine a suspect system is to boot different,
trusted media and mount the system's filesystems without running its
code -- but good luck doing that on a virthost.
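
An added example, not part of the original thread: a cross-view comparison in Python that puts the point above into practice by diffing a file manifest captured on the running host against one built from the same filesystem mounted read-only under trusted boot media. The function names and the sample manifests are assumptions constructed for illustration.

```python
import hashlib
import os

def build_manifest(root):
    """Map each regular file under root (relative path) to its SHA-256.

    Run once on the live host and once against the same filesystem mounted
    read-only from trusted boot media; nothing from the tree is executed.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, devices, sockets, FIFOs
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(path, root)] = digest.hexdigest()
    return manifest

def cross_view_diff(live, offline):
    """Compare the live system's view with the trusted offline view."""
    return {
        # On disk but never reported by the running kernel: hidden entries.
        "hidden_from_live": sorted(set(offline) - set(live)),
        # Same path, different bytes: live reads were redirected or altered.
        "content_mismatch": sorted(
            p for p in set(live) & set(offline) if live[p] != offline[p]),
        # Seen live only: changed after the live capture, or not on this fs.
        "live_only": sorted(set(live) - set(offline)),
    }

# Constructed sample manifests (shortened fake digests, not real data).
LIVE_VIEW = {"bin/ls": "aa11", "bin/ps": "bb22", "etc/passwd": "cc33"}
OFFLINE_VIEW = {"bin/ls": "aa11", "bin/ps": "ff99", "etc/passwd": "cc33",
                "lib/modules/hidden.ko": "dd44"}

if __name__ == "__main__":
    for kind, paths in cross_view_diff(LIVE_VIEW, OFFLINE_VIEW).items():
        print(kind, paths)
```

Only the offline manifest can be trusted; the live one is useful solely as the thing being compared against it.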
