[sf-lug] Hacked RHEL4/PHP4 server
rick at linuxmafia.com
Thu May 22 10:47:22 PDT 2008
Quoting Kristian Erik Hermansen (kristian.hermansen at gmail.com):
> Just realize that even if the system utilities don't appear to be
> trojaned, an attacker could have loaded a malicious kernel module
> which has patched the syscall table and is filtering all requests your
> binaries make...

Yes, of course. There are standard rootkits that do that. That's why the
only truly sound way to examine a suspect system is to boot different,
trusted media and mount the system's filesystems without running its
code -- but good luck doing that on a virthost.
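
The offline examination described in the reply above, sketched as an added example that is not part of the original message: from trusted rescue media, mount the suspect filesystem with its code inert and compare files against a known-good hash manifest. The device, mount point, manifest file and the function names `mount_suspect` and `verify_tree` are assumptions; the manifest is assumed to have been built beforehand from a trusted copy of the same packages.

```shell
#!/bin/sh
# Added example; run from trusted rescue media, never on the suspect system.
# DEVICE, MOUNTPOINT and MANIFEST are operator-supplied placeholders (assumptions).

# Mount the suspect filesystem with its code inert: ro (no writes),
# noexec (binaries cannot run), nosuid/nodev (setuid bits and device nodes ignored).
mount_suspect() {   # usage: mount_suspect DEVICE MOUNTPOINT
    mkdir -p "$2" && mount -o ro,noexec,nosuid,nodev "$1" "$2"
}

# Check files under ROOT against MANIFEST, a known-good list in sha256sum
# format ("<hash>  <path relative to ROOT>"). Hashing uses the rescue media's
# sha256sum, so nothing from the suspect system is executed.
# Prints one line per finding; returns 0 if every file matches, 1 otherwise.
verify_tree() {     # usage: verify_tree ROOT MANIFEST
    root=$1; manifest=$2; bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        file="$root/$path"
        if [ -L "$file" ]; then
            # An absolute symlink would resolve into the rescue media's own
            # tree and hash a clean file, so report links instead of following.
            echo "SYMLINK $path"; bad=1
        elif [ ! -f "$file" ]; then
            echo "MISSING $path"; bad=1
        else
            got=$(sha256sum < "$file" | cut -d' ' -f1)
            [ "$got" = "$want" ] || { echo "MODIFIED $path"; bad=1; }
        fi
    done < "$manifest"
    return "$bad"
}

# Run only when called as: script DEVICE MOUNTPOINT MANIFEST
if [ "$#" -eq 3 ]; then
    mount_suspect "$1" "$2" && verify_tree "$2" "$3"
fi
```

A manifest only covers the files it lists, so a clean result says nothing about files that were added to the system.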