[Shorewall-users] Re: [leaf-user] SucKIT root-kit

Joey Officer jofficer at wi.rr.com
Tue Dec 2 19:57:09 PST 2003


At face value, and without (intending to) sounding like a moron, Shorewall
can block anything you tell it not to explicitly allow.  Isn't that the
default way it's currently being used?

respectfully,

joey

----- Original Message ----- 
From: "Mike Noyes" <mhnoyes at users.sourceforge.net>
To: "Shorewall Users" <shorewall-users at lists.shorewall.net>
Cc: "leaf-user" <leaf-user at lists.sourceforge.net>
Sent: Tuesday, December 02, 2003 10:38 AM
Subject: [leaf-user] SucKIT root-kit


> Tom,
> Is Shorewall capable of blocking/logging/detecting the spoofed packet
> SucKIT uses?
>
>
> http://lists.debian.org/debian-announce/debian-announce-2003/msg00003.html
>     SucKIT is a root-kit presented in Phrack issue 58, article 0x07
>     ("Linux on-the-fly kernel patching without LKM", by sd & devik).
>     This is a fully working root-kit that is loaded through /dev/kmem,
>     i.e. it does not need a kernel with support for loadable kernel
>     modules.  It provides a password protected remote access
>     connect-back shell initiated by a spoofed packet (bypassing most
>     firewall configurations), and can hide processes, files and
>     connections.
>
> -- 
> Mike Noyes <mhnoyes at users.sourceforge.net>
> http://sourceforge.net/users/mhnoyes/
> SF.net Projects: ffl, leaf, phpwebsite, phpwebsite-comm, sitedocs


