similar to: Design Decision for KVM based anti rootkit


2018 Jun 18
0
Design Decision for KVM based anti rootkit
On 16.06.2018 13:49, Ahmed Soliman wrote: > Following up on these threads: > - https://marc.info/?l=kvm&m=151929803301378&w=2 > - http://www.openwall.com/lists/kernel-hardening/2018/02/22/18 > > I lost the original emails so I couldn't reply to them, and also sorry > for being late, it was the end of semester exams. > > I was advised on #qemu and
2018 Jun 18
1
Design Decision for KVM based anti rootkit
Shortly after I sent the first email, we found that there is another way to achieve this kind of communication, via KVM Hypercalls, I think they are underutilised in kvm, but they exist. We also found that they are architecture dependent, but the advantage is that one doesn't need to create QEMU<-> kvm interface So from our point of view it is either have things easily compatible with
2018 Jun 16
2
Design Decision for KVM based anti rootkit
Following up on these threads: - https://marc.info/?l=kvm&m=151929803301378&w=2 - http://www.openwall.com/lists/kernel-hardening/2018/02/22/18 I lost the original emails so I couldn't reply to them, and also sorry for being late, it was the end of semester exams. I was advised on #qemu and #kernelnewbies IRCs to ask here as it will help having better insights. To wrap things up, the
2008 Jan 13
3
Anti-Rootkit app
Hi all, I need to install an anti-rootkit in a lot of servers. I know that there're several options: tripwire, aide, chkrootkit... What do you prefer? Obviously, I have to define my needs: - easy setup and configuration - actively developed -- Thanks, Jordi Espasa Clofent
2018 Jul 19
8
Memory Read Only Enforcement: VMM assisted kernel rootkit mitigation for KVM
Hi, This is my first set of patches that works as I would expect, and the third revision I sent to mailing lists. Following up with my previous discussions about kernel rootkit mitigation via placing R/O protection on critical data structure, static data, privileged registers with static content. These patches present the first part where it is only possible to place these protections on memory
2010 Sep 30
6
ClamAV thinks Wine contains a rootkit?
Anyone wanna explain why ClamAV thinks Wine has a rootkit in it? It finds "mountmgr.sys" and "usbd.sys" as "BC.Heuristics.Rootkit.B". This is not altered Wine.. or even used... but it happens with a pure straight-up compile from source of Wine, even if it's never been run.... it's finding them in the fakedlls folder. I have not tried on Linux, only on Mac OS X, using the
2018 Jul 20
4
Memory Read Only Enforcement: VMM assisted kernel rootkit mitigation for KVM V4
Here is the change log from V3 to V4: - Fixing spelling/grammar mistakes suggested by Randy Dunlap - Changing the hypercall interface to be able to process multiple pages per one hypercall, also suggested by Randy Dunlap. It turns out that this will save lots of vmexit/memory slot flushes when protecting many pages. [PATCH RFC V4 1/3] KVM: X86: Memory ROE documentation [PATCH RFC V4 2/3] KVM:
2006 Nov 03
1
Fwd: FreeBSD and the new virtual machine-based rootkits
----- Forwarded message ---- From: Ricardo A. Reis <ricardo_bsd@yahoo.com.br> To: security@freebsd.org Sent: Friday, 3 November 2006 10:54:14 Subject: FreeBSD and the new virtual machine-based rootkits Hi All, Recently I participated in Brazil in October 2006 in the FIRST/TRANSITS and II Latin American Incident Response Conference (COLARIS). In the II COLARIS - Joanna
2008 Feb 11
0
Remember the unknown rootkit problem previously reported?
If the attacker could get a shell, the attacker could have used this local root exploit to get the necessary privileges to install the rootkit. One reason why there seem to be few RHEL reports is that RHEL5 is not that widely available yet but lots of vulnerable Fedora/Debian installations are available.
2008 Sep 01
1
How to check for rootkit, troians etc in backed up files?
Hi, there is a remote (VPS) Centos 4.2 server which *may* have been compromised. Reinstalling everything from scratch isn't a problem, it may even be an occasion to improve a few things, the question is another. There are backups of necessary shell script, ASCII configuration files and more or less important email (maildir format, if it matters) including messages with binary attachments in
2013 Feb 21
3
SSHD rootkit in the wild/compromise for CentOS 5/6?
Hello everyone, I hope you are having a good day. However, I am concerned by this: https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229 Has anyone heard yet what the attack vector is, if 5.9 and 6.4 are affected, and if a patch is coming out? Thanks! Gilbert -- Gilbert Sebenste
2006 Feb 18
0
Does your rkhunter do an md5 check?
I rebuilt rkhunter-1.2.8-1.noarch.rpm by using the spec and tgz from the rkhunter site (www.rootkit.nl). (I rebuilt it using his instructions.) However rkhunter does not do an md5 check. The box used to have Fedora and each time there were updates it would complain that some of the md5s don't match. I contacted the author using his contact feature on Wednesday but he hasn't
2003 Dec 27
1
Faked samba packages / rootkit?
Does anybody know of these samba packages? http://ftp.cvut.cz/samba/samba-latest.tar.gz AFAICS they are faked and contain some kind of rootkit (you can see this in the history below. The server this history is from is taken offline for security reasons, and nobody is there till 7th Jan, so I can't give you more details) > 144 w > 145 cat /etc/issue > 146 uname -a > 147
2001 Jun 25
1
Apparent SSH-1.2.27 Rootkit
Hello, I found this lurking around the web, and thought people who are running SSH-1.2.27 might be interested. -- Kevin Sindhu <kevin at tgivan dot com> Systems Engineer TGI Technologies Inc. Tel: (604) 872-6676 Ext 321 107 E 3rd Avenue Fax: (604) 872-6601 Vancouver,BC V5T 1C7 Canada. -------------- next part -------------- Welcome Root Kit SSH distribution v5.0 (by Zelea) This
2006 Jun 12
3
Check integrity or rootkits on remote server?
Hello, when one has physical access to a computer, he can run something like tripwire, with keys and checksums on a separate, write-only media, to verify the integrity of the system. What if the system is a remote one (in my case Centos 4.3 on a User Mode Linux VPS some hundreds of km from here)? Does it still make sense to run tripwire remotely? If yes, how, since you cannot plug in a floppy or
2007 Jun 26
1
Getting JPilot working
I am trying to get JPilot working. I have configured gnome-pilot-applet, but it is not talking to the USB-connected Treo650. My Treo has my name as the user, so from the applet, I also see a userid (my UID on this system it seems). I try to put that on the Treo and nothing happens. I have enabled the Backup Conduit. I am using /dev/pilot, which shows up when my Treo is connected via its USB
2008 Jan 29
5
Unknown rootkit causes compromised servers
Here is the applicable article: http://www.linux.com/feature/125548 There are links in the above article that explain tests for the system and what is currently known about the rootkit. Apparently initial access is NOT via any vulnerability but just guessed root passwords. There are currently 2 methods to see if you are infected: 1. In some cases, the root kit causes you to not be able to
2005 Jul 20
0
Palm Pilot, USB, pppd and udev
I've a line like this that creates /dev/pilot link in my local udev rules: BUS="usb", SYSFS{product}="Palm Handheld*", KERNEL="ttyUSB*[13579]", SYMLINK="pilot" And it seems to work fine for doing normal sync operation to Gnome Palm applet (well, not sure about that KERNEL parameter, however ttyUSB0 and ttyUSB1 look exactly the same, no other way to