Denying administrative access using a loadable module
6 Dec. 2000
Summary
After a system has been compromised, attackers sometimes create a new loadable module on the compromised system that can effectively disable all access to the machine.
Credit:
The information has been provided by bELFaghor.
Reconstruction:
In order to disable access to the machine via the network, the attacker just has to disable the network services; this will not be covered in this article.
In order to disable access to the machine via the console/keyboard, you first need to find out which IRQ is assigned to the keyboard. Executing the following command can accomplish this:
# cat /proc/interrupts
0: 397526 timer
1: 8129 keyboard
2: 0 cascade
4: 772 + serial
Then compiling and loading the following module will complete the task of disabling keyboard access (NOTE: if the keyboard IRQ shown above is not 1, change it accordingly in the code below):
void cleanup_module(void) {
    printk("fuck the world i will deny you\n");
}
STOP
# gcc -c ivoluan.c
# insmod ivoluan.o
After the module has been successfully loaded, no keyboard keystrokes will reach the kernel, thus effectively disabling access from the keyboard to the operating system.
NOTE: This is only a temporary solution, since if the administrator reboots the machine the module will not be loaded again. To disable keyboard access permanently, you would need to recompile the kernel without keyboard support.
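One way an administrator can spot this from a remote session, as an added example that is not part of the original advisory: compare a trusted copy of /proc/interrupts (taken before the incident) with the current one and report IRQs whose handler has vanished. This assumes that once the keyboard IRQ has been freed by a module the kernel stops listing that IRQ at all, since /proc/interrupts only shows IRQs with a registered handler; the sample listings are constructed in the format quoted above.

```python
"""Detect a keyboard IRQ handler that has vanished from /proc/interrupts.

Added example, not from the original advisory. Assumption: after a module
frees the keyboard IRQ, that IRQ no longer appears in /proc/interrupts
(the file lists only IRQs that have a registered handler).
"""
import re
from typing import Dict, List, Optional

# Constructed sample in the uniprocessor format quoted by the advisory.
BASELINE = """\
0: 397526 timer
1: 8129 keyboard
2: 0 cascade
4: 772 + serial
"""

# Constructed sample of the same machine after the hostile module is loaded:
# IRQ 1 has no handler any more and is simply absent from the listing.
COMPROMISED = """\
0: 401210 timer
2: 0 cascade
4: 790 + serial
"""

# IRQ number, one or more per-CPU counters, then the remaining description
# (edge flag or interrupt controller name, followed by the handler names).
LINE_RE = re.compile(r"^\s*(\d+):\s+\d+(?:\s+\d+)*\s*(.*)$")

def parse_interrupts(text: str) -> Dict[int, List[str]]:
    """Map IRQ number -> words of its description, ignoring header,
    NMI/LOC/ERR and other lines that do not start with an IRQ number."""
    table: Dict[int, List[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            table[int(m.group(1))] = m.group(2).split()
    return table

def keyboard_irq(text: str) -> Optional[int]:
    """IRQ currently carrying a 'keyboard' handler, or None if none is registered."""
    for irq, words in parse_interrupts(text).items():
        if "keyboard" in words:
            return irq
    return None

def missing_handlers(baseline: str, current: str) -> List[int]:
    """IRQs that had a handler in the baseline but are gone from the current listing."""
    before, after = parse_interrupts(baseline), parse_interrupts(current)
    return sorted(irq for irq in before if irq not in after)
```

On a live system, read /proc/interrupts into a string and pass it as the second argument alongside the saved baseline; a result of [1] (or whatever IRQ the keyboard had) is the signal to inspect the loaded modules.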