lkrg-users - [p_lkrg] <Exploit Detection> Someone is trying to execute file: [//////////////]

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Date: Wed, 10 Jun 2020 23:04:35 +0200
From: Mikhail Morfikov <mmorfikov@...il.com>
To: lkrg-users@...ts.openwall.com
Subject: [p_lkrg] <Exploit Detection> Someone is trying to execute file:
 [//////////////]

I know that the LKRG's UMH blocking feature is supposed to block execution of 
files from paths which aren't whitelisted (when lkrg.umh_validate is set to 
"1"). But what file is it actually blocking when I get bunch of the following 
messages in the log?

kernel: [p_lkrg] <Exploit Detection> !!! BLOCKING UMH !!!
kernel: [p_lkrg] <Exploit Detection> Someone is trying to execute file: [//////////////]
kernel: [p_lkrg] <Exploit Detection> --- . ---

I've seen something like the following:

kernel: [p_lkrg] <Exploit Detection> !!! BLOCKING UMH !!!
kernel: [p_lkrg] <Exploit Detection> Someone is trying to execute file: [/sbin/modprobe]
kernel: [p_lkrg] <Exploit Detection> --- . ---

And in this case the name is displayed, so there's no problem here, but what 
about the "slasher" file?

Also I have question concerning the feature itself -- will it be possible to 
define some custom paths to be included in the whitelist via sysctl?

Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.