Date: Thu, 11 Jun 2020 19:50:34 +0200 From: Adam Zabrocki <pi3@....com.pl> To: lkrg-users@...ts.openwall.com Subject: Re: [p_lkrg] <Exploit Detection> Someone is trying to execute file: [//////////////] On Thu, Jun 11, 2020 at 07:26:19PM +0200, Mikhail Morfikov wrote: > On 11/06/2020 19:01, Adam Zabrocki wrote: > > On Wed, Jun 10, 2020 at 11:04:35PM +0200, Mikhail Morfikov wrote: > >> I know that the LKRG's UMH blocking feature is supposed to block execution of > >> files from paths which aren't whitelisted (when lkrg.umh_validate is set to > >> "1"). But what file is it actually blocking when I get bunch of the following > >> messages in the log? > >> > >> kernel: [p_lkrg] <Exploit Detection> !!! BLOCKING UMH !!! > >> kernel: [p_lkrg] <Exploit Detection> Someone is trying to execute file: [//////////////] > >> kernel: [p_lkrg] <Exploit Detection> --- . --- > > > > When LKRG blocks execution it overwrites original path with slash chars. If you > > see that in the log, it means someone is executing something through UMH which > > was already previoussly blocked. You can't restore what was blocked. > > So how to determine what path would that be, because I don't really know what > causes it, and if I had the file name, then it would be easier to figure it out > what's going on. > You should have in the log the first attempt of execution which is printing the original name before it is overwritten > >> > >> I've seen something like the following: > >> > >> kernel: [p_lkrg] <Exploit Detection> !!! BLOCKING UMH !!! > >> kernel: [p_lkrg] <Exploit Detection> Someone is trying to execute file: [/sbin/modprobe] > >> kernel: [p_lkrg] <Exploit Detection> --- . --- > >> > >> And in this case the name is displayed, so there's no problem here, but what > >> about the "slasher" file? > >> > >> Also I have question concerning the feature itself -- will it be possible to > >> define some custom paths to be included in the whitelist via sysctl? > >> > > > > For now, we only support hardcoded whitelist. You can easily add your own path > > to the LKRG source code. Also list is evolving and we adding / removing some > > entires. > > > > Btw. modprobe is whitelisted. > I know, but I've set it to block UMH altogether for testing purposes. > > > > Thanks, > > Adam > > > > -- pi3 (pi3ki31ny) - pi3 (at) itsec pl http://pi3.com.pl
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.