Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linuxinterfaceforon access scanning
From: Arjan van de Ven
Date: Tue Aug 05 2008 - 14:02:47 EST
On Tue, 5 Aug 2008 18:29:44 +0100
Alan Cox <alan@xxxxxxxxxxxxxxxxxxx> wrote:
> > And this can be done from userland with the preload: the
> > "workaround" from the preload assumes you've already executed
> > malicious code, which is outside of your protection scope.
> >
> > What am I missing?
>
> Scripts
get either opened or exec'd...
(ignoring stdin-fed scripts right now.. but that's a problem regardless)
> Attempts to screen content
can you explain?
> Exec occuring after ld.so is compromised
this is post-compromise scenario; if you have enough root rights to do
that then it's game over.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/