Thread: [Rkhunter-users] Stealthy Linux rootkit found in the wild after going undetected for 2 years
From: Brent C. <bre...@gm...> - 2023-12-10 20:18:01
Good day Guys

I came across this
https://arstechnica.com/security/2023/12/stealthy-linux-rootkit-found-in-the-wild-after-going-undetected-for-2-years/

Can rkhunter detect / scan for

Diamorphine
Suterusu
Rooty

Regards
Brent
From: John D. <jwa...@gm...> - 2024-02-06 05:13:08
Hi Guys,

I just found time to think about rkhunter again, & realise the last update via fedora was for,

Version : 1.4.6
Release : 22.fc39
Build Date : Sat 22 Jul 2023 03:14:29

Did we make any progress on transition?
& particularly was there any answer to the question below?

Cheers

John

On Sun, 2023-12-10 at 22:17 +0200, Brent Clark wrote:
> Good day Guys
>
> I came across this
>
> https://arstechnica.com/security/2023/12/stealthy-linux-rootkit-found-in-the-wild-after-going-undetected-for-2-years/
>
> Can rkhunter detect / scan for
>
> Diamorphine
> Suterusu
> Rooty
>
> Regards
> Brent
From: John H. <joh...@pl...> - 2024-02-06 21:25:38
On Tue, 2024-02-06 at 16:12 +1100, John Dodson wrote:
> Hi Guys,
> I just found time to think about rkhunter again, & realise the last update
> via fedora was for,
>
> Version : 1.4.6
> Release : 22.fc39
> Build Date : Sat 22 Jul 2023 03:14:29
>
> Did we make any progress on transition?
> & particularly was there any answer to the question below?
>
From the 1.4.6 changelog:

Added the 'Diamorphine LKM' test.

John.

> Cheers
>
> John
>
> On Sun, 2023-12-10 at 22:17 +0200, Brent Clark wrote:
> > Good day Guys
> >
> > I came across this
> >
> > https://arstechnica.com/security/2023/12/stealthy-linux-rootkit-found-in-the-wild-after-going-undetected-for-2-years/
> >
> > Can rkhunter detect / scan for
> >
> > Diamorphine
> > Suterusu
> > Rooty
> >
> > Regards
> > Brent

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
From: Michael L. <mic...@gm...> - 2024-02-06 12:06:42
- The rootkit can hook the `kill()` syscall, network-related functions, and file listing operations in order to hide its activities and evade detection.

This should theoretically change the hash of the "kill" command leading to detection as a generic rootkit. The link you shared shows that this rootkit is a kernel module. Rkhunter does not check kernel modules by default but this would be a great feature.

Thank you,

Michael Lazin

..

τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.

On Sun, Dec 10, 2023 at 3:23 PM Brent Clark <bre...@gm...> wrote:
> Good day Guys
>
> I came across this
>
> https://arstechnica.com/security/2023/12/stealthy-linux-rootkit-found-in-the-wild-after-going-undetected-for-2-years/
>
> Can rkhunter detect / scan for
>
> Diamorphine
> Suterusu
> Rooty
>
> Regards
> Brent
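One way to approach the kernel-module check the message above says rkhunter lacks, added here as an illustration and not code from rkhunter or from anyone in this thread: cross-check the three places the kernel exposes loaded module names (/proc/modules, /sys/module, /proc/kallsyms) and report any name that is missing from some view, since an LKM that unlinks itself from one list but not the others shows up as exactly that kind of inconsistency. The sample /proc/modules and /proc/kallsyms text and the module name hidden_lkm are constructed for the demonstration; the file layouts themselves are the real ones.

```python
#!/usr/bin/env python3
"""Cross-check the kernel's views of loaded modules for hidden LKMs.

A module present in all three views is consistent; a name missing from
one or two of them is worth a closer look.  Added example, not rkhunter code."""
import os
import re

# Constructed sample data: two ordinary modules plus a made-up module
# ('hidden_lkm') that is visible only through its kallsyms entries.
SAMPLE_PROC_MODULES = (
    "ext4 843776 2 - Live 0x0000000000000000\n"
    "nf_tables 327680 0 - Live 0x0000000000000000\n"
)
SAMPLE_KALLSYMS = (
    "0000000000000000 t ext4_fill_super\t[ext4]\n"
    "0000000000000000 t nft_do_chain\t[nf_tables]\n"
    "0000000000000000 T printk\n"                 # core kernel symbol, no tag
    "0000000000000000 t hidden_init\t[hidden_lkm]\n"
)
SAMPLE_SYSFS = {"ext4", "nf_tables"}

def modules_from_proc(text):
    """Module names from /proc/modules text (what lsmod prints): first field per line."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}

def modules_from_kallsyms(text):
    """Module names tagged in brackets at the end of /proc/kallsyms lines."""
    return set(re.findall(r"\t\[([^\]]+)\]$", text, flags=re.M))

def modules_from_sysfs(sys_module="/sys/module"):
    """Loaded modules under /sys/module; built-in entries have no 'initstate' file."""
    try:
        names = os.listdir(sys_module)
    except OSError:
        return set()
    return {n for n in names if os.path.exists(os.path.join(sys_module, n, "initstate"))}

def discrepancies(proc_names, sysfs_names, kallsyms_names):
    """Map each module name that is absent from at least one view to the
    set of views it is missing from; an empty dict means all views agree."""
    views = {"proc": proc_names, "sysfs": sysfs_names, "kallsyms": kallsyms_names}
    result = {}
    for name in set().union(*views.values()):
        missing = {view for view, names in views.items() if name not in names}
        if missing:
            result[name] = missing
    return result

if __name__ == "__main__":
    with open("/proc/modules") as f:
        proc = modules_from_proc(f.read())
    with open("/proc/kallsyms") as f:       # run as root for full symbol listing
        ksyms = modules_from_kallsyms(f.read())
    for name, missing in sorted(discrepancies(proc, modules_from_sysfs(), ksyms).items()):
        print(f"{name}: missing from {', '.join(sorted(missing))}")
```

A module that scrubs itself from all three views leaves no discrepancy, so this complements rather than replaces signature tests such as the Diamorphine LKM test named in the changelog.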