From owner-freebsd-hackers Fri Jul 30 13:39:21 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from janus.syracuse.net (janus.syracuse.net [205.232.47.15])
	by hub.freebsd.org (Postfix) with ESMTP id 2343314C58
	for ; Fri, 30 Jul 1999 13:39:17 -0700 (PDT)
	(envelope-from green@FreeBSD.org)
Received: from localhost (green@localhost)
	by janus.syracuse.net (8.9.3/8.8.7) with ESMTP id QAA09522;
	Fri, 30 Jul 1999 16:39:02 -0400 (EDT)
X-Authentication-Warning: janus.syracuse.net: green owned process doing -bs
Date: Fri, 30 Jul 1999 16:39:01 -0400 (EDT)
From: "Brian F. Feldman"
X-Sender: green@janus.syracuse.net
To: Matthew Dillon
Cc: "Jordan K. Hubbard" , hackers@FreeBSD.org
Subject: Re: So, back on the topic of enabling bpf in GENERIC...
In-Reply-To: <199907302037.NAA94153@apollo.backplane.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, 30 Jul 1999, Matthew Dillon wrote:

> :   But even if you turn off the bpf device, you still have /dev/mem and
> :   /dev/kmem to worry about. For that matter, the intruder can still write
> :   raw devices. Also, there is another kernel feature called kldload(8).
>
>     BTW, I wrote this section because a hacker actually installed the bpf
>     device via the module loader during one of the root compromises at BEST,
>     a year or two ago. He had gotten it from a hackers cookbook of exploits
>     which he conveniently left on-disk long enough for our daily backups to
>     catch it :-).

Want to post the code for it? It would be interesting to see how that was done!

>                                     -Matt
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
>

 Brian Fundakowski Feldman           _ __ ___ ____  ___ ___  ___
 green@FreeBSD.org                    _ __ ___ | _ ) __| \
	 FreeBSD: The Power to Serve!      _ __ | _ \._ \ |) |
	   http://www.FreeBSD.org/           _ |___/___/___/
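The thread turns on three things a root intruder can do once in: load a module such as bpf with kldload(8), write /dev/mem and /dev/kmem, and write raw devices. The following audit helper is an added example, not code from the thread or from FreeBSD; it parses kldstat(8)-style output for modules on a watch list and reports whether kern.securelevel is high enough to refuse kldload and write access to /dev/mem and /dev/kmem (securelevel 1 and above does both). The kldstat sample embedded in it is constructed for demonstration and the module names in it are made up.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit helpers for the
# points the thread raises. Each helper takes its input as text so it can
# be exercised on a constructed sample without being on a FreeBSD host.

# Print the names of loaded kernel modules from kldstat(8) output on
# stdin, skipping the header line and the kernel image itself.
loaded_modules() {
    awk 'NR > 1 && $NF != "kernel" { print $NF }'
}

# Print loaded modules whose name matches a watch pattern (default: bpf).
# Exit status 0 means at least one match was found.
suspicious_modules() {
    pattern="${1:-bpf}"
    loaded_modules | grep -i -- "$pattern"
}

# kern.securelevel >= 1 refuses kldload/kldunload and write access to
# /dev/mem and /dev/kmem; below that a root intruder can do all three.
securelevel_blocks_kld() {
    [ "$1" -ge 1 ]
}

# Constructed kldstat-style output for demonstration (not real output).
SAMPLE_KLDSTAT='Id Refs Address    Size     Name
 1    3 0xc0100000 1a2b3c   kernel
 2    1 0xc1a00000 4000     linux.ko
 3    1 0xc1b00000 2000     bpf.ko'

# Summarise one host's state: arguments are kldstat output and securelevel.
audit_report() {
    kld_out="$1"; level="$2"
    printf 'Loaded modules: %s\n' \
        "$(printf '%s\n' "$kld_out" | loaded_modules | tr '\n' ' ')"
    if found=$(printf '%s\n' "$kld_out" | suspicious_modules bpf); then
        printf 'WARNING: packet-capture module present: %s\n' "$found"
    fi
    if securelevel_blocks_kld "$level"; then
        printf 'kern.securelevel=%s: kldload and /dev/kmem writes are refused\n' "$level"
    else
        printf 'kern.securelevel=%s: kldload and /dev/kmem writes are still possible\n' "$level"
    fi
}

# On a real FreeBSD host, call:
#   audit_report "$(kldstat)" "$(sysctl -n kern.securelevel)"
audit_report "$SAMPLE_KLDSTAT" 0
```

The securelevel check is the one that matters for Dillon's incident: a loaded module shows up in kldstat only until the intruder unloads it, whereas a securelevel of 1 or more stops the kldload in the first place.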