One thing about all of this that matters is the following:
It's not about how secure your system is.
It's about how smart/well equipped/patient the attacker needs to be
*once they have already broken into your system*.

I recently had one of my machines broken into, but the service in
question was not running as root, and the attacker wasn't able to find
any privilege-escalation bugs on my system. I found a whole
collection of attempted security violations in a directory in /tmp,
and a daemon (called "bind" -- not "named") had been installed to get
access to my system again. Needless to say, I cleaned that stuff up,
and also got a close look at the rootkit.

Since my machine hadn't succumbed to the rootkit, it seems the
attacker had simply moved on. Most of these kinds of attacks are
actually automated these days, unless you're a high-value site for
them.

The kernel module, and/or replacing common user tools like ps, are
usually about trying to hide the existence of whatever
intrusion-installed software there is. It really helps more on
"springboard" sites than on sites that are the genuine attack targets.
-hpa

-- 
<hpa@transmeta.com> at work, <hpa@zytor.com> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt <amsp@zytor.com>
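A defender's cross-check for the ps-hiding tactic hpa describes, added here as an example and not taken from the original post: it compares the /proc listing that ps relies on against what the kernel admits to via kill(pid, 0), then discards thread IDs (which answer kill() but are never listed at the top of /proc) and processes that exited between the two views. It assumes a Linux procfs; all function names are the example's own.

```python
import os

def pids_from_proc():
    # The view ps is built from, and the one a trojaned ps or a /proc-filtering module falsifies.
    try:
        return {int(d) for d in os.listdir("/proc") if d.isdigit()}
    except FileNotFoundError:
        return set()

def pid_max():
    # Kernel PID ceiling; 32768 is the classic default if /proc is unavailable.
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return 32768

def pids_by_probe(limit=None):
    # kill(pid, 0) asks the kernel directly: ESRCH means no such process, EPERM means it exists but is not ours.
    found = set()
    for pid in range(1, (limit or pid_max()) + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found

def is_thread_of(pid, listed):
    # Thread IDs answer kill() but live only under /proc/<tgid>/task, so resolve the group leader first.
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) in listed
    except OSError:
        pass
    return False

def hidden_pids(listed, probed, thread_check=is_thread_of):
    # Processes the kernel admits to but the /proc listing omits.
    return {p for p in probed - listed if not thread_check(p, listed)}

def scan(passes=2):
    # Keep only PIDs hidden in every pass, dropping processes that exited between views.
    stable = None
    for _ in range(passes):
        hidden = hidden_pids(pids_from_proc(), pids_by_probe())
        stable = hidden if stable is None else stable & hidden
    return stable
```

Run `scan()` as root for the complete picture; an unprivileged run still sees other users' processes through EPERM, but a non-empty result is a reason to examine the host from trusted media, not proof by itself.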