Message-ID: <40320cb5-8c6f-6d99-e8d3-e68de157605b@gmail.com>
Date: Wed, 10 Jun 2020 23:04:35 +0200
From: Mikhail Morfikov <mmorfikov@...il.com>
To: lkrg-users@...ts.openwall.com
Subject: [p_lkrg] <Exploit Detection> Someone is trying to execute file: [//////////////]
I know that LKRG's UMH blocking feature is supposed to block execution of
files from paths which aren't whitelisted (when lkrg.umh_validate is set to
"1"). But what file is it actually blocking when I get a bunch of the following
messages in the log?
kernel: [p_lkrg] <Exploit Detection> !!! BLOCKING UMH !!!
kernel: [p_lkrg] <Exploit Detection> Someone is trying to execute file: [//////////////]
kernel: [p_lkrg] <Exploit Detection> --- . ---
I've seen something like the following:
kernel: [p_lkrg] <Exploit Detection> !!! BLOCKING UMH !!!
kernel: [p_lkrg] <Exploit Detection> Someone is trying to execute file: [/sbin/modprobe]
kernel: [p_lkrg] <Exploit Detection> --- . ---
And in this case the name is displayed, so there's no problem here, but what
about the "slasher" file?
Also, I have a question concerning the feature itself -- will it be possible to
define some custom paths to be included in the whitelist via sysctl?
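The following script is an added example, not code from the post or from the LKRG project. It parses the three-line "BLOCKING UMH" message groups quoted above out of kernel log text, counts how often each reported path is blocked, and flags entries whose reported "path" is made up of nothing but slashes, so that the odd entry the poster asks about is separated from ordinary absolute paths such as /sbin/modprobe. The sample log text is constructed to match the format shown in the post; the marker strings and the `normal`/`slashes-only`/`odd` classification are this example's own choices, not anything LKRG defines.

```python
import re
import sys
from collections import Counter

# Constructed sample kernel log text in the format quoted in the post.
# It is NOT captured from a real system; it only exercises the parser.
SAMPLE_LOG = """\
kernel: [p_lkrg] <Exploit Detection> !!! BLOCKING UMH !!!
kernel: [p_lkrg] <Exploit Detection> Someone is trying to execute file: [//////////////]
kernel: [p_lkrg] <Exploit Detection> --- . ---
kernel: [p_lkrg] <Exploit Detection> !!! BLOCKING UMH !!!
kernel: [p_lkrg] <Exploit Detection> Someone is trying to execute file: [/sbin/modprobe]
kernel: [p_lkrg] <Exploit Detection> --- . ---
kernel: [p_lkrg] <Exploit Detection> !!! BLOCKING UMH !!!
kernel: [p_lkrg] <Exploit Detection> Someone is trying to execute file: [//////////////]
kernel: [p_lkrg] <Exploit Detection> --- . ---
kernel: some unrelated message that must be ignored
"""

# The "execute file" line carries the path in square brackets; journalctl/dmesg
# prefixes (timestamps, hostname) do not matter because we use re.search().
BLOCK_START = "!!! BLOCKING UMH !!!"
FILE_RE = re.compile(
    r"\[p_lkrg\] <Exploit Detection> Someone is trying to execute file: "
    r"\[(?P<path>[^\]]*)\]"
)


def parse_umh_blocks(text):
    """Return the paths reported in 'BLOCKING UMH' events, in log order.

    A path is only accepted when it follows a BLOCKING UMH header line,
    so stray 'execute file' lines without the header are not counted.
    """
    paths = []
    pending = False
    for line in text.splitlines():
        if BLOCK_START in line:
            pending = True
            continue
        m = FILE_RE.search(line)
        if m and pending:
            paths.append(m.group("path"))
            pending = False
    return paths


def classify_path(path):
    """Classify a reported path (categories are this example's own):

    'slashes-only' - the string consists solely of '/' (the case in the post)
    'normal'       - an absolute path with a real final component and no '//'
    'odd'          - anything else (empty, relative, doubled slashes, ...)
    """
    if path and set(path) == {"/"}:
        return "slashes-only"
    if path.startswith("/") and path.rstrip("/") and "//" not in path:
        return "normal"
    return "odd"


def summarize(text):
    """Map each blocked path to its hit count and classification."""
    counts = Counter(parse_umh_blocks(text))
    return {p: {"count": n, "kind": classify_path(p)} for p, n in counts.items()}


if __name__ == "__main__":
    # Read real log text from stdin if piped in, otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for path, info in sorted(summarize(data).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{info['count']:4d}  {info['kind']:<12s}  [{path}]")
```

Run it as `journalctl -k | python3 umh_blocks.py` (the script name is arbitrary) to get a per-path tally of what LKRG blocked; a high count under `slashes-only` is exactly the repeated entry the post describes, and lets you see at a glance whether the named blocks (like /sbin/modprobe) and the unnamed ones occur together.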