Does anyone know whether the following can be trusted?

Nadav Har'El nyh at math.technion.ac.il
Mon Sep 20 07:09:16 IST 2010


On Mon, Sep 20, 2010, Omer Zak wrote about "Does anyone know whether the following can be trusted?":
> There is an exploit of 64-bit Linux kernel, which leaves behind a
> backdoor usable even after the kernel has been patched.
> 
> To check whether your PC is infected, the diagnose-2010-3081 tool can be
> used (see https://www.ksplice.com/uptrack/cve-2010-3081.ssi.xhtml for
> links to binary and to source).

Can you please point us to the source of these statements?

Often, the issues of *vulnerability* and *backdoor* are orthogonal.
I.e., once a vulnerability is known (in this case, an old 32-bit-compatibility
bug which somehow resurfaced recently), someone might break into your machine
(or in this case, he would have to break in first as any user, and this
vulnerability will give him root access). *Then*, he can install whatever
kind of backdoor, zombie, rootkit, or whatever he wants on your system.

There is no way to "diagnose" whether your PC was ever broken into using
a specific vulnerability - the only thing you can do is to look for a
specific backdoor or rootkit or whatever installed. But someone might have
used the same vulnerability and installed a completely different backdoor!

So even if that tool tests for a specific backdoor installed by some
specific demo "exploit", or one specific worm (and I don't know if it does),
don't be surprised if numerous other crackers are using the same
vulnerability together with completely different backdoors or rootkits.

-- 
Nadav Har'El                        |      Monday, Sep 20 2010, 12 Tishri 5771
nyh at math.technion.ac.il             |-----------------------------------------
Phone +972-523-790466, ICQ 13349191 |When everything's coming your way, you're
http://nadav.harel.org.il           |in the wrong lane.