[lug] What does this mean?

Sebastian Sobolewski ( Zeb ) spsobole at mindless.com
Tue Mar 21 09:39:23 MST 2000


"rootkit" refers to a package of tools/cracks and Trojans used to break 
into your machine.  (AKA get root access)  They're typically used by 
"script kiddies" (hacker/cracker wannabes).  Basically some good cracker 
figured out how to gain root access to a computer by getting around 
security or through a broken/insecure program and then created a script 
that allows any jerk that knows where to find it an easy way to break into 
someone's computer.

         If you are not running any security packages like tripwire or even 
a nightly md5 package check I would be very wary of the state of that 
computer.  If the cracker was any good they would have covered their tracks 
once they gained access.  The first thing to do is check your /bin /sbin 
/usr/bin and /usr/sbin directories for things that look out of place, like 
programs with weird looking creation dates.  Double check: ps, top, ls, su, 
login, in.telnetd, in.ftpd since these are the most likely to have been 
swapped for hacked versions with backdoors.

         The most common attack is to change the above apps to ones that 
have a backdoor password that lets the cracker back in if he wants to.  ps 
and top are also usually replaced with versions that "hide" programs that 
the cracker doesn't want you to see running.  (like a smurf or DoS attack 
script that's running in the background)

         Check to make sure your /root/.history file is not pointing to 
/dev/null

         Also double check your hosts.allow/hosts.deny files in the /etc 
directory to make sure no weird IPs have been added to the allow list.

         Another thing to look for is "mystery" modules loaded into the 
kernel.  You can use modprobe to list currently running modules.


         If you find anything from the list above chances are your computer 
has been rooted.  In general if you suspect someone has successfully broken 
into your system a reinstall is almost always a must.


-Sebastian


At 12:41 AM 3/21/00 , you wrote:
>What exactly is a rootkit?
>
>
> > ** Original Subject: RE: [lug] What does this mean?
> > ** Original Sender: Tkil <tkil at scrye.com>
> > ** Original Date: Tue, 21 Mar 2000 00:34:12 -0700
>
> > ** Original Message follows...
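The checks listed in the reply above (a saved md5 manifest of the system binaries, the /root/.history symlinked to /dev/null trick, and unexpected kernel modules), as an added defender-side script that is not from the original post or the LUG archive. It assumes GNU coreutils (md5sum, xargs -r, readlink) and a Linux /proc/modules; the paths and module names used in any test run are constructed samples.

```shell
#!/bin/sh
# Added example: host checks from the post, written as reusable functions.

# Record "md5  path" for every file under the given directories, e.g.
# /bin /sbin /usr/bin /usr/sbin, while the system is still trusted.
make_manifest() {            # usage: make_manifest OUTFILE DIR...
    out=$1; shift
    find "$@" -type f 2>/dev/null | sort | xargs -r md5sum > "$out"
}

# Print every path whose current md5 differs from the saved one (CHANGED),
# or which has vanished since the baseline was taken (MISSING).
check_manifest() {           # usage: check_manifest MANIFEST
    while read -r saved path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
        elif [ "$(md5sum "$path" | cut -d' ' -f1)" != "$saved" ]; then
            echo "CHANGED  $path"
        fi
    done < "$1"
}

# Print SUSPECT if the shell history file is a symlink to /dev/null
# (which silently discards the history), otherwise OK.
check_history() {            # usage: check_history /root/.history
    if [ -L "$1" ] && [ "$(readlink "$1")" = "/dev/null" ]; then
        echo SUSPECT
    else
        echo OK
    fi
}

# Print loaded module names that are not in EXPECTED_FILE (one sorted name
# per line).  lsmod reads the same /proc/modules table.
unexpected_modules() {       # usage: unexpected_modules EXPECTED_FILE [MODULES_FILE]
    awk '{print $1}' "${2:-/proc/modules}" | sort | comm -23 - "$1"
}
```

Run make_manifest once on a clean install and keep the manifest off the machine (or on read-only media), since a manifest stored on a rooted box can be rewritten along with the binaries.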






More information about the LUG mailing list