[lug] What does this mean?
Sebastian Sobolewski ( Zeb )
spsobole at mindless.com
Tue Mar 21 09:39:23 MST 2000
"rootkit" refers to a package of tools/cracks and Trojans used to break
into your machine. (AKA get root access) They're typically used by
"script kiddies" (hacker/cracker wanabees) Basically some good cracker
figured out how to gain root access to a computer by getting around
security or through a broken/insecure program and then created a script
that allows any jerk that knows where to find it an easy way to break into
some ones computer.
If you are not running any security packages like tripwire or even
a nightly md5 package check I would be very wary of the state of that
computer. If the cracker was any good they would have covered their tracks
once they gained access. The first thing to do is check your /bin, /sbin,
/usr/bin and /usr/sbin directories for things that look out of place, like
programs with weird looking creation dates. Double check: ps, top, ls, su,
login, in.telnetd, in.ftpd since these are the most likely to have been
swapped for hacked versions with backdoors.
The most common attack is to change the above apps to ones that
have a backdoor password that lets the cracker back in if he wants to. ps
and top are also usually replaced with versions that "hide" programs that
the cracker doesn't want you to see running. (like a smurf or DoS attack
script that's running in the background)
Check to make sure your /root/.history file is not pointing to
/dev/null
Also double check your hosts.allow/hosts.deny files in the /etc
directories to make sure no weird IPs have been added to the allow list.
Another thing to look for is "mystery" modules loaded into the
kernel. You can use modprobe to list currently running modules.
If you find anything from the list above chances are your computer
has been rooted. In general if you suspect someone of successfully breaking
into your system a reinstall is almost always a must.
-Sebastian
At 12:41 AM 3/21/00 , you wrote:
>What exactly is a rootkit?
>
>
> > ** Original Subject: RE: [lug] What does this mean?
> > ** Original Sender: Tkil <tkil at scrye.com>
> > ** Original Date: Tue, 21 Mar 2000 00:34:12 -0700
>
> > ** Original Message follows...
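The checklist in Sebastian's reply, written up as an added example that is not part of the original post: a read-only POSIX shell script whose functions each take the path they inspect, so it can be pointed at a mounted copy of a suspect disk rather than the live system. The /mnt/suspect path and the known-good module list are assumptions; loaded modules are read from /proc/modules.

```shell
#!/bin/sh
# Added example, not from the original post: read-only versions of the
# checks listed above. Each function takes the path it inspects, so the
# script can be pointed at a mounted copy of a suspect disk (/mnt/suspect
# below is an assumed path).
# Binaries the post names as the usual targets for trojaned replacements.
SUSPECT_BINS="ps top ls su login in.telnetd in.ftpd"
# Print mtime and ctime of each suspect binary under ROOT so odd dates
# stand out (ctime cannot be reset with touch, so a fresh ctime on an
# "old" binary is a useful signal).
list_bin_times() {
    root=${1:-/}
    for dir in bin sbin usr/bin usr/sbin; do
        for name in $SUSPECT_BINS; do
            f="$root/$dir/$name"
            [ -e "$f" ] || continue
            printf '%s\tmtime=%s\tctime=%s\n' "$f" \
                "$(stat -c %y "$f" 2>/dev/null || stat -f %Sm "$f")" \
                "$(stat -c %z "$f" 2>/dev/null || stat -f %Sc "$f")"
        done
    done
}
# Exit 0 when the history file is a symlink to /dev/null (hides commands).
history_is_nulled() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "/dev/null" ]
}
# Print active (non-comment, non-blank) hosts.allow lines for review.
active_allow_entries() {
    awk '!/^[[:space:]]*#/ && NF' "$1"
}
# Print module names in $1 (normally /proc/modules) missing from $2, a
# one-name-per-line list saved from a known-clean boot.
unexpected_modules() {
    awk 'FILENAME == ARGV[1] { known[$1] = 1; next }
         !($1 in known) { print $1 }' "$2" "$1"
}
# Run all checks against ROOT (default /) with optional known-module list.
run_checks() {
    root=${1:-/}; known=${2:-/dev/null}
    list_bin_times "$root"
    if history_is_nulled "$root/root/.history"; then
        echo "WARNING: $root/root/.history -> /dev/null"; fi
    echo "--- active hosts.allow entries:"
    active_allow_entries "$root/etc/hosts.allow"
    echo "--- loaded modules not on the known-good list:"
    unexpected_modules "$root/proc/modules" "$known"
}
if [ $# -gt 0 ]; then run_checks "$@"; fi   # e.g. ./rootcheck.sh /mnt/suspect
```

Run it from a trusted boot medium, since ps, ls and the shell on a rooted box may themselves be the replaced binaries the post warns about.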