LINUX SECURITY --- September 05, 2000
Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters
*********************************************************************
HIGHLIGHTS
* Defending against the rootkit and cleaning up after one has already
crashed the party
*********************************************************************
The Dreaded Rootkit
by Rick Johnson
Just hearing the word "Rootkit" should make you shudder with a feeling
of uncertainty. It is, by far, any System Administrator's worst
nightmare. Imagine not being able to trust your own installed programs.
What if every command you executed was lying to you?
A rootkit is a collection of files that replace existing programs; it
hides the intruder's processes and activities from the administrator and
preserves the root-level access the intruder has already obtained.
Typically, a rootkit includes some of the following:
* A network sniffer for logging passwords
* Replacement binaries to hide the rootkit and its log files. Those
usually replaced include ps, du, ls, ifconfig, netstat, find,
lsof, and top.
* Programs to remove log entries from wtmp, messages and lastlog.
* Tools to modify timestamp and checksum entries for replacement
binaries.
* Replacements for daemons, such as telnet or ftp, with ones that
contain a backdoor.
* Plus many other assorted goodies!
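The replaced ps in the list above lies about which processes are running,
but the kernel's /proc filesystem still lists every PID, and the shell can
enumerate it with its own globbing, never calling ls or find. The script
below is an added example and not code from the original column; the
PROCDIR and PS_PIDS parameters are assumptions made so the logic can be
exercised on a fake /proc tree, and the defaults run against the live
host.

```sh
#!/bin/sh
# Cross-check the process list reported by ps against the kernel's own
# view in /proc.  A trojaned ps hides the intruder's PIDs, but the
# /proc/<pid> directories are still there, and the shell can enumerate
# them with its own globbing, without calling the (possibly replaced)
# ls or find.  Added example, not code from the original article.
#
# hidden_pids [PROCDIR] [PS_PIDS]
#   PROCDIR : directory to enumerate (default /proc)
#   PS_PIDS : whitespace-separated PIDs as reported by ps
#             (default: the output of `ps -e -o pid=`)
#   Both parameters exist only so the logic can be tested on a fake
#   /proc tree; on a real host run it with no arguments, as root.
#   Prints "PID NAME" for each PID present in PROCDIR but absent from
#   PS_PIDS, where NAME is taken from PROCDIR/PID/status.
hidden_pids() {
    procdir=${1:-/proc}
    ps_pids=${2:-$(ps -e -o pid=)}
    # Normalise to " 1  2  3 " so each PID can be matched as " PID ".
    ps_pids=$(printf ' %s ' $ps_pids)
    for entry in "$procdir"/[0-9]*; do
        [ -d "$entry" ] || continue
        pid=${entry##*/}
        # [0-9]* also matches names such as "1abc"; keep pure numbers only.
        case $pid in *[!0-9]*) continue ;; esac
        case $ps_pids in
            *" $pid "*) ;;          # ps reports it, nothing to do
            *)
                name='?'
                if [ -r "$entry/status" ]; then
                    # First line of /proc/PID/status is "Name:<tab>command".
                    read -r key name < "$entry/status" || name='?'
                fi
                printf '%s %s\n' "$pid" "$name"
                ;;
        esac
    done
    return 0
}
```

Save it as pscheck.sh and run `sh -c '. ./pscheck.sh; hidden_pids'` as
root. A process that exits between the ps call and the glob will show up
as a false positive, so rerun before acting on a hit. This only catches
a replaced userland ps: a kernel-level rootkit that filters /proc itself
hides from this check too, which is why a checksum database or a boot
from trusted media remains necessary.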
Most script kiddies take to using their newly downloaded rootkit with
little or no modification; this gives you a shot at identifying the one
installed on your system and, therefore, a head start on cleanup.
However, any malicious hacker worthy of the title knows how to write a
rootkit and already has done so. Of course, there is one small catch:
They have to break in, get it installed and remain unnoticed.
If that has already happened, it is usually still possible to detect
that a rootkit is installed. Those who have been following this
newsletter recently already know the value of checksum and
integrity-checking programs such as Tripwire (http://www.tripwire.com).
With a database of checksums taken while the system was known to be
clean, and kept where an intruder cannot rewrite it, you can be
reasonably sure which files have been tampered with.
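A minimal version of that checksum database, as an added example that is
not the column's code and not Tripwire's, follows. It assumes POSIX sh
plus find and sha256sum from GNU coreutils, and uses sha256sum's own
"digest  path" line format so the baseline can also be fed to
`sha256sum -c`.

```sh
#!/bin/sh
# Minimal Tripwire-style integrity check: record a SHA-256 digest for
# every regular file under a directory tree, then compare the tree
# against that baseline later and report what changed.  Added example,
# not code from the original article or from Tripwire.  Assumes POSIX sh
# plus find and sha256sum (GNU coreutils); the baseline is sha256sum's
# own "digest  path" format (64 hex digits, two spaces, path).

# build_baseline ROOT BASELINE_FILE
#   Writes one digest line per regular file under ROOT, sorted by path.
build_baseline() {
    root=$1; baseline=$2
    find "$root" -type f -print | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done > "$baseline"
}

# verify_baseline ROOT BASELINE_FILE
#   Prints one line per discrepancy ("MODIFIED path", "MISSING  path",
#   "NEW      path") and returns 1; prints nothing and returns 0 when
#   the tree matches the baseline exactly.
verify_baseline() {
    root=$1; baseline=$2
    report=$(
        # Every file in the baseline must still exist with the same digest.
        while read -r digest path; do
            if [ ! -f "$path" ]; then
                printf 'MISSING  %s\n' "$path"
            elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$digest" ]; then
                printf 'MODIFIED %s\n' "$path"
            fi
        done < "$baseline"
        # Every file present now must appear in the baseline.  Column 67
        # onward of a baseline line is the path; -x matches the whole
        # line, -F matches it literally.
        find "$root" -type f -print | LC_ALL=C sort | while read -r f; do
            cut -c67- "$baseline" | grep -q -F -x -- "$f" \
                || printf 'NEW      %s\n' "$f"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Build the baseline immediately after installation (for example over /bin,
/sbin, /usr/bin and /usr/sbin) and write it to read-only media; a
baseline taken after the break-in only certifies the rootkit. Run the
check from a known-clean boot, using the sh, find and sha256sum on that
media rather than the ones on disk, since a rootkit that replaces ps and
ls can replace those just as easily. Unlike Tripwire this records only
file contents, not ownership, permissions or timestamps, and it does not
handle paths containing newlines.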
Also available is Rkdet (http://vancouver-webpages.com/rkdet/), a daemon
intended to catch someone installing a rootkit or running a packet
sniffer. It is designed to run continually with a small footprint under
an innocuous name; when triggered it sends email, appends to a log file,
and can disable networking or halt the system.
Some of you, undoubtedly, are already writing your complaints about that
reckless author teaching readers about a rootkit. Before you gather the
mob and light the torches, please remember one important thing: This is
no secret. Anyone can perform a quick search and have their hands on a
rootkit within minutes. In fact, I recommend downloading one to explore
how deeply they can infect a system because a weekly column cannot cover
the complexity of a rootkit.
Every system needs protection from this threat and to protect yourself
against anything, you must first understand it. For example, how else do
you expect to keep from being shot if you have no grasp of what a gun is
or how it works? Remember, do not be afraid of the rootkit you detect,
be afraid of the one you cannot see but know is there.
Resources
Use a honey pot to catch hackers
http://www2.itworld.com/cma/ett_article_frame/0,2848,1_1957,00.html
Attacking Linux
To stop an attacker, think like a cracker
http://www.linuxworld.com/linuxworld/lw-2000-08/lw-08-expo00-hacking.html
Symantec targets enterprise with desktop firewall
http://www2.itworld.com/cma/ett_article_frame/0,,1_2348.html
Battling a DDoS attack
http://www2.itworld.com/cma/ett_article_frame/0,2848,1_2338,00.html
************************************************************************
About the author
----------------
Rick Johnson is currently the Manager of Security Services for
FusionStorm, a remote managed services company. When not writing, he
heads the development team for PMFirewall, an Ipchains Firewall and
Masquerading Configuration Utility for Linux. Rick can be contacted via
email at rick@pointman.org or on the web at http://www.pointman.org.
*********************************************************************