Since we're talking about security today...

> -----Original Message-----
> From: ITworld Newsletters [mailto:itwnews@itwpub1.com]
> Sent: Tuesday, September 05, 2000 12:13 PM
> To: vogell@yahoo.com
> Subject: Linux Security -- Rootkit
>
>
> LINUX SECURITY --- September 05, 2000
> Published by ITworld.com, the IT problem-solving network
> http://www.itworld.com/newsletters
>
> *********************************************************************
> HIGHLIGHTS
>
> * Defending against the rootkit and cleaning up after one has already
>   crashed the party
> * Community Discussion: Is PKI providing strong authentication?
>
> SERVICES
>
> * IT Job Spot: Sr. Unix Systems Administrator -- Bedford, MA
> * Webcast: Is more bandwidth necessarily better?
>
> *********************************************************************
> The Dreaded Rootkit
> by Rick Johnson
>
> Just hearing the word "Rootkit" should make you shudder with a feeling
> of uncertainty. It is, by far, any System Administrator's worst
> nightmare. Imagine not being able to trust your own installed programs.
> What if every command you executed was lying to you?
>
> A collection of files that replace existing programs, a rootkit
> maliciously hides certain processes or activities and gains root level
> access. Typically, the rootkit includes a sample of the following:
>
> * A network sniffer for logging passwords
> * Replacement binaries to hide the rootkit and its log files. Those
>   usually replaced include ps, du, ls, ifconfig, netstat, find, lsof,
>   and top.
> * Programs to remove log entries from wtmp, messages and lastlog.
> * Tools to modify timestamp and checksum entries for replacement
>   binaries.
> * Replacements for daemons, such as telnet or ftp, with ones that
>   contain a backdoor.
> * Plus many other assorted goodies!
>
> Most script kiddies take to using their newly downloaded rootkit with
> little or no modification; this gives you a shot at identifying the one
> installed on your system and, therefore, a head start on cleanup.
> However, any malicious hacker worthy of the title knows how to write a
> rootkit and already has done so. Of course, there is one small catch:
> They have to break in, get it installed and remain unnoticed.
>
> If the above already happened, it is usually possible to detect if a
> rootkit is installed on your system. For those who have been following
> this newsletter recently, you are aware of checksum and integrity
> checking programs' value -- such as Tripwire (http://www.tripwire.com).
> With a clean database of checksums for all your system, you can be
> reasonably sure of which files have been the victim of tampering.
>
> Also available, Rkdet (http://vancouver-webpages.com/rkdet/) is a daemon
> intended to catch someone installing a rootkit or running a packet
> sniffer. Designed to run continually with a small footprint under an
> innocuous name, when triggered it sends email, appends to a log file,
> and disables networking or halts the system.
>
> Some of you, undoubtedly, are already writing your complaints about that
> reckless author teaching readers about a rootkit. Before you gather the
> mob and light the torches, please remember one important thing: This is
> no secret. Anyone can perform a quick search and have their hands on a
> rootkit within minutes. In fact, I recommend downloading one to explore
> how deeply they can infect a system because a weekly column cannot cover
> the complexity of a rootkit.
>
> Every system needs protection from this threat and to protect yourself
> against anything, you must first understand it. For example, how else do
> you expect to keep from being shot if you have no grasp of what a gun is
> or how it works? Remember, do not be afraid of the rootkit you detect,
> be afraid of the one you cannot see but know is there.
>
>
> Resources
>
> Use a honey pot to catch hackers
> http://www2.itworld.com/cma/ett_article_frame/0,2848,1_1957,00.html
>
> Attacking Linux
> To stop an attacker, think like a cracker
> http://www.linuxworld.com/linuxworld/lw-2000-08/lw-08-expo00-hacking.html
>
> Symantec targets enterprise with desktop firewall
> http://www2.itworld.com/cma/ett_article_frame/0,,1_2348.html
>
> Battling a DDoS attack
> http://www2.itworld.com/cma/ett_article_frame/0,2848,1_2338,00.html
>
> *********************************************************************
> STAY CONNECTED
>
> Java Security
> Educate yourself on current problems in Java security. From holes in the
> Java security model to hostile applets, this newsletter offers
> preventative measures and counter-attacks for your Java security needs.
> http://www.itworld.com/cgi-bin/w3-msql/newsletters/subcontent12.html
>
> *********************************************************************
> COMMUNITY DISCUSSIONS
>
> Web Security
> Delve into the gory technical details of Web security, debate community
> politics, get help, and share your expertise in this discussion for
> security pros of all stripes.
> http://forums.itworld.com/webx?14@@.ee6b67b/66!skip=20
>
> *********************************************************************
>
> About the author
> ----------------
> Rick Johnson is currently the Manager of Security Services for
> FusionStorm, a remote managed services company. When not writing, he
> heads the development team for PMFirewall, an Ipchains Firewall and
> Masquerading Configuration Utility for Linux. Rick can be contacted via
> email at rick@pointman.org or on the web at http://www.pointman.org.
>
> *********************************************************************
> IT JOB SPOT (TM)
>
> This week's featured job from ITcareers.com:
>
> MITRE (Bedford, MA) -- Sr. Unix Systems Administrator
>
> Use every square inch of your brain -- enjoy every last minute of your
> day -- when you join MITRE. You're in the driver's seat on multiple
> corporate UNIX Oracle servers with on-going responsibility for
> scripting and problem solving related to operating system, layered
> products, and infrastructure applications. You'll also provide support
> on file system management and volume management. Requires flexibility
> to work through both scheduled and emergency system downtimes. Got
> Solaris? UNIX shell? Perl? Solid systems administration experience a
> must. NT a plus. Apply for this job and others at MITRE:
> http://ad.doubleclick.net/clk;1673997;4662576;d
>
> Request your free ITcareers.com white paper about successful online
> recruiting techniques from: info@itcareers.com
>
> *********************************************************************
> ITWORLD.COM SERVICES
>
> WEBCAST: Size does matter, but is more bandwidth necessarily better?
>
> Some experts think so. Others disagree and believe that adding QoS
> controls to current bandwidth is the "smarter" solution. Now you can
> take part in this debate, online during a FREE webcast. This Webcast is
> sponsored by IBM and Sitara Networks. Register NOW at:
> http://www.itworld.com/itwebcast/nw
>
> *********************************************************************
> CUSTOMER SERVICE
>
> You can subscribe or unsubscribe to any of your e-mail newsletters by
> updating your form at:
> http://www.itworld.com/cgi-bin/w3-msql/newsletters/subcontent12.html?
>
> For subscription changes that cannot be handled via the web, please send
> an email to our customer service dept: support@itworld.com
>
> *********************************************************************
> CONTACTS
>
> * For editorial comments, write Andrew Santosusso, Associate Editor,
>   Newsletters at: andrew_santosusso@itworld.com
> * For advertising information, write Dan Chupka, Account Executive at:
>   dan_chupka@itworld.com
> * For recruitment advertising information, write Jamie Swartz, Eastern
>   Regional Sales Manager at: jamie_swartz@itworld.com or Paul Duthie,
>   Western Regional Sales Manager at: paul_duthie@itworld.com
> * For all other inquiries, write Jodie Naze, Product Manager,
>   Newsletters at: jodie_naze@itworld.com
>
> *********************************************************************
>
> Copyright 2000 ITworld.com, Inc., All Rights Reserved.
>
> http://www.itworld.com
>
>
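The column's detection advice boils down to a clean database of checksums taken before the break-in, compared against the live system afterwards. The script below is an added example of that idea for this thread; it is not code from the newsletter, its author, or Tripwire. It scans a constructed stand-in for /bin built in a temporary directory, stores the baseline off the monitored tree, then simulates the two tampering tricks the column lists (a replaced ps whose size and timestamp match the original, and a sniffer log dropped alongside) and reports what the comparison catches. File names, contents and the baseline.json location are all constructed for the demo.

```python
"""Checksum baseline and integrity check, in the spirit of the Tripwire-style
databases the column recommends. Added example for this thread, not code from
the newsletter, its author, or Tripwire. The tree it scans is a constructed
stand-in for /bin, created in a temporary directory so the script runs offline."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash file content in chunks. Content, not the timestamp, is the evidence:
    a rootkit that restores mtime on a replaced binary still changes the hash."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record SHA-256, size and permission bits of every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Write the baseline outside the monitored tree. In practice it belongs on
    read-only or offline media: an intruder who can rewrite ps can rewrite a
    writable checksum file just as easily."""
    dest.write_text(json.dumps(baseline, sort_keys=True, indent=1))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the stored baseline and return the relative
    paths that were modified, added or removed."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake bin/, then simulate the tampering the
    column describes (trojaned ps with its timestamp put back, plus a sniffer log
    dropped next to it) and re-verify against the saved baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bin"
        root.mkdir()
        for name in ("ps", "ls", "netstat"):
            (root / name).write_bytes(b"#!/bin/sh\necho original " + name.encode() + b"\n")
        db = Path(tmp) / "baseline.json"  # constructed location, off the monitored tree
        save_baseline(build_baseline(root), db)

        # Simulated rootkit: replacement is the same size as the original and
        # the access/modification times are restored afterwards.
        victim = root / "ps"
        before = victim.stat()
        victim.write_bytes(b"#!/bin/sh\necho trojaned ps\n")
        os.utime(victim, ns=(before.st_atime_ns, before.st_mtime_ns))
        (root / ".sniffer.log").write_bytes(b"constructed sample log\n")

        return verify(root, load_baseline(db))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running it reports ps as modified and .sniffer.log as added even though size and mtime of ps are unchanged, which is exactly why the comparison is on content hashes rather than the metadata a rootkit's timestamp tools can forge. The column's caution about not trusting installed programs applies to the checker itself: hashing with a compromised interpreter or sha256 library tells you nothing, so real verification runs from known-good media against a baseline kept off the host.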