FW: Linux Security -- Rootkit

Author: Lucas Vogel
Date:  
Subject: FW: Linux Security -- Rootkit
Since we're talking about security today...

> -----Original Message-----
> From: ITworld Newsletters [mailto:itwnews@itwpub1.com]
> Sent: Tuesday, September 05, 2000 12:13 PM
> To:
> Subject: Linux Security -- Rootkit
>
>
> LINUX SECURITY --- September 05, 2000
> Published by ITworld.com, the IT problem-solving network
> http://www.itworld.com/newsletters
>
> *********************************************************************
> HIGHLIGHTS
>
> * Defending against the rootkit and cleaning up after one has already
> crashed the party
> * Community Discussion: Is PKI providing strong authentication?
>
> SERVICES
>
> * IT Job Spot: Sr. Unix Systems Administrator -- Bedford, MA
> * Webcast: Is more bandwidth necessarily better?
>
> *********************************************************************
> The Dreaded Rootkit
> by Rick Johnson
>
> Just hearing the word "Rootkit" should make you shudder with a feeling
> of uncertainty. It is, by far, any System Administrator's worst
> nightmare. Imagine not being able to trust your own installed programs.
> What if every command you executed was lying to you?
>
> A collection of files that replace existing programs, a rootkit
> maliciously hides certain processes or activities and gains root level
> access. Typically, the rootkit includes a sample of the following:
>
>     * A network sniffer for logging passwords
>     * Replacement binaries to hide the rootkit and its log files. Those
>       usually replaced include ps, du, ls, ifconfig, netstat, find,
>       lsof, and top.
>     * Programs to remove log entries from wtmp, messages and lastlog.
>     * Tools to modify timestamp and checksum entries for replacement
>       binaries.
>     * Replacements for daemons, such as telnet or ftp, with ones that
>       contain a backdoor.
>     * Plus many other assorted goodies!
>
> Most script kiddies take to using their newly downloaded rootkit with
> little or no modification; this gives you a shot at identifying the one
> installed on your system and, therefore, a head start on cleanup.
> However, any malicious hacker worthy of the title knows how to write a
> rootkit and already has done so. Of course, there is one small catch:
> They have to break in, get it installed and remain unnoticed.
>
> If the above already happened, it is usually possible to detect if a
> rootkit is installed on your system. For those who have been following
> this newsletter recently, you are aware of checksum and integrity
> checking programs' value -- such as Tripwire (http://www.tripwire.com).
> With a clean database of checksums for all your system, you can be
> reasonably sure of which files have been the victim of tampering.
>
> Also available, Rkdet (http://vancouver-webpages.com/rkdet/) is a daemon
> intended to catch someone installing a rootkit or running a packet
> sniffer. Designed to run continually with a small footprint under an
> innocuous name, when triggered it sends email, appends to a log file,
> and disables networking or halts the system.
>
> Some of you, undoubtedly, are already writing your complaints about that
> reckless author teaching readers about a rootkit. Before you gather the
> mob and light the torches, please remember one important thing: This is
> no secret. Anyone can perform a quick search and have their hands on a
> rootkit within minutes. In fact, I recommend downloading one to explore
> how deeply they can infect a system because a weekly column cannot cover
> the complexity of a rootkit.
>
> Every system needs protection from this threat and to protect yourself
> against anything, you must first understand it. For example, how else do
> you expect to keep from being shot if you have no grasp of what a gun is
> or how it works? Remember, do not be afraid of the rootkit you detect,
> be afraid of the one you cannot see but know is there.
>
>
> Resources
>
> Use a honey pot to catch hackers
> http://www2.itworld.com/cma/ett_article_frame/0,2848,1_1957,00.html
>
> Attacking Linux
> To stop an attacker, think like a cracker
> http://www.linuxworld.com/linuxworld/lw-2000-08/lw-08-expo00-hacking.html
>
> Symantec targets enterprise with desktop firewall
> http://www2.itworld.com/cma/ett_article_frame/0,,1_2348.html
>
> Battling a DDoS attack
> http://www2.itworld.com/cma/ett_article_frame/0,2848,1_2338,00.html
>
> ************************************************************************
> STAY CONNECTED
>
> Java Security
> Educate yourself on current problems in Java security. From holes in the
> Java security model to hostile applets, this newsletter offers
> preventative measures and counter-attacks for your Java security needs.
> http://www.itworld.com/cgi-bin/w3-msql/newsletters/subcontent12.html
>
> ************************************************************************
> COMMUNITY DISCUSSIONS
>
> Web Security
> Delve into the gory technical details of Web security, debate community
> politics, get help, and share your expertise in this discussion for
> security pros of all stripes.
> http://forums.itworld.com/webx?14@@.ee6b67b/66!skip=20
>
> ************************************************************************
>
> About the author
> ----------------
> Rick Johnson is currently the Manager of Security Services for
> FusionStorm, a remote managed services company. When not writing, he
> heads the development team for PMFirewall, an Ipchains Firewall and
> Masquerading Configuration Utility for Linux. Rick can be contacted via
> email at or on the web at http://www.pointman.org.
>
> *********************************************************************
> IT JOB SPOT (TM)
>
> This week's featured job from ITcareers.com:
>
> MITRE (Bedford, MA) -- Sr. Unix Systems Administrator
>
> Use every square inch of your brain -- enjoy every last minute of your
> day -- when you join MITRE. You're in the driver's seat on multiple
> corporate UNIX Oracle servers with on-going responsibility for
> scripting and problem solving related to operating system, layered
> products, and infrastructure applications. You'll also provide support
> on file system management and volume management. Requires flexibility
> to work through both scheduled and emergency system downtimes. Got
> Solaris? UNIX shell? Perl? Solid systems administration experience a
> must. NT a plus. Apply for this job and others at MITRE:
> http://ad.doubleclick.net/clk;1673997;4662576;d
>
> Request your free ITcareers.com white paper about successful online
> recruiting techniques from:
>
> *********************************************************************
> ITWORLD.COM SERVICES
>
> WEBCAST: Size does matter, but is more bandwidth necessarily better?
>
> Some experts think so. Others disagree and believe that adding QoS
> controls to current bandwidth is the "smarter" solution. Now you can take
> part in this debate, online during a FREE webcast. This Webcast is
> sponsored by IBM and Sitara Networks. Register NOW at:
> http://www.itworld.com/itwebcast/nw
>
> *********************************************************************
> CUSTOMER SERVICE
>
> You can subscribe or unsubscribe to any of your e-mail newsletters by
> updating your form at:
> http://www.itworld.com/cgi-bin/w3-msql/newsletters/subcontent12.html?
>
> For subscription changes that cannot be handled via the web, please send
> an email to our customer service dept:
>
> *********************************************************************
> CONTACTS
>
> * For editorial comments, write Andrew Santosusso, Associate Editor,
> Newsletters at:
> * For advertising information, write Dan Chupka, Account Executive at:
>
> * For recruitment advertising information, write Jamie Swartz, Eastern
> Regional Sales Manager at: or Paul Duthie, Western Regional Sales
> Manager at:
> * For all other inquiries, write Jodie Naze, Product Manager,
> Newsletters at:
>
> *********************************************************************
>
> Copyright 2000 ITworld.com, Inc., All Rights Reserved.
>
> http://www.itworld.com
>
>
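The forwarded column's advice rests on a trusted checksum database of system binaries (the Tripwire approach). The following is an added example, not code from the newsletter or from Tripwire: a minimal baseline-and-compare checker in Python that hashes a set of files, then reports which ones changed, went missing, or appeared. The `demo()` function builds a constructed scratch "bin" directory with fake `ps`, `ls` and `netstat` scripts, replaces `ps`, and restores its original modification time the way the column says rootkit timestamp tools do; the content hash still exposes the swap. All file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile

def file_record(path):
    """Content hash plus the metadata a rootkit's timestamp tools try to fake."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "mtime": int(st.st_mtime)}

def build_baseline(paths):
    """Snapshot of trusted files; in practice keep it on read-only or off-host media."""
    return {p: file_record(p) for p in paths if os.path.isfile(p)}

def check_baseline(baseline, paths):
    """Report files whose content hash differs from the baseline, plus missing/new ones."""
    current = build_baseline(paths)
    changed = [p for p in baseline if p in current
               and current[p]["sha256"] != baseline[p]["sha256"]]
    return {"changed": sorted(changed),
            "missing": sorted(p for p in baseline if p not in current),
            "new": sorted(p for p in current if p not in baseline)}

def demo():
    """Constructed scenario: a scratch 'bin' directory, a baseline, then one
    binary replaced with its original mtime restored (as rootkit installers do)."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("ps", "ls", "netstat")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho original " + os.path.basename(p).encode() + b"\n")
    baseline = build_baseline(paths)
    target = paths[0]
    before = os.stat(target)
    with open(target, "wb") as f:
        f.write(b"#!/bin/sh\necho trojaned ps\n")
    os.utime(target, (before.st_atime, before.st_mtime))  # forged timestamp
    report = check_baseline(baseline, paths)
    # The forged timestamp does not help: the content hash still differs.
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}

if __name__ == "__main__":
    print(demo())
```

The check is only as good as the baseline's storage: a database kept writable on the compromised host is exactly what the "tools to modify timestamp and checksum entries" in the column are built to edit.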