FW: Linux Security -- Rootkit

Lucas Vogel lvogel@exponent.com
Wed, 6 Sep 2000 09:55:28 -0700


Since we're talking about security today...

> -----Original Message-----
> From: ITworld Newsletters [mailto:itwnews@itwpub1.com]
> Sent: Tuesday, September 05, 2000 12:13 PM
> To: vogell@yahoo.com
> Subject: Linux Security -- Rootkit 
> 
> 
> LINUX SECURITY --- September 05, 2000
> Published by ITworld.com, the IT problem-solving network
> http://www.itworld.com/newsletters
> 
> *********************************************************************
> HIGHLIGHTS
> 
> * Defending against the rootkit and cleaning up after one has already 
>   crashed the party
> * Community Discussion:  Is PKI providing strong authentication?
> 
> ********************************************************************* 
> The Dreaded Rootkit
> by Rick Johnson
> 
> Just hearing the word "Rootkit" should make you shudder with a feeling
> of uncertainty. It is, by far, any System Administrator's worst
> nightmare. Imagine not being able to trust your own installed programs.
> What if every command you executed was lying to you?
> 
> A collection of files that replace existing programs, a rootkit
> maliciously hides certain processes or activities and gains root level
> access. Typically, the rootkit includes a sample of the following:
> 
>     * A network sniffer for logging passwords
>     * Replacement binaries to hide the rootkit and its log files. Those
>       usually replaced include ps, du, ls, ifconfig, netstat, find,
>       lsof, and top.
>     * Programs to remove log entries from wtmp, messages and lastlog.
>     * Tools to modify timestamp and checksum entries for replacement 
>       binaries.
>     * Replacements for daemons, such as telnet or ftp, with ones that 
>       contain a backdoor.
>     * Plus many other assorted goodies!
> 
> Most script kiddies take to using their newly downloaded rootkit with
> little or no modification; this gives you a shot at identifying the one
> installed on your system and, therefore, a head start on cleanup.
> However, any malicious hacker worthy of the title knows how to write a
> rootkit and already has done so. Of course, there is one small catch:
> They have to break in, get it installed and remain unnoticed.
> 
> If the above already happened, it is usually possible to detect if a
> rootkit is installed on your system. For those who have been following
> this newsletter recently, you are aware of checksum and integrity
> checking programs' value -- such as Tripwire (http://www.tripwire.com).
> With a clean database of checksums for all your system, you can be
> reasonably sure of which files have been the victim of tampering.
> 
> Also available, Rkdet (http://vancouver-webpages.com/rkdet/) is a daemon
> intended to catch someone installing a rootkit or running a packet
> sniffer. Designed to run continually with a small footprint under an
> innocuous name, when triggered it sends email, appends to a log file,
> and disables networking or halts the system.
>  
> Some of you, undoubtedly, are already writing your complaints about that
> reckless author teaching readers about a rootkit. Before you gather the
> mob and light the torches, please remember one important thing:  This is
> no secret. Anyone can perform a quick search and have their hands on a
> rootkit within minutes. In fact, I recommend downloading one to explore
> how deeply they can infect a system because a weekly column cannot cover
> the complexity of a rootkit.
> 
> Every system needs protection from this threat and to protect yourself
> against anything, you must first understand it. For example, how else do
> you expect to keep from being shot if you have no grasp of what a gun is
> or how it works? Remember, do not be afraid of the rootkit you detect,
> be afraid of the one you cannot see but know is there.
> 
> 
> Resources
> 
> Use a honey pot to catch hackers
> http://www2.itworld.com/cma/ett_article_frame/0,2848,1_1957,00.html
> 
> Attacking Linux 
> To stop an attacker, think like a cracker
> http://www.linuxworld.com/linuxworld/lw-2000-08/lw-08-expo00-hacking.html
> 
> Symantec targets enterprise with desktop firewall    
> http://www2.itworld.com/cma/ett_article_frame/0,,1_2348.html
> 
> Battling a DDoS attack
> http://www2.itworld.com/cma/ett_article_frame/0,2848,1_2338,00.html
> 
> *********************************************************************
> STAY CONNECTED
> 
> Java Security
> Educate yourself on current problems in Java security. From holes in the
> Java security model to hostile applets, this newsletter offers
> preventative measures and counter-attacks for your Java security needs.
> http://www.itworld.com/cgi-bin/w3-msql/newsletters/subcontent12.html
> 
> *********************************************************************
> COMMUNITY DISCUSSIONS
> 
> Web Security
> Delve into the gory technical details of Web security, debate community
> politics, get help, and share your expertise in this discussion for
> security pros of all stripes.
> http://forums.itworld.com/webx?14@@.ee6b67b/66!skip=20
> 
> *********************************************************************
> 
> About the author
> ----------------
> Rick Johnson is currently the Manager of Security Services for
> FusionStorm, a remote managed services company. When not writing, he
> heads the development team for PMFirewall, an Ipchains Firewall and
> Masquerading Configuration Utility for Linux.  Rick can be contacted via
> email at rick@pointman.org or on the web at http://www.pointman.org.
>  
> *********************************************************************
> 
> Copyright 2000 ITworld.com, Inc., All Rights Reserved. 
> 
> http://www.itworld.com
> 
>
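The checksum and integrity-checking approach the forwarded newsletter recommends (a clean baseline of file hashes, Tripwire-style) is shown below as an added example; it is not part of the newsletter and is not Rick Johnson's or Tripwire's code. It builds a baseline of hashes plus inode metadata, seals the database with an HMAC so that the database itself cannot be quietly edited, and then diffs a later snapshot against it. The `demo()` function is a constructed scenario in a temporary directory with dummy "binaries", a placeholder key, and one file swapped for a same-size replacement whose mtime is reset the way the article's timestamp-fixing tools would. The key value, file names and the scenario are assumptions for illustration only.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile
import time

# Inode fields recorded alongside the hash. ctime is deliberately included:
# utime() can reset mtime, but ctime cannot be set from userland without
# moving the system clock, so a "fixed" mtime with a moved ctime is a tell.
META_FIELDS = ("mode", "uid", "gid", "size")


def hash_file(path, block=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Record hash and inode metadata for each path (lstat: symlinks are not followed)."""
    db = {}
    for p in paths:
        st = os.lstat(p)
        entry = {"mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid,
                 "size": st.st_size, "mtime_ns": st.st_mtime_ns,
                 "ctime_ns": st.st_ctime_ns}
        if stat.S_ISREG(st.st_mode):
            entry["sha256"] = hash_file(p)
        elif stat.S_ISLNK(st.st_mode):
            entry["target"] = os.readlink(p)
        db[p] = entry
    return db


def seal(db, key):
    """Serialize the baseline and append an HMAC; the key must live off the host."""
    payload = json.dumps(db, sort_keys=True).encode()
    tag = hmac.new(key, payload, "sha256").hexdigest().encode()
    return payload + b"\n" + tag


def unseal(blob, key):
    """Verify the HMAC before trusting anything in the baseline database."""
    payload, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, payload, "sha256").hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline database failed HMAC check")
    return json.loads(payload)


def compare(baseline, current):
    """Return {path: [reasons]} for every entry that differs between snapshots."""
    findings = {}
    for p in sorted(set(baseline) | set(current)):
        if p not in current:
            findings[p] = ["missing"]
            continue
        if p not in baseline:
            findings[p] = ["not in baseline"]
            continue
        old, new = baseline[p], current[p]
        reasons = [f"{k} changed" for k in ("sha256", "target") + META_FIELDS
                   if old.get(k) != new.get(k)]
        if reasons and old["mtime_ns"] == new["mtime_ns"]:
            reasons.append("content changed but mtime identical: timestamp reset suspected")
        if old["ctime_ns"] != new["ctime_ns"]:
            reasons.append("ctime changed: inode touched since baseline")
        if reasons:
            findings[p] = reasons
    return findings


def demo():
    """Constructed scenario (assumption): two dummy 'binaries', one trojaned in place."""
    key = b"placeholder-key-keep-on-read-only-media"  # assumed value for the demo
    with tempfile.TemporaryDirectory() as d:
        ls, ps, top = (os.path.join(d, n) for n in ("ls", "ps", "top"))
        for p in (ls, ps):
            with open(p, "wb") as fh:
                fh.write(b"#!/bin/sh\necho legit\n")
        blob = seal(snapshot([ls, ps]), key)
        time.sleep(0.2)  # let inode timestamps advance past the baseline
        st = os.lstat(ls)
        with open(ls, "wb") as fh:
            fh.write(b"#!/bin/sh\necho EVIL!\n")  # same size, different content
        os.utime(ls, ns=(st.st_atime_ns, st.st_mtime_ns))  # backdate mtime
        os.remove(ps)  # a tracked binary disappears
        with open(top, "wb") as fh:
            fh.write(b"new binary")  # an untracked file appears
        findings = compare(unseal(blob, key), snapshot([ls, top]))
        forged = blob.replace(b'"uid"', b'"uid_"', 1)  # edit the sealed database
        try:
            unseal(forged, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"findings": {os.path.basename(k): v for k, v in findings.items()},
            "baseline_tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats follow directly from the article's component list. Because the kit replaces ls, find and friends, the checker and its Python interpreter must come from trusted media, not from the suspect host, and the sealed baseline and its key belong on something the host cannot write to. And a kernel-resident rootkit can lie to open() and read() as easily as to ps, so a user-space integrity check is only as trustworthy as the kernel it runs under; booting from clean media for the comparison removes that dependency.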