rootkit?

Scot L. Harris webid at cfl.rr.com
Sun Dec 11 16:57:51 UTC 2005


On Sun, 2005-12-11 at 10:25, William Case wrote:
> On Sun, 2005-12-11 at 00:44 -0500, Scot L. Harris wrote:
> > On Sun, 2005-12-11 at 00:31, Gene Heskett wrote:
> > > A friend of mine just reported he has been rooted, and his machine was 
> > > spewing spam in the name of the colonial bank.
> > 
> > > FWIW, chkrootkit didn't find it!
> > > 
> > 
> > Did you try rkhunter?  Would be interesting to know if it could see it.
> > 
> > > Whats the general removal procedure for this, and better yet, how did 
> > > they get in?
> > 
> > Once a system has been rooted the only action to take is to rebuild the
> > system from scratch, format the drives and install clean.  Be very
> > careful of anything backed up on the system since the root kit was
> > installed.
> > 
> 
> I think I know in a general kind of way.  But, what is a rootkit?

In general a rootkit is a set of tools that unauthorized people install
on systems to hide their access and maintain access.  The intent
generally is to conceal the cracker's access on the system.  This is
typically done by replacing certain executables such as ps, ls, and
others so the cracker's communications programs and channels can remain
hidden.  Effort is also made to clean up log files or prevent things
from being logged that would tip off the admin that someone is using the
system.  Additional back channels and/or time bombs may be left on the
system as well.  The basic idea is that once they have cracked a system,
they maintain access and hide that fact.

You can use things like tripwire and rpm to try and find all of the
modified code.  However, unless you have been trained and spend a lot of
time doing forensics-type work, it is going to be quicker and surer to
rebuild the system from scratch and restore data from pre-break-in
backups.  Most admins are not trained in computer forensics.
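An added example, not part of Scot's message or any Fedora tooling, of the "use rpm to find the modified code" step: a small sh script that triages `rpm -Va` verify output and flags content changes on the binaries a rootkit typically replaces (ps, ls and friends). The SUSPECT_BINARIES list and the SAMPLE lines are constructed for illustration, not captured from a real host. Two caveats a practitioner should keep in mind: on a rooted box the rpm binary, its libraries and the rpm database may themselves be trojaned, so run the check from a trusted boot medium against the mounted disk (rpm -Va --root /mnt/victim), and rpm -V only sees files it installed, so a kit dropped into an unpackaged directory (or a kernel module hiding the files altogether) will not show up; that is why the message's advice to rebuild still stands.

```shell
#!/bin/sh
# Added example (not from the original post): triage `rpm -Va` verify output
# for files a rootkit would replace. SAMPLE below is constructed, not captured.
#
# Each rpm -V line is: 9 attribute flags, an optional file type (c = config,
# d = doc, ...), then the path. Flag letters: S size, M mode, 5 digest,
# D device, L symlink target, U user, G group, T mtime, P capabilities;
# '.' = attribute unchanged, '?' = could not be tested. The word "missing"
# replaces the flags when the file is gone entirely.

# Hypothetical list: binaries the message says rootkits swap out (ps, ls, "others").
SUSPECT_BINARIES="/bin/ps /bin/ls /bin/netstat /usr/bin/top /usr/bin/find /bin/login"

is_suspect() {
    for b in $SUSPECT_BINARIES; do
        [ "$1" = "$b" ] && return 0
    done
    return 1
}

# Reads rpm -Va output on stdin and prints one triage line per entry:
#   ALERT suspect <path> <flags>   content changed on a rootkit-target binary
#   ALERT changed <path> <flags>   content changed on any other non-config file
#   ALERT missing <path>           packaged file removed
#   INFO config <path> <flags>     config file changed (often legitimate)
#   INFO mtime <path>              timestamp differs but contents are intact
rpm_verify_triage() {
    while read -r flags a b; do
        [ -z "$flags" ] && continue
        if [ "$flags" = "missing" ]; then
            echo "ALERT missing $a"
            continue
        fi
        # With a type column present, $a is the type and $b the path.
        if [ -n "$b" ]; then type="$a"; path="$b"; else type=""; path="$a"; fi
        # Content changed if size (col 1), mode (col 2) or digest (col 3) differ.
        content_changed=0
        case "$flags" in
            S*|?M*|??5*) content_changed=1 ;;
        esac
        if [ "$type" = "c" ]; then
            echo "INFO config $path $flags"
        elif [ "$content_changed" = 1 ]; then
            if is_suspect "$path"; then
                echo "ALERT suspect $path $flags"
            else
                echo "ALERT changed $path $flags"
            fi
        else
            echo "INFO mtime $path"
        fi
    done
}

# Constructed sample resembling rpm -Va output on a rooted host.
SAMPLE='S.5....T.    /bin/ps
S.5....T.    /bin/ls
.......T.    /usr/bin/top
S.5....T.  c /etc/ssh/sshd_config
missing     /bin/netstat
SM5....T.    /sbin/ifconfig'

# Stand-alone run on the constructed sample. On a real host, from trusted
# media, you would instead pipe: rpm -Va --root /mnt/victim | rpm_verify_triage
printf '%s\n' "$SAMPLE" | rpm_verify_triage
```

The distinction the script draws matters in practice: a digest or size change on /bin/ps is a rootkit signature, a digest change on a config file is usually the admin's own edit, and an mtime-only difference is noise from a package upgrade or a touch. Treat every ALERT on a SUSPECT binary as confirmation, not as a list of things to repair one by one.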
More information about the fedora-list mailing list