O'Reilly Network: Understanding Rootkits

Warren Togami warren at togami.com
Thu Dec 20 13:45:27 PST 2001


http://www.linuxtoday.com/news_story.php3?ltsn=2001-12-20-014-20-SC-HL

"A rootkit is a collection of tools an intruder brings along to a
victim computer after gaining initial access. A rootkit generally
contains network sniffers, log-cleaning scripts, and trojaned
replacements of core system utilities such as ps, netstat, ifconfig, and
killall. Although the intruders still need to break into a victim system
before they can install their rootkits, the ease-of-use and the amount
of destruction they cause make rootkits a big threat for system
administrators. 

The main purpose of a rootkit is to allow intruders to come back to the
compromised system later and access it without being detected. A rootkit
makes this very easy by installing a backdoor remote-access daemon, such
as a modified version of telnetd or sshd. These will often run on a
different port than the one that these daemons listen on by default. 

Most rootkits also come with modified system binaries that replace the
existing ones on the target system. At a minimum, core binaries such as
ps, w, who, netstat, ls, find, and other binaries that can be used in
monitoring server activity, are replaced so intruders and the processes
they run are invisible to an unsuspecting system administrator."

Complete Story
http://linux.oreillynet.com/pub/a/linux/2001/12/14/rootkit.html
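A cross-view check against the trojaned ps and netstat the article describes, as an added example that is not part of the post or the article: the kernel's /proc still lists every process and listening socket, so anything the user-space tools omit stands out. It assumes Linux with a procps-style ps and a net-tools netstat; the sample views are constructed.

```python
"""Cross-view check for a rootkit's trojaned ps and netstat (added example,
not code from the article or the LUAU post). Trojaned ps/netstat omit the
intruder's processes and backdoor port; the kernel's /proc still reports both."""
import os
import subprocess

def pids_from_proc(entries):
    """Numeric directory names under /proc are PIDs."""
    return {int(n) for n in entries if n.isdigit()}

def pids_from_ps(text):
    """Parse `ps -eo pid=` output: one PID per line, no header."""
    return {int(t) for t in text.split() if t.isdigit()}

def listen_ports_from_proc_net_tcp(text):
    """Parse /proc/net/tcp: field 1 is hex ip:port, field 3 is state (0A = LISTEN)."""
    rows = (line.split() for line in text.splitlines()[1:])  # skip header row
    return {int(f[1].rsplit(":", 1)[1], 16) for f in rows if len(f) > 3 and f[3] == "0A"}

def ports_from_netstat(text):
    """Parse `netstat -lnt` output: the Local Address column is ip:port."""
    rows = (line.split() for line in text.splitlines())
    return {int(f[3].rsplit(":", 1)[1]) for f in rows if len(f) >= 4 and f[0].startswith("tcp")}

def compare(proc_entries, ps_text, net_tcp_text, netstat_text):
    """Return (PIDs absent from ps, LISTEN ports absent from netstat)."""
    return (pids_from_proc(proc_entries) - pids_from_ps(ps_text),
            listen_ports_from_proc_net_tcp(net_tcp_text) - ports_from_netstat(netstat_text))

def live_check():
    """Run on this host; drop PIDs that exited between the two snapshots."""
    run = lambda cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    with open("/proc/net/tcp") as fh:
        pids, ports = compare(os.listdir("/proc"), run(["ps", "-eo", "pid="]),
                              fh.read(), run(["netstat", "-lnt"]))
    return {p for p in pids if os.path.exists(f"/proc/{p}")}, ports

# Constructed sample views: PID 9001 and TCP port 54321 (hex D431) are in the
# kernel's view but missing from the hypothetically trojaned tool output.
SAMPLE_PROC = ["1", "2", "4242", "9001", "self", "cpuinfo", "net"]
SAMPLE_PS = "    1\n    2\n 4242\n"
SAMPLE_NET_TCP = ("  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode\n"
                  "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1 1\n"
                  "   1: 00000000:D431 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2 1\n"
                  "   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000 0 0 3 1\n")
SAMPLE_NETSTAT = ("Proto Recv-Q Send-Q Local Address     Foreign Address   State\n"
                  "tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN\n")
```

A rootkit that patches the kernel or hooks /proc itself defeats this comparison, so treat it as a cheap first look rather than a substitute for verifying the binaries against known-good copies from read-only media.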
