Re: [OT] Rootkit queston

From: Richard B. Johnson
Date: Mon Dec 01 2003 - 17:18:01 EST


On Mon, 1 Dec 2003, Markus [ISO-8859-1] Hästbacka wrote:

> Hello all!
>
> I've been wondering about what is a rootkit and how it works?

It's some crap thrown together for the express purpose of
running a command-shell with root privileges on a system
being attacked. The binary load is usually fed in using
some kind of exploit such as overwriting a buffer in some
privileged program.

You fix that problem by upgrading any program found to
be susceptible to attack. If you have an old system, you
might wish to upgrade:

inetd
sendmail
ftpd
tftpd
/usr/sbin/in.*
dump
... and any other program that runs suid.

In particular, do not run inetd. Run xinetd instead.
You can check for a common 'root attack', if you have inetd,
by looking at the last few lines in /etc/inetd.conf.
It may have some access port added that allows anybody
who knows about it to log in as root from the network.

It will look something like this:

# End of inetd.conf.
4002 stream tcp nowait root /bin/bash --

In this case, port 4002 will allow access to a root shell
that has no terminal processing, but an attacker can use this
to get complete control of your system. FYI, this is a 5-year-old
attack, long obsolete if you have a "store-bought" distribution
more recent.

> I've been paranoid after I heard that the debian project got
> "rootkitted", I ran chkrootkit, and it said that it's possible that I
> have a LKM rootkit installed, but the website told me that it's possible
> that the LKM test gives wrong information with recent kernels (Running
> 2.4.22 now).
>
> These processes "were hidden from ps command":
> root 0 0.0 0.0 0 0 ? SWN Oct28 0:01
> [ksoftirqd_CPU0]
> root 0 0.0 0.0 0 0 ? SW Oct28 4:27 [kswapd]
> root 0 0.0 0.0 0 0 ? SW Oct28 0:00 [bdflush]
> root 0 0.0 0.0 0 0 ? SW Oct28 0:01
> [kupdated]
>
> They seem to have PID 0, is this normal?

Yes. These are kernel threads.

[SNIPPED...]

Cheers,
Dick Johnson
Penguin : Linux version 2.4.22 on an i686 machine (797.90 BogoMips).
Note 96.31% of all statistics are fiction.


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/