[oclug] r00tk1t
Strosberg, Bill
bill.strosberg at rcpsc.edu
Thu Mar 7 15:43:29 EST 2002
> From: Ross Jordan [mailto:rjordan at student.math.uwaterloo.ca]
> Sent: Thursday, March 07, 2002 2:25 PM
> To: oclug at lists.oclug.on.ca
> Subject: Re: [oclug] r00tk1t
>
>
> >
> > From the list below, I gather the rootkit stuff only whacks the
> > binaries, and not the kernel itself. So, one could "cat" through
> > /proc instead of using `ps', for looking for errant
> > processes. Also,
> > one could use the emacs directory editor to look for files. It's
> > curious that "find" and "echo" aren't whacked (echo * makes for a
> > jiffy ls, especially if your PATH is hosed, or worse, your /bin).
>
> One way I remember hearing to "discover" hidden processes was to go
> through every pid from 0..max(PID) and send a SIGCONT. Compare
> success to what ps tells you should be there. Of course, one needs
> a good kill or other signal sending program...
All:
Unfortunately (or fortunately for me) I've gained experience in "rooting
out" a few root-kitted boxes. The standard rootkits do not seem to pay
attention to the lsof command, although I'm sure they will be doing so soon.
Running a quick "lsof | grep LISTEN" ... MAY ... show any listening programs
running on your connection, and give you a quick (and usually) reliable
indication of the state of the system. If you notice ANYTHING running you
can not specifically explain, including "standard" services that you didn't
think you were running, you need to disconnect the Ethernet and look deeper
immediately.
Although I'm sure David is right about the /proc kernel hack, it is probably
a good idea to dump the state of the proc filesystem to file(s) on CDR to
capture any running programs, and once that is done, running "strings
<file>" against suspicious binaries contained in the dump is a good idea.
It is pretty easy to identify hakk3r pr0gz - just like taggers (graffiti
artistes), they've got a recognizable dialect and language that's easy to spot.
Another place to look is in the /tmp filesystem and also in the
/usr/share/man tree.
If you are bored, and have an extra box to spare, try installing a default
"server" config for DeadHat 6.2 and connecting it to the Internet for a
controlled and directly monitored period. You'll have a case study in a box
- no waiting! BUT, as soon as your IDS (you are running Snort in "stealth"
mode aren't you?) indicates it's cracked, get it off your connection. This
is known as playing with fire, but it can be a great learning experience.
--
Bill Strosberg
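A script along the lines of the /proc-versus-ps and signal-probe checks discussed in this thread, added here as an example and not code from any of the posters. It walks /proc, parses the output of the (possibly trojaned) ps binary, probes every PID with kill(pid, 0), which tests for existence without delivering a signal (swapped in for the SIGCONT the thread mentions, so stopped processes are not resumed), and reports PIDs the kernel knows about but ps does not. Assumes a Linux host with /proc mounted; the pid_max path and ps options are standard procps/Linux.

```python
import os
import subprocess

def proc_pids():
    """PIDs the kernel exposes as numeric directory names under /proc."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def parse_ps_pids(text):
    """Extract PIDs from `ps -eo pid=` output (one number per line)."""
    return {int(tok) for tok in text.split() if tok.isdigit()}

def ps_pids():
    """PIDs reported by the ps binary, which a rootkit may have replaced."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return parse_ps_pids(out)

def signal_probe(pids):
    """PIDs that exist according to kill(pid, 0): the kernel answers ESRCH only
    when there is no such process, EPERM when it exists but is not ours.
    Never probe pid 0 here: kill(0, 0) addresses the caller's whole process group."""
    alive = set()
    for pid in pids:
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive

def hidden_pids(kernel_view, tool_view):
    """PIDs present in the kernel's own view but missing from the tool's report."""
    return sorted(kernel_view - tool_view)

def self_visible():
    """Sanity check: this process must answer the probe and appear under /proc."""
    me = os.getpid()
    in_proc = me in proc_pids() if os.path.isdir("/proc") else True
    return in_proc and me in signal_probe([me])

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    seen_by_ps = ps_pids()
    views = (("/proc", proc_pids()), ("kill probe", signal_probe(range(1, pid_max + 1))))
    for label, view in views:
        for pid in hidden_pids(view, seen_by_ps):
            print(f"{label}: pid {pid} not reported by ps")
```

A short-lived process can legitimately appear in one view and not the other, so rerun before treating a single discrepancy as evidence of a hidden process.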