I. What is a rootkit?
Before explaining what a rootkit is, we first have to explain what "Trojaned System Commands" are.
"Trojaned System Commands" translates as "Trojan horse programs" (or "trojaned system commands").
Everyone surely knows the story of the Trojan Horse and the fall of Troy?!
A program that on the surface looks like a normal program, but has in fact quietly replaced the real one and left a special backdoor in the system so that the intruder can come back later, control the host covertly, or carry out destructive actions: that is what we call a Trojan horse program, commonly known as a backdoor or Trojan.
When such a program has been planted on a host, we say the host has been trojaned.
Trojans come from roughly the following sources:
The system is broken into and the Trojan is planted by a cracker
A trap carefully set on the host by an ordinary (unprivileged) user
Running a program of unknown origin
Installing a software package that has been tampered with
Infection by a network worm
Of these, three are the most common: break-ins, worm infections, and running programs of unknown origin.
In the break-in case, most crackers will not destroy the system immediately and obviously. Only the lowest tier of "hackers" do that, to show off, to pose, or to satisfy themselves: the script kiddies of the hacker world.
(In fact these people are not real hackers; they just take ready-made tools and attack known vulnerabilities.)
Typically they install a number of Trojans, replacing the normal programs so that the system keeps working and shows as little abnormality as possible, then leave a convenient backdoor for coming and going. Before leaving they clean up their traces (log files, shell history files) and slip away quietly. Whenever they feel like it, they come back in again, and again.....
(Top-tier hackers make no changes to the system at all; they notify the site owner of the vulnerability, and may even help fix it. They usually call this an "educational experiment", and it is how they earn respect and status in the hacker community.)
A so-called rootkit is a collection of these common Trojans that someone with an agenda has organized into a kit, so that a cracker attacking a host can compile and install the Trojans on the victim smoothly.
Some rootkits are purely experimental; there are also rootkits that are themselves trojaned, so that whoever tries the rootkit gets trojaned in turn. (A rootkit's rootkit?! ;-))
There are many kinds of rootkit. In a typical rootkit the Trojans are mostly distributed as source code, and many of them were gradually ported from early BSD UNIX systems, so traces of rootkits can be found on almost every platform, in endless variants and forms.
(I have a few dozen rootkits on hand: Linux, FreeBSD, Solaris, NT, W2K, Novell, DOS....)
In general, the common Trojans and tools found in a rootkit are:
bindshell
chfn
chsh
crontab
du
find
fix
ifconfig
inetd
killall
linsniffer
login
ls
netstat
passwd
pidof
ps
rshd
sniffchk
syslogd
tcpd
top
wted
z2
II. Symptoms of a rootkit:
After a host has been trojaned there is usually no major visible change. (The quality of the Trojan, however, makes a big difference.)
Even if the administrator watches the host with ps, netstat, lsof, top and similar programs, no strange processes will show up, because these commonly used commands have themselves been replaced by the cracker. In other words, what you see on the screen when you look through these Trojans is very likely faked! A Trojan is, after all, not the real program; it always differs from the original in some way. In the short term you may not notice, but over time it cannot fully reproduce the real functionality of the original program, and these differences will one day cause the host to behave abnormally.
So once you notice anything strange, the first thing to do is:
Suspect: does my host have a Trojan?!
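A trojaned ps can only lie in its own output; it cannot remove the /proc/<pid> directories the kernel keeps for the hidden processes. The following shell script, added here as an example and not taken from the page or from chkrootkit (whose chkproc check works on the same idea), lists the PIDs that exist under /proc but are missing from what ps reports. The sample PID lists at the bottom are constructed; the live scan only runs if /proc and ps are available. The caveat is in the header comment: a kernel-level rootkit (an LKM such as adore) can hide the /proc entries too, so this catches userland Trojans only.

```shell
#!/bin/sh
# Added example (not chkrootkit's code): cross-check the process list.
# A trojaned ps can hide an intruder's processes from its own output, but
# it cannot remove their /proc/<pid> directories; a PID that the kernel
# shows under /proc but ps does not report is therefore suspect.
# Caveat: a kernel-level rootkit (LKM) can hide /proc entries as well, so
# this only catches userland Trojans.

# hidden_pids "PROC_PIDS" "PS_PIDS"
#   Both arguments are whitespace-separated PID lists. Prints, one per
#   line in numeric order, every PID in PROC_PIDS that is absent from
#   PS_PIDS. Prints nothing when the two lists agree.
hidden_pids() {
    for pid in $1; do
        found=0
        for seen in $2; do
            if [ "$pid" = "$seen" ]; then found=1; break; fi
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$pid"
    done | sort -n
}

# hidden_count "PROC_PIDS" "PS_PIDS": number of suspect PIDs (0 = clean).
hidden_count() {
    hidden_pids "$1" "$2" | grep -c .
}

# proc_pids: PIDs the kernel exposes under /proc (Linux, or a BSD with
# procfs mounted).
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d#/proc/}"
    done
}

# ps_pids: PIDs as reported by the (possibly trojaned) ps binary.
ps_pids() {
    ps -e -o pid= 2>/dev/null
}

# scan_live: take a ps snapshot before and after the /proc listing, so a
# process that merely started or exited during the scan is not flagged.
scan_live() {
    before=$(ps_pids)
    procs=$(proc_pids)
    after=$(ps_pids)
    hidden_pids "$procs" "$before $after"
}

# Constructed sample: the kernel knows five PIDs, a trojaned ps hides 4321.
SAMPLE_PROC="1 2 250 251 4321"
SAMPLE_PS="1 2 250 251"
echo "sample scan, suspect PIDs:"
hidden_pids "$SAMPLE_PROC" "$SAMPLE_PS"        # prints 4321

if [ -d /proc ] && command -v ps >/dev/null 2>&1; then
    echo "live scan on this host, suspect PIDs (nothing listed = nothing hidden):"
    scan_live
fi
```

Run it twice before trusting a hit: a short-lived process can still slip between the snapshots, but a PID that is reported on both runs, and that `ls -l /proc/<pid>/exe` refuses to explain, deserves the full treatment of section IV.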
III. A simple check:
But suspicion alone gets you nowhere, and forever suspecting ghosts everywhere will sooner or later give the administrator a "nervous breakdown" ;-q
Make good use of tools!
Here we introduce chkrootkit, published at http://www.chkrootkit.org.
As the name suggests, chkrootkit is a handy tool that checks whether a rootkit is present.
chkrootkit can be used on the following platforms:
Linux 2.0.x, 2.2.x
FreeBSD 2.2.x, 3.x and 4.0
OpenBSD 2.6, 2.7 and 2.8 (if you care a lot about security, I recommend OpenBSD 2.8; that is what I run ^_^)
Solaris 2.5.1, 2.6 and 8.0
As of now (05/08/2001) the latest version is chkrootkit v0.32
It can detect the following rootkits and worms:
lrk3
lrk4
lrk5
lrk6 (and some variants)
Solaris rootkit
FreeBSD rootkit
t0rn (including t0rn v8)
Ambient's Rootkit for Linux (ARK)
Ramen Worm
rh[67]-shaper
RSHA
Romanian rootkit
RK17
Lion Worm
Adore Worm
LPD Worm
kenny-rk
Adore LKM
It mainly checks the following programs on the system:
basename
biff
chfn
chsh
cron
date
dirname
du
echo
env
find
fingerd
gpm
grep
identd
ifconfig
inetd
killall
login
ls
mingetty
netstat
passwd
pidof
pop2
pop3
ps
pstree
rlogind
rpcinfo
rshd
sendmail
sshd
su
syslogd
tar
tcpd
telnetd
timed
top
traceroute
write
Installation:
Installing and using chkrootkit is very simple! (See the FAQ at http://www.chkrootkit.org/)
Download
Download chkrootkit.tar.gz from http://www.chkrootkit.org
or chkrootkit-0.32.tar.gz from ftp.tnc.edu.tw/security/ (Careful! Is this one trojaned? ^_^ ....... Just kidding, don't take it seriously!)
Unpack
tar xvzf chkrootkit-0.32.tar.gz
Compile
cd chkrootkit-0.32
make sense
Run
./chkrootkit > chk.lst
Then read this text file to see whether any Trojan or worm was found.
The following is part of chk.lst, and it means the system should be clean. (Not 100%! But at least it gives some peace of mind.)
ROOTDIR is `/'
Checking `basename'... not vulnerable
Checking `biff'... not tested
Checking `chfn'... not vulnerable
Checking `chsh'... not vulnerable
Checking `cron'... not vulnerable
Checking `date'... not vulnerable
Checking `du'... not vulnerable
Checking `dirname'... not vulnerable
Checking `echo'... not vulnerable
Checking `env'... not vulnerable
Checking `find'... not vulnerable
Checking `fingerd'... not vulnerable
Checking `gpm'... not vulnerable
Checking `grep'... not vulnerable
Checking `su'... not vulnerable
Checking `ifconfig'... not vulnerable
Checking `inetd'... not vulnerable
Checking `identd'... not vulnerable
Checking `killall'... not vulnerable
Checking `login'... not vulnerable
Checking `ls'... not vulnerable
Checking `mail'... not vulnerable
Checking `mingetty'... not vulnerable
Checking `netstat'... not vulnerable
Checking `passwd'... not vulnerable
Checking `pidof'... not vulnerable
Checking `pop2'... not tested
Checking `pop3'... not tested
Checking `ps'... not vulnerable
Checking `pstree'... not vulnerable
Checking `rpcinfo'... not vulnerable
Checking `rlogind'... not vulnerable
Checking `rshd'... not vulnerable
Checking `sendmail'... not vulnerable
Checking `sshd'... not vulnerable
Checking `syslogd'... not vulnerable
Checking `tar'... not vulnerable
Checking `tcpd'... not vulnerable
Checking `top'... not vulnerable
Checking `telnetd'... not vulnerable
Checking `timed'... not vulnerable
Checking `traceroute'... not vulnerable
Checking `write'... not vulnerable
Checking `asp'... not vulnerable
Checking `bindshell'... not vulnerable
Checking `z2'... nothing deleted
Checking `wted'... nothing deleted
Checking `rexedcs'... not vulnerable
Checking `sniffer'...
eth0 is not promisc
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for rh-sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for rk17 files and dirs... nothing found
Searching for adore Worm... nothing found
Searching for anomalies in shell history files...
Checking `lkm'... nothing detected
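Reading a long chk.lst by eye is how findings get missed. The shell script below, added here as an example and not part of chkrootkit or of the original page, triages a saved report: every line that ends in a verdict chkrootkit uses for a clean result (not vulnerable, not infected, not tested, nothing found, nothing deleted, nothing detected, not promisc, no suspect files) is dropped, and whatever remains is printed. A line that ends in "..." with no verdict of its own is accepted only if the next line carries the verdict (the sniffer check prints its interface status that way); otherwise it is reported as "[no verdict]", which is exactly what happens to the "Searching for anomalies in shell history files..." line above. The two reports embedded in the script are constructed; the "INFECTED" and "Warning: Possible LKM Trojan installed" lines imitate the text chkrootkit prints for a hit but are made up for the demo.

```shell
#!/bin/sh
# Added example (not part of chkrootkit): triage a saved chkrootkit report
# such as chk.lst. Known-clean verdicts are filtered out, so whatever is
# left is either a finding or a check whose line carries no verdict.

# Verdicts chkrootkit prints for a clean result, matched case-insensitively
# at the end of the line. "not tested" is clean only in the sense that it is
# not a finding: the program was simply absent from the host.
CLEAN_VERDICTS='(not vulnerable|not infected|not tested|nothing found|nothing deleted|nothing detected|not promisc|no suspect files)[ \t]*$'

# report_findings FILE: print the report lines that are not a clean verdict.
# A line ending in "..." is held back; if the next line is a bare verdict
# (as after "Checking `sniffer'...") both are dropped, otherwise the held
# line is printed with "[no verdict]" so it gets a manual look.
report_findings() {
    awk -v clean="$CLEAN_VERDICTS" '
        function is_clean(s) { return tolower(s) ~ clean }
        function flush() { if (pending != "") { print pending "  [no verdict]"; pending = "" } }
        tolower($0) ~ /^rootdir is/ || /^[ \t]*$/ { next }
        {
            if (pending != "") {
                if (is_clean($0) && $0 !~ /^(Checking|Searching)/) { pending = ""; next }
                flush()
            }
            if (is_clean($0)) next
            if ($0 ~ /\.\.\.[ \t]*$/) { pending = $0; next }
            print
        }
        END { flush() }
    ' "$1"
}

# report_is_clean FILE: exit status 0 when report_findings prints nothing.
report_is_clean() {
    [ -z "$(report_findings "$1")" ]
}

WORK=$(mktemp -d)

# Constructed clean report, in the format of the chk.lst excerpt above.
cat > "$WORK/clean.lst" <<'EOF'
ROOTDIR is `/'
Checking `ls'... not vulnerable
Checking `pop3'... NOT TESTED
Checking `z2'... nothing deleted
Checking `sniffer'...
eth0 is not promisc
Searching for t0rn's default files and dirs... nothing found
Checking `lkm'... nothing detected
EOF

# Constructed report with findings: a replaced ls, a check that lost its
# verdict, and a kernel-module warning.
cat > "$WORK/bad.lst" <<'EOF'
ROOTDIR is `/'
Checking `ls'... INFECTED
Checking `ps'... not vulnerable
Searching for anomalies in shell history files...
Checking `lkm'... Warning: Possible LKM Trojan installed
EOF

for f in clean bad; do
    if report_is_clean "$WORK/$f.lst"; then
        echo "$f.lst: nothing to look at"
    else
        echo "$f.lst: FINDINGS"
        report_findings "$WORK/$f.lst"
    fi
done
```

Run it against chk.lst from a cron job and mail the output only when `report_is_clean` fails; a report that triggers on "[no verdict]" alone usually means chkrootkit was interrupted or its output was truncated, and the run should be repeated rather than dismissed.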
IV. What to do if you have been trojaned?
Put simply: if there is a Trojan on the host, control of that host is no longer in the administrator's hands!
In other words: this host has fallen! The only consolation is that the kid has not made off with it yet..... ;-)
If you really are this unlucky, I suggest you move fast:
Check for backdoors
Find out how the intrusion happened
Track down the source of the intrusion
Prepare yourself mentally to rebuild the system
Back up important files
Rebuild the system
More importantly, strengthen your security and anti-intrusion knowledge
Make good use of tools (for example, install a file system integrity checker such as Tripwire; compare MD5 checksums before installing any software package)
Keep up with security advisories
Keep the system patched and up to date
Develop good administration habits (for example, avoid telnet/ftp; switch to SSH2, SFTP2, SCP)
Monitor continuously
Work hard to keep the host secure. God bless you and me ..... ^_^
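The "compare checksums" advice in the list above only works if a baseline was recorded before the break-in and kept where the intruder cannot edit it. The shell script below is added here as a minimal illustration of that workflow; it is not from the page and not Tripwire. make_baseline records a SHA-256 for every regular file under a directory, and verify_baseline later reports files that changed, disappeared, or were added (a dropped bindshell is a new file, which a plain `md5sum -c` would never mention). SHA-256 stands in for the MD5 the list mentions: `md5sum -c` works the same way, but MD5 collisions are practical today. The directory tree and "binaries" in the demo are constructed text files, and the script assumes GNU coreutils sha256sum and find.

```shell
#!/bin/sh
# Added example (not from the page or from Tripwire): a minimal file
# integrity baseline. Keep the manifest on read-only or off-host media and
# run the check with a known-good sha256sum/find (for example from rescue
# media); a trojaned checksum tool or an edited manifest will happily
# report a compromised host as clean.

# make_baseline DIR MANIFEST: write "hash  ./path" lines for every regular
# file below DIR, sorted so two manifests can be diffed directly.
make_baseline() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done) > "$2"
}

# verify_baseline DIR MANIFEST: print one line per changed, missing or new
# file; exit status 0 only when nothing is reported.
verify_baseline() {
    dir=$1
    manifest=$2
    case $manifest in /*) ;; *) manifest=$PWD/$manifest ;; esac   # we cd below
    rc=0
    # Changed or missing files, as judged by sha256sum -c ("FAILED" lines).
    out=$(cd "$dir" && sha256sum -c "$manifest" 2>/dev/null | grep -v ': OK$' || true)
    if [ -n "$out" ]; then printf '%s\n' "$out"; rc=1; fi
    # Files present now that the baseline never saw (a dropped backdoor).
    known=$(mktemp)
    cut -c67- "$manifest" > "$known"        # 64 hex chars + two spaces, then the path
    new=$( (cd "$dir" && find . -type f) | LC_ALL=C sort | grep -v -x -F -f "$known" || true)
    rm -f "$known"
    if [ -n "$new" ]; then printf '%s\n' "$new" | sed 's/$/: NEW/'; rc=1; fi
    return $rc
}

WORK=$(mktemp -d)
mkdir -p "$WORK/host/bin"
# Constructed stand-ins for system binaries (plain text, not real programs).
printf 'original ls\n' > "$WORK/host/bin/ls"
printf 'original ps\n' > "$WORK/host/bin/ps"
MANIFEST=$WORK/baseline.sha256

make_baseline "$WORK/host" "$MANIFEST"
echo "first check (expect nothing reported):"
verify_baseline "$WORK/host" "$MANIFEST" && echo "clean"

# Simulate a rootkit install: replace ps and drop a new bindshell.
printf 'trojaned ps\n' > "$WORK/host/bin/ps"
printf 'backdoor\n'    > "$WORK/host/bin/bindshell"
echo "second check (expect ./bin/ps FAILED and ./bin/bindshell NEW):"
verify_baseline "$WORK/host" "$MANIFEST" || echo "host differs from baseline"
```

On a real host the baseline is taken right after installation and every legitimate update, over /bin, /sbin, /usr/bin, /usr/sbin and /lib, and the manifest goes onto a CD or another machine; verify_baseline is then run from a clean boot, not from the suspect system's own shell.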
Note:
Some people say: "Pick a niche system, it is more secure, because it does not attract the interest and attention of hackers?!"
I think that depends.
My advice is: better not to pick a niche system. (If a vulnerability turns up and nobody releases a fix, or the company folds or is unwilling to release one, you will be the one crying! Unless you are able to fix it yourself.....)
Choose a system that at least has a dedicated group or company maintaining it, continuously releasing fixes, and continuing to develop it.