O'Reilly Network: Understanding Rootkits
Dec 20, 2001, 20:55 (7 Talkback[s])
(Other stories by Oktay Altunergil)
"A rootkit is a collection of tools an intruder brings
along to a victim computer after gaining initial access. A rootkit
generally contains network sniffers, log-cleaning scripts, and
trojaned replacements of core system utilities such as ps, netstat,
ifconfig, and killall. Although the intruders still need to break
into a victim system before they can install their rootkits, the
ease-of-use and the amount of destruction they cause make rootkits
a big threat for system administrators.
The main purpose of a rootkit is to allow intruders to come back
to the compromised system later and access it without being
detected. A rootkit makes this very easy by installing a backdoor
remote-access daemon, such as a modified version of telnetd or
sshd. These will often run on a different port than the one that
these daemons listen on by default.
Most rootkits also come with modified system binaries that
replace the existing ones on the target system. At a minimum, core
binaries such as ps, w, who, netstat, ls, find, and other binaries
that can be used in monitoring server activity, are replaced so
intruders and the processes they run are invisible to an
unsuspecting system administrator."
Complete Story
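The excerpt describes user-land rootkits: ps, netstat, ls and find are replaced so they edit their own output, and a backdoor daemon listens on a non-default port. The check an administrator wants against that technique is to compare what those binaries report with what the kernel reports through /proc, which a trojaned binary cannot edit, and to compare the binaries themselves against hashes taken while the host was known-good. The script below is an added example for this page, not code from the article or from O'Reilly; the SAMPLE_* inputs are constructed, the binary paths in main() are assumptions for a typical Linux layout, and the baseline dictionary stands in for a hash list you would have recorded yourself before the compromise.

```python
"""Cross-check tools a rootkit commonly trojans (ps, netstat, core binaries)
against the kernel's own view in /proc.  Added example for this page, not code
from the O'Reilly article.  A trojaned ps or netstat edits its own output, but
/proc is populated by the kernel, so any disagreement is a strong signal.  The
SAMPLE_* values are constructed inputs, not captures from a real host."""
import hashlib
import os
import subprocess

# Constructed samples: the kernel knows PID 1337 and a listener on port 8080
# that the (trojaned) ps and netstat output omit, and /bin/ps has been replaced.
SAMPLE_PROC_DIR = ["1", "420", "421", "1337", "cpuinfo", "net", "self"]
SAMPLE_PS = "    1\n  420\n  421\n"
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 101 1\n"
    "   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 102 1\n"
    "   2: 0100007F:8A3C 0100007F:0016 01 00000000:00000000 00:00000000 00000000 0 0 103 1\n")
SAMPLE_NETSTAT = (
    "Active Internet connections (only servers)\n"
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State\n"
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN\n")
SAMPLE_BASELINE = {"/bin/ps": "aa11", "/bin/ls": "bb22", "/bin/netstat": "cc33"}
SAMPLE_CURRENT = {"/bin/ps": "ee55", "/bin/ls": "bb22", "/bin/netstat": "cc33"}

def parse_ps_pids(ps_output: str) -> set[int]:
    """PIDs from `ps -e -o pid=` output: one bare PID per line."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}

def parse_proc_pids(proc_entries) -> set[int]:
    """PIDs are the all-digit directory names under /proc."""
    return {int(name) for name in proc_entries if name.isdigit()}

def hidden_pids(proc_pids: set[int], ps_pids: set[int]) -> list[int]:
    """Processes the kernel reports but ps does not: candidates for a hidden backdoor.
    A process that exited between the two snapshots also lands here, so repeat
    the check before treating a PID as hidden."""
    return sorted(proc_pids - ps_pids)

def parse_proc_net_tcp(text: str) -> set[int]:
    """Local ports in LISTEN state (st == 0A) from /proc/net/tcp.  Data lines read
    'sl local_address rem_address st ...'; the port is the hex suffix of
    local_address (00000000:0016 is 0.0.0.0:22)."""
    ports = set()
    for line in text.splitlines()[1:]:  # skip the column-header line
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def parse_netstat_listen(text: str) -> set[int]:
    """Local ports from `netstat -ltn`; the 4th column of tcp/tcp6 lines is Local Address."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].startswith("tcp"):
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

def unlisted_listeners(kernel_ports: set[int], netstat_ports: set[int]) -> list[int]:
    """Listening ports the kernel knows about that netstat omits, e.g. a backdoor
    sshd on a non-default port that a trojaned netstat filters from its output."""
    return sorted(kernel_ports - netstat_ports)

def changed_binaries(baseline: dict[str, str], current: dict[str, str]) -> list[str]:
    """Paths whose current hash differs from the known-good baseline (or that vanished)."""
    return sorted(path for path, digest in baseline.items() if current.get(path) != digest)

def sha256_file(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def demo() -> dict:
    """All three checks over the constructed samples."""
    return {
        "hidden_pids": hidden_pids(parse_proc_pids(SAMPLE_PROC_DIR), parse_ps_pids(SAMPLE_PS)),
        "unlisted_listeners": unlisted_listeners(
            parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), parse_netstat_listen(SAMPLE_NETSTAT)),
        "changed_binaries": changed_binaries(SAMPLE_BASELINE, SAMPLE_CURRENT)}

def main() -> None:
    print("constructed sample:", demo())
    if not os.path.isdir("/proc"):
        print("no /proc on this host; live checks skipped")
        return
    # os.listdir() and open() ask the kernel directly, so a trojaned ls or find
    # cannot hide from them; a kernel-level rootkit could, and would defeat this.
    ps_out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True).stdout
    print("hidden PIDs:", hidden_pids(parse_proc_pids(os.listdir("/proc")), parse_ps_pids(ps_out)))
    try:
        ns_out = subprocess.run(["netstat", "-ltn"], capture_output=True, text=True).stdout
        with open("/proc/net/tcp") as fh:
            print("listeners netstat omits:",
                  unlisted_listeners(parse_proc_net_tcp(fh.read()), parse_netstat_listen(ns_out)))
    except FileNotFoundError:
        print("netstat not installed; listener check skipped")
    # Record these while the host is known-good; they are the real counterpart of SAMPLE_BASELINE.
    for path in ("/bin/ps", "/bin/ls", "/bin/netstat", "/usr/bin/find"):  # assumed paths
        if os.path.exists(path):
            print(path, sha256_file(path))

if __name__ == "__main__":
    main()
```

Two caveats apply. The comparison only catches the user-land replacements the excerpt describes: a rootkit that patches the kernel (a loadable module, for instance) controls /proc as well, and both sides of the comparison then lie consistently. And since the intruder may have replaced the interpreter or hashing tools too, run this from known-good read-only media, or with binaries copied from a trusted host, rather than with whatever is installed on the suspect machine.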