O'Reilly Network: Understanding Rootkits
Dec 20, 2001, 20:55
(Other stories by Oktay Altunergil)
"A rootkit is a collection of tools an intruder brings
along to a victim computer after gaining initial access. A rootkit
generally contains network sniffers, log-cleaning scripts, and
trojaned replacements of core system utilities such as ps, netstat,
ifconfig, and killall. Although the intruders still need to break
into a victim system before they can install their rootkits, the
ease-of-use and the amount of destruction they cause make rootkits
a big threat for system administrators.
The main purpose of a rootkit is to allow intruders to come back
to the compromised system later and access it without being
detected. A rootkit makes this very easy by installing a backdoor
remote-access daemon, such as a modified version of telnetd or
sshd. These will often run on a different port than the one that
these daemons listen on by default.
Most rootkits also come with modified system binaries that
replace the existing ones on the target system. At a minimum, core
binaries such as ps, w, who, netstat, ls, find, and other binaries
that can be used in monitoring server activity, are replaced so
intruders and the processes they run are invisible to an
unsuspecting system administrator."
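The excerpt above describes two things a user-land rootkit relies on: trojaned ps/netstat/ls that omit the intruder's processes and listeners from their own output, and replaced core binaries. Both can be caught by cross-checking the tools' output against what the kernel exposes in /proc and by hashing the binaries against a known-good manifest. The following is an added example written for this page, not code from the O'Reilly article or from any rootkit-detection tool; the sample /proc/net/tcp lines, PID sets, file names and manifest are constructed for illustration, and the live helpers assume a Linux host with /proc and a ps that accepts -e -o pid=.

```python
"""Cross-check user-land tool output against /proc and a binary manifest.

Added example for the rootkit discussion above (not the article's code).
A trojaned ps or netstat only edits its own output; the kernel's /proc
view still lists the hidden process and the backdoor's listening port.
"""
import hashlib
import os
import subprocess
import tempfile

# Constructed /proc/net/tcp sample: sshd on 22 (state 0A = LISTEN),
# a backdoor listening on 31337 (0x7A69), and one ESTABLISHED connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18123 1 0000000000000000 100 0 0 10 0
   1: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 40211 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 40322 1 0000000000000000 20 4 30 10 -1
"""


def parse_proc_net_tcp(text):
    """Return the set of local ports in LISTEN state from /proc/net/tcp(6) text."""
    ports = set()
    for line in text.splitlines()[1:]:           # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == "0A":                        # TCP_LISTEN
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports


def hidden_pids(ps_pids, proc_pids):
    """PIDs the kernel exposes but ps did not report.

    Sample /proc twice around the ps run and intersect the results to
    drop processes that simply exited between the two reads.
    """
    return set(proc_pids) - set(ps_pids)


def hidden_listeners(netstat_ports, proc_ports):
    """Listening ports in /proc/net/tcp that netstat did not show."""
    return set(proc_ports) - set(netstat_ports)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_binaries(manifest):
    """manifest: {path: expected_sha256} recorded before the host went live.

    Returns {path: 'ok' | 'MODIFIED' | 'MISSING'}. The manifest and the
    tools running this check must come from trusted, read-only media.
    """
    results = {}
    for path, expected in manifest.items():
        if not os.path.exists(path):
            results[path] = "MISSING"
        elif sha256_file(path) != expected:
            results[path] = "MODIFIED"
        else:
            results[path] = "ok"
    return results


def demo_binary_check():
    """Constructed demo: fake 'ps' left intact, fake 'netstat' trojaned after
    the manifest was taken, and an 'ls' entry whose file is gone."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "ps"), os.path.join(d, "netstat")
        for p in (good, bad):
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho original\n")
        manifest = {good: sha256_file(good), bad: sha256_file(bad),
                    os.path.join(d, "ls"): "0" * 64}
        with open(bad, "ab") as f:               # simulate the trojaning
            f.write(b"echo backdoor\n")
        return {os.path.basename(k): v for k, v in verify_binaries(manifest).items()}


def live_proc_pids():
    """PIDs visible in /proc (Linux only)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def live_ps_pids():
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(x) for x in out.split()}


if __name__ == "__main__":
    print("hidden listeners:", hidden_listeners({22}, parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)))
    print("hidden pids:", hidden_pids({1, 2, 501, 1234}, {1, 2, 501, 1234, 6666}))
    print("binary check:", demo_binary_check())
```

On a live host, run hidden_pids(live_ps_pids(), live_proc_pids()) and compare parse_proc_net_tcp(open("/proc/net/tcp").read()) with the ports netstat -ltn shows. This only catches the user-land replacements the excerpt describes; a kernel-resident rootkit can filter /proc as well, which is why the hashes and the tools doing the checking need to come from trusted read-only media rather than the suspect system.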