On Mon, 1 Dec 2003, Markus Hästbacka wrote:

> Hello all!
>
> I've been wondering about what is a rootkit and how it works?

It's some crap thrown together for the express purpose of running a command-shell with root privileges on a system being attacked. The binary load is usually fed in using some kind of exploit such as overwriting a buffer in some privileged program. You fix that problem by upgrading any program found to be susceptible to attack. If you have an old system, you might wish to upgrade:

    inetd
    sendmail
    ftpd
    tftpd
    /usr/sbin/in.*
    dump
    ...

and any other program that runs suid. In particular, do not run inetd. Run xinetd instead.

You can check for a common 'root attack', if you have inetd, by looking at the last few lines in /etc/inetd.conf. It may have some access port added that allows anybody who knows about it to log in as root from the network. It will look something like this:

    # End of inetd.conf.
    4002 stream tcp nowait root /bin/bash --

In this case, port 4002 will allow access to a root shell that has no terminal processing, but an attacker can use this to get complete control of your system. FYI, this is a 5-year-old attack, long obsolete if you have a "store-bought" distribution more recent.

> I've been paranoid after I heard that the debian project got
> "rootkitted", I ran chkrootkit, and it said that it's possible that I
> have a LKM rootkit installed, but the website told me that it's possible
> that the LKM test gives wrong information with recent kernels (Running
> 2.4.22 now).
>
> These processes "were hidden from ps command":
> root 0 0.0 0.0 0 0 ? SWN Oct28 0:01 [ksoftirqd_CPU0]
> root 0 0.0 0.0 0 0 ? SW Oct28 4:27 [kswapd]
> root 0 0.0 0.0 0 0 ? SW Oct28 0:00 [bdflush]
> root 0 0.0 0.0 0 0 ? SW Oct28 0:01 [kupdated]
>
> They seem to have PID 0, is this normal?

Yes. These are kernel threads.

[SNIPPED...]

Cheers,
Dick Johnson
Penguin : Linux version 2.4.22 on an i686 machine (797.90 BogoMips).
Note 96.31% of all statistics are fiction.
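A small scanner for the inetd.conf check described in the reply above, added here as an example (it is not part of the original mail). The sample configuration and the list of shell paths are constructed for illustration; it flags entries whose service field is a bare port number or whose server program is a shell, and notes when such an entry runs as root.

```python
import re
import sys

# Shells that, when spawned by inetd on a bare port, hand whoever connects a
# command interpreter; a legitimate service entry never points here directly.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/tcsh", "/bin/ksh",
          "/bin/zsh", "/bin/dash", "/usr/bin/bash", "/usr/bin/sh"}

# Constructed sample inetd.conf: three ordinary entries, then the kind of
# appended line the mail describes.
SAMPLE_INETD_CONF = """\
# Constructed sample /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
daytime stream  tcp     nowait  root    internal
# End of inetd.conf.
4002    stream  tcp     nowait  root    /bin/bash --
"""


def find_suspicious_entries(text):
    """Return (lineno, entry, reason) for inetd.conf entries worth a look.

    inetd.conf fields: service socket_type protocol wait/nowait user[.group]
    server_program [args...]. Comments and blank lines are skipped.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            findings.append((lineno, line, "malformed entry (fewer than 6 fields)"))
            continue
        service, _socktype, _proto, _wait, user, server = fields[:6]
        reasons = []
        if re.fullmatch(r"\d+", service):
            reasons.append(f"service given as bare port number {service}")
        if server in SHELLS:
            reasons.append("server program is a shell")
        if reasons and user.split(".")[0] in ("root", "0"):
            reasons.append("runs as root")
        if reasons:
            findings.append((lineno, line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Scan a real file if given on the command line, else the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INETD_CONF
    for lineno, entry, reason in find_suspicious_entries(text):
        print(f"line {lineno}: {entry}\n    -> {reason}")
```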