[sf-lug] how to whack crackers

Rick Moen rick at linuxmafia.com
Tue Jan 6 11:59:20 PST 2009

Quoting jim (jim at well.com):

>    speakeasy sternly notified me that someone 
> reported cracking activity coming from my IP 
> address. happened three or four years ago, so 
> i knew what to do: turns out it was the same 
> break-in method and same general approach to 
> mis-using the box. 

Not having seen the text of that advisory, I cannot tell whether they
told you about activity that would have required subversion of root
access -- but strongly suspect that it _did_.  There are a number of 
things intruders like to do that requires root, and typical *ix systems
have, at any given time, at least a few exploitable escalation paths to
gain root access that can be carried out from the regular-user shell
prompt, given enough time and lack of an alert sysadmin.
>    the thing i fear is the rootkit and things 
> like them: replacing standard tools with 
> look-alikes that include malware components. 

You probably already know this, but, for the benefit of others:  a
rootkit is just a minor _after-effect_ of an intrusion.  It's a set of
tools the intruder installs, after escalating to root privilege, to
subsequently hide his/her presence from the sysadmin, so that
intruder-run processes and files are not visible to standard
administrative tools.  It works by replacing those administrative tools
with equivalents that differ only in being selectively blind.

The intruder's aim, in installing a rootkit, is to ensure that you
cannot notice him/her, and, if you do, that you cannot permanently eject
him/her.  The only typical use of "malware components" is thus to
sprinkle your system with an ELF-binary infector that, whenever run,
ensures that a UDP-type remote shell daemon stays running, that the
intruder can then use to re-enter if thrown off.

> so far, my approach is to wipe out the entire system and rebuild from
> known-good files from scratch. i don't trust the chkrootkit program
> only because it seems likely there's be rootkit improvements that
> elude an older chkrootkit program (which i download as source and
> compile and then run). 

There's certainly no _harm_ in occasionally running chkrootkit and/or
rkhunter; they could help you find at least dumb/clumsy intruders, _if_
you are willing to wade through all their false positives.

More information about the sf-lug mailing list