Checking UNIX/LINUX Systems for Signs of Compromise - UCL
Checking UNIX/LINUX Systems for Signs of Compromise - UCL
Checking UNIX/LINUX Systems for Signs of Compromise - UCL
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Linux Rootkits<br />
When an attacker successfully breaks into a Unix system, two <strong>of</strong> the first things he<br />
usually wants to do are:<br />
• Keep the administrators unaware <strong>of</strong> his presence.<br />
• Prevent the administrators from kicking him <strong>of</strong>f the system.<br />
One <strong>of</strong> the methods <strong>of</strong> accomplishing both <strong>of</strong> these tasks is to modify the system<br />
binaries, or even the system libraries.<br />
The most simple and classic example <strong>of</strong> this is to replace /bin/login.<br />
1. Obtain a copy <strong>of</strong> the source code to /bin/login <strong>for</strong> the version <strong>of</strong> Unix the<br />
target host is running -- or at least a very close version.<br />
2. Edit the source code to /bin/login to include a "secret" password that will<br />
always let you login as root if you enter the "backdoor" password. This<br />
backdoor will also not create an entry in the system log files.<br />
3. Compile the source code.<br />
4. Save a copy <strong>of</strong> the original /bin/login binary in case something goes wrong.<br />
5. Replace the original /bin/login with your new /bin/login, keeping the same file<br />
permissions, ownerships, and time stamps.<br />
These steps replace one system binary. A rootkit is a collection <strong>of</strong> modified program<br />
sources or binaries which replace an entire set <strong>of</strong> system binaries.<br />
System binaries replaced by common rootkits include netstat, ifconfig, ps, ld, du,<br />
in.telnetd, chfn, chsh, inetd, passwd, top, rshd, and syslogd. However nowadays<br />
attackers have become far more skilled in their attacks, and it is unlikely that you will<br />
see a compromised machine on which system binaries have been replaced. Indeed,<br />
these days attackers usually target the kernel, so that it provides false results to<br />
queries.<br />
Any application program is controlled by the kernel, and any system access (such as<br />
writing to/reading from the disk) is per<strong>for</strong>med by the kernel. An application will call a<br />
kernel syscall, and the kernel will do the work and deliver the result back to the<br />
application. In essence, syscalls are the lowest level <strong>of</strong> system functions<br />
By modifying kernel syscalls, kernel rootkits can hide:<br />
• files<br />
• directories<br />
• processes<br />
• network connections<br />
Obviously, checksums to confirm the integrity <strong>of</strong> a system are useless in this<br />
situation.<br />
At time <strong>of</strong> writing, there are many many rootkits available that attackers use to<br />
trojan(a trojan is usually a program that pretends to do one thing, but actually does<br />
another, such as allowing a hacker backdoor access to a machine) a system. Some<br />
<strong>of</strong> these are: