Root Kit Found
CAN 1999-0660
Impact
The presence of a root kit indicates that the system has been compromised. The root kit allows the intruder to move about the system undetected.
Background
The root kit is a package which is typically installed by an intruder after gaining root access to a system. It helps the intruder cover his or her tracks. The root kit replaces certain UNIX based commands, like ls, pwd, tar, ps, ifconfig, and netstat.
The Problem
If the intruder was able to modify the logs to hide the existence of a break-in and install a root kit, a system administrator might never find out that the intruder is on the system.
Resolution
If the system has been compromised, the operating system must be reinstalled. If a backup of the system can be confirmed not to contain the root kit, then that backup can be used instead. The difficulty is that there are a number of different root kits in existence, and each replaces a different set of commands. A system administrator will therefore never be able to tell exactly which system files have been replaced unless they check each of the commands individually (ls, du, df, pwd, ifconfig, etc.).
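One way to do that check for the commands named above, as an added example that is not part of the original advisory: record SHA-256 hashes of the listed binaries into a baseline taken from a known-clean system or install media, then compare the live files against it. The file list, the /bin paths, the baseline location and the use of sha256sum are assumptions; the shell and hashing tool must themselves come from trusted media, since a root kit may have replaced them as well.

```shell
#!/bin/sh
# Added example (not from the advisory): compare commonly trojaned binaries
# against a hash baseline. The file list, paths and baseline location are
# assumptions; run this, the shell and the hashing tool from trusted media.

# Commands the advisory names as typical root kit replacements.
WATCHED="ls pwd tar ps ifconfig netstat du df"

# hash_file FILE: print the SHA-256 hex digest, or MISSING if the file is absent.
hash_file() {
    if [ ! -f "$1" ]; then
        echo MISSING
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_baseline ROOT OUT: record "name hash" for each watched binary in ROOT/bin.
# Take this from a known-clean system or install media, never from a suspect host.
make_baseline() {
    root=$1; out=$2
    : > "$out"
    for name in $WATCHED; do
        echo "$name $(hash_file "$root/bin/$name")" >> "$out"
    done
}

# check_baseline ROOT BASELINE: print every binary whose current hash differs
# from the recorded one. Returns 1 if anything changed or vanished, else 0.
check_baseline() {
    root=$1; base=$2; bad=0
    while read -r name recorded; do
        current=$(hash_file "$root/bin/$name")
        if [ "$current" != "$recorded" ]; then
            echo "CHANGED: $root/bin/$name (baseline $recorded, now $current)"
            bad=1
        fi
    done < "$base"
    return $bad
}

# Usage (assumed paths): "baseline / /mnt/trusted/bin-baseline.txt" on a clean
# system; later "check / /mnt/trusted/bin-baseline.txt" booted from rescue media.
case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    check)    check_baseline "$2" "$3" ;;
esac
```

A match against the baseline only proves the files are unchanged since the baseline was taken; a kernel-level root kit or a replaced hashing tool can still lie to this check.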
Where can I read more about this?
Dave Dittrich's FAQ is a good source of information on rootkits.
Know Your Enemy, a paper found at packetstorm, is a good description of a hacker's actions after gaining root access, including the installation of rootkits.