[olug] example intrusion detection

Ben Dinger ben at mac-geek.com
Wed Oct 6 14:11:27 UTC 2004


On Tue, Oct 05, 2004 at 08:38:36PM -0700, Eric Pierce wrote:
> What is a rootkit comprised of?  It sounds like it is some kind of package that
> has modified binaries (like 'ps' and 'top' in your case).

It really depends, but most of the time yes.  They also can help you actually gain access to the system itself.  The word "rootkit" really encompasses a broad range of rogue software.  Think of it as hacking for dummies, basically.  Anyone could use a rootkit, really.  I actually periodically go looking through usenet or IRC networks for new rootkits to test against my work servers.  So far I've only been able to crack it twice, once with an ssh vulnerability and once with Samba.

> Or do they go further than that and have scripts that are run to wipe out log
> files, etc.?  Is that what a script kiddie is; someone who gains access to a
> system and runs a simple script to "set-up" the computer so they won't be
> detected easily (w/o really knowing what they are actually doing)?

The dumb ones wipe out the log files.  Most of the time they will just wipe out the most recent log file and either replace it, or not even care.  The only time I've been rooted was on a Redhat 6.2 box that was sitting alone in my old apartment as I was moving.  The kid was really dumb, as he both kept himself logged into the machine, and instead of deleting individual log files he just rm -rf'd /var/log.  Duh.  I obviously noticed that the next day when my cron jobs to email me logs failed :).

Basically the moral of the story is that the bulk of crackers these days *really aren't that smart*.  I mean, really.  With some of these rootkits, as I said before, a trained monkey could crack into a system.  

Also, the real moral is to always run a stateful firewall in front of your servers.  Block everything, then filter.  At work I'm using PIXes, with the only "all" access being for port 80 traffic on two servers.  Sure, I have holes poked so that I can get access, and for employee VPN, but I'd like to think that we now are proactive with our security model.

> Anyway, interesting read.

I agree, one of the most interesting threads/posts I've read on the OLUG list so far.  

-- 
Ben Dinger
ben at mac-geek.com
"The Pope?  How many divisions has he got?" --Josef Stalin
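
The two detections the post above describes (trojaned ps/top, and a wiped /var/log noticed only because the nightly log e-mail cron job failed) as an added example that is not part of the original message or of any OLUG member's code: a POSIX shell baseline-and-compare script intended to run from cron, exiting non-zero (so cron mails you) when a monitored binary changes or an expected log goes missing. The file names, the fake bin/log tree and the log line are constructed for illustration; the hashing tools assumed are sha256sum or shasum -a 256.

```shell
#!/bin/sh
# Added example, not from the original post. Baseline-and-compare check for
# trojaned system binaries and removed/emptied log files. Run from cron; any
# non-zero exit produces mail, which is the signal the post relied on.

# Hash a file with whatever SHA-256 tool is present (assumption: one of these exists).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# record_baseline BASELINE FILE... : write "hash path" lines for trusted binaries.
# Take this baseline from known-good media, not from a box you already suspect.
record_baseline() {
    baseline=$1; shift
    : > "$baseline"
    for f in "$@"; do
        printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$baseline"
    done
}

# verify_baseline BASELINE : 0 if every recorded file still hashes the same,
# 1 otherwise (offenders printed). Paths with spaces are not handled.
verify_baseline() {
    baseline=$1
    status=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; status=1; continue
        fi
        have=$(hash_file "$path")
        if [ "$have" != "$want" ]; then
            echo "CHANGED  $path"; status=1
        fi
    done < "$baseline"
    return $status
}

# check_logs LOGDIR NAME... : 1 if the log directory is gone (the rm -rf /var/log
# case) or any expected log is missing or zero-length, else 0.
check_logs() {
    dir=$1; shift
    status=0
    if [ ! -d "$dir" ]; then
        echo "LOGDIR GONE $dir"; return 1
    fi
    for f in "$@"; do
        if [ ! -s "$dir/$f" ]; then
            echo "LOG MISSING OR EMPTY $dir/$f"; status=1
        fi
    done
    return $status
}

# demo: constructed fake tree (not a real system). Clean state must pass;
# then a trojaned ps and a removed log dir must both be detected.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/log"
    printf 'original ps\n'  > "$root/bin/ps"
    printf 'original top\n' > "$root/bin/top"
    printf 'Oct  6 14:11:27 host sshd[123]: Accepted publickey\n' > "$root/log/messages"
    record_baseline "$root/baseline.txt" "$root/bin/ps" "$root/bin/top"

    if verify_baseline "$root/baseline.txt" && check_logs "$root/log" messages; then
        clean=0
    else
        clean=1
    fi

    # Simulate the intrusion from the post: replaced ps, whole log dir removed.
    printf 'trojaned ps\n' > "$root/bin/ps"
    rm -rf "$root/log"
    if verify_baseline "$root/baseline.txt"; then bin_hit=0; else bin_hit=1; fi
    if check_logs "$root/log" messages;    then log_hit=0; else log_hit=1; fi

    rm -rf "$root"
    [ "$clean" -eq 0 ] && [ "$bin_hit" -eq 1 ] && [ "$log_hit" -eq 1 ]
}

demo && echo "demo OK: clean baseline passed, trojaned ps and wiped log dir both detected"
```

In real use you would point record_baseline at /bin/ps, /usr/bin/top, /bin/ls, /bin/netstat and the like, keep the baseline file off the host (or on read-only media), and call verify_baseline plus check_logs from a cron entry whose output is mailed; a userland rootkit that replaces those binaries changes their hashes, while a kernel-level one can hide from this check, which is why the baseline must come from outside the suspect box.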