Rootkit
When an attacker successfully breaks into a Unix system, two of the first things he usually wants to do are:
- Keep the administrators unaware of his presence.
- Prevent the administrators from kicking him off the system.
One of the methods of accomplishing both of these tasks is to modify the system binaries, or even the system libraries.
The simplest and most classic example of this is to replace /bin/login.
- Obtain a copy of the source code to /bin/login for the version of Unix the target host is running — or at least a very close version.
- Edit the source code to /bin/login to include a "secret" password that will always let you login as root if you enter the "backdoor" password. This backdoor will also not create an entry in the system log files.
- Compile the source code.
- Save a copy of the original /bin/login binary in case something goes wrong.
- Replace the original /bin/login with your new /bin/login, keeping the same file permissions, ownerships, and time stamps.
These steps replace one system binary. A rootkit is a collection of modified program sources or binaries which replace an entire set of system binaries.
System binaries replaced by common rootkits include netstat, ifconfig, ps, ld, du, in.telnetd, chfn, chsh, inetd, passwd, top, rshd, and syslogd.
Most rootkits come with accessories like packet sniffers, log file editors, and time stamp utilities.
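Because a rootkit restores the original permissions, ownership and time stamps on the binaries it replaces, looking at `ls -l` output tells an administrator nothing. What does change is the file's content, so the standard defence is a baseline of cryptographic hashes taken before compromise and stored off the host. The following is an added example (not code from the original page) that builds such a baseline and re-verifies it; the file names and the "trojaned" content are constructed in a temporary directory purely for demonstration, and the `baseline`/`verify` helper names are this example's own.

```python
"""Detect replaced system binaries with a hash baseline (added example)."""
import hashlib
import os
import stat
import tempfile


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(paths):
    """Record hash, mode, owner and mtime of each file.

    In real use this manifest is written to read-only or off-host storage
    before the system is exposed; a manifest kept on the host can be edited
    by the same intruder who replaced the binaries.
    """
    manifest = {}
    for p in paths:
        st = os.lstat(p)
        manifest[p] = {
            "sha256": sha256_of(p),
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "gid": st.st_gid,
            "mtime": int(st.st_mtime),
        }
    return manifest


def verify(manifest):
    """Return {path: [attributes that differ from the baseline]}; [] means clean."""
    findings = {}
    for p, expected in manifest.items():
        if not os.path.exists(p):
            findings[p] = ["missing"]
            continue
        current = baseline([p])[p]
        findings[p] = [k for k, v in expected.items() if current[k] != v]
    return findings


def demo():
    """Constructed scenario: two fake binaries; 'login' is replaced while
    its permissions and modification time are restored, as a rootkit would.
    Returns {basename: differing attributes}."""
    d = tempfile.mkdtemp()
    login = os.path.join(d, "login")
    ps = os.path.join(d, "ps")
    for p in (login, ps):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho original " + os.path.basename(p).encode() + b"\n")
        os.chmod(p, 0o755)

    manifest = baseline([login, ps])

    # Simulated replacement: new content, same mode, time stamp put back.
    st = os.stat(login)
    with open(login, "wb") as f:
        f.write(b"#!/bin/sh\necho trojaned login\n")
    os.chmod(login, 0o755)
    os.utime(login, (st.st_atime, st.st_mtime))

    return {os.path.basename(p): diffs for p, diffs in verify(manifest).items()}


if __name__ == "__main__":
    for name, diffs in demo().items():
        print(f"{name}: {'clean' if not diffs else 'CHANGED ' + ', '.join(diffs)}")
```

The time-stamp check passes for the replaced file, exactly as the rootkit intended, and only the hash mismatch reveals it. Two practical points follow from this: the manifest must live somewhere the intruder cannot reach, and the check itself should be run from a trusted copy of the tools (boot media or a known-clean host mounting the disk), since a rootkit that has replaced `ls`, `ps` and the shared libraries can also lie to a checker that relies on them.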