• FAQs
• Articles
• Tutorials
• Web Tools
• Reference
• Blog
• Proxy
• Software
• Cell Phones

• Unix FAQs
• How do I find a Unix command?
• What is the history of Unix?
• What are basic Unix commands?
• What is a Unix shell?
• What is a Unix script?
• How do Unix file permissions work?
• Where can I find a Unix tutorial?
• Where can I download Unix?
• Where can I get a Unix emulator?
• What is sudo?
• How do I audit Unix passwords?
• What is password shadowing?
• What is password aging?
• What is NIS (yp)?
• What is a restricted shell?
• What security problems exist with SUID script and programs?
• How do Unix system log files work?
• What is a rootkit?
• How do Unix timestamps work?
• What is Linux?
• What are bootable Linux distributions?
• How do I setup a Linux file server?
• How do I change to directories with strange characters in them?
• What is a daemon?
• How can I change my Unix password?
• How do I change my shell?
• What is .profile?
• What is .login?
• What is a run level?
• How do I set an environment variable?
• What is UMASK?
• What are Unix signals?
• How do I change a hostname on Solaris?
• How do I change an IP address on Solaris?
• What are Pluggable Authentication Modules?
• How do I capture a Unix terminal session?
• How do I list Unix users?
• How do I backup Unix?
• How do I create a cron job?
• How do I use the Unix find command?
• How do I use the Unix sort command?
• How do I use the Unix grep command?
• How do I use the Unix top command?
• How do I install Linux on my Xbox?
• How do I copy Unix files to Windows?
• How Do I Tell What Shell I am Using?
• How Do I Find Out CPU Utilization in UNIX?
• How Do I Copy a Directory from DOS to UNIX?
• Main Menu
• » Networking
• » Physical Layer
• » Data Link Layer
• » Network Layer
• » Network Security
• » Wireless Networks
• » VoIP
• » Telephony
• » Mobile Telephony
• » Electronics
• » Radio
• » Television
• » Cryptology
• » Passwords
• » Smart Cards
• » Privacy
• » Malware
• » Vulnerabilities
• » Unix
• » Macintosh
• » Microsoft Windows
• » The Web
• » Web Publishing
• » E-mail
• » Instant Messaging
• » Databases
• » Computer Hardware
• » CPU's
• » Memory
• » Storage
• » Video
• » Audio
• » Multimedia
• » Satellite
• » Java
• » IT Management
• » Science
• » Miscellaneous

What is a Rootkit?

When an attacker successfully breaks into a Unix system, two of the first things he usually wants to do are:

• Keep the administators unaware of his presence.
• Prevent the administrators from kicking him off the system.

One of the methods of accomplishing both of these tasks is to modify the system binaries, or even the system libraries.

The most simple and classic example of this is to replace /bin/login.

1. Obtain a copy of the source code to /bin/login for the version of Unix the target host is running -- or at least a very close version.
2. Edit the source code to /bin/login to include a "secret" password that will always let you login as root if you enter the "backdoor" password. This backdoor will also not create an entry in the system log files.
3. Compile the source code.
4. Save a copy of the original /bin/login binary in case something goes wrong.
5. Replace the original /bin/login with your new /bin/login, keeping the same file permissions, ownerships, and time stamps.

These steps replace one system binary. A rootkit is a collection of modified program sources or binaries which replace an entire set of system binaries.

System binaries replaced by common rootkit's include netstat, ifconfig, ps, ld, du, in.telnetd, chfn, chsh, inetd, passwd, top, rshd, and syslogd

Most rootkits come with accessories like packet sniffers, log file editors, and time stamp utilities.

Purchase these excellent books on Unix security and administration at Amazon.com

Bookmark What is a Rootkit? Latest Blog Posts Windows 7 Forum Boston College: Ability to Use a Command Line is a Sign of Criminal Activity Google Hacked? Recycle your old phone – Make some money, and save the environment too! SourceForge vs. Freshmeat Fastest Web Browser: Google Chrome New Webmaster Forum Ubuntu Security Tools Terrorists Go Hi-Tech How to Dry a Cell Phone That's Come in Contact with Water English German Spanish French Italian Portuguese Russian Dutch Greek Hindi Japanese Korean Chinese Chinese (Simplified) Arabic Copyright 2009 Tech-FAQ. All rights reserved. Privacy Policy.