On Sun, 2005-12-11 at 10:25, William Case wrote:
> On Sun, 2005-12-11 at 00:44 -0500, Scot L. Harris wrote:
> > On Sun, 2005-12-11 at 00:31, Gene Heskett wrote:
> > > A friend of mine just reported he has been rooted, and his machine was
> > > spewing spam in the name of the colonial bank.
> > >
> > > FWIW, chkrootkit didn't find it!
> > >
> >
> > Did you try rkhunter?  Would be interesting to know if it could see it.
> >
> > > What's the general removal procedure for this, and better yet, how did
> > > they get in?
> >
> > Once a system has been rooted the only action to take is to rebuild the
> > system from scratch, format the drives and install clean.  Be very
> > careful of anything backed up on the system since the root kit was
> > installed.
> >
>
> I think I know in a general kind of way.  But, what is a rootkit?

In general a rootkit is a set of tools that unauthorized people install on
systems to hide their access and maintain access.  The intent generally is
to conceal the cracker's access on the system.  This is typically done by
replacing certain executables such as ps, ls, and others so the cracker's
communications programs and channels can remain hidden.  Effort is also
made to clean up log files or prevent things from being logged that would
tip off the admin that someone is using the system.  Additional back
channels and/or time bombs may be left on the system as well.  The basic
idea is that once they have cracked a system, they maintain access and hide
that fact.

You can use things like tripwire and rpm to try and find all of the
modified code.  However, unless you have been trained and spend a lot of
time doing forensics-type work, it is going to be quicker and surer to
rebuild the system from scratch and restore data from pre-break-in
backups.  Most admins are not trained in computer forensics.
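The message above recommends tripwire-style integrity checking to find replaced binaries such as ps and ls. The following Python script is an added example, not code from the thread or from tripwire, rkhunter or chkrootkit. It builds a baseline of file hashes, sizes and permission bits for a directory tree, then compares a later snapshot against it and reports modified, added and removed files. The "bin" directory, its contents and the simulated tampering (a trojaned ps, a setuid bit added to ls, a hidden extra file) are all constructed inline so the script runs offline; the file names are assumptions for illustration only.

```python
"""Minimal tripwire-style integrity check (added example, not from the thread).

A baseline records, for every regular file under a root, its SHA-256 digest,
size and permission bits.  Comparing a fresh scan against the stored baseline
reveals files a rootkit replaced (ps, ls, netstat ...), files it added and
files it deleted.  The demo at the bottom fabricates a tiny "bin" tree and
tampers with it the way the message describes.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Return the attributes we compare for one path (content + mode + size).

    Symlinks are recorded by target rather than content so that a redirected
    link (e.g. /bin/ps -> /tmp/.x/ps) shows up as a change as well.
    """
    st = path.lstat()
    entry = {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size}
    if path.is_symlink():
        entry["link"] = os.readlink(path)
    else:
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    return entry


def build_baseline(root: Path) -> dict:
    """Walk `root` and fingerprint every file, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; any attribute difference counts as a modification."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(current.keys() - baseline.keys())
    removed = sorted(baseline.keys() - current.keys())
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: take a baseline, simulate a rootkit, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bindir = root / "bin"
        bindir.mkdir()
        # Constructed stand-ins for the real binaries (hypothetical contents).
        for name, body in {
            "ps": b"#!/bin/sh\necho real ps\n",
            "ls": b"#!/bin/sh\necho real ls\n",
            "netstat": b"#!/bin/sh\necho real netstat\n",
        }.items():
            (bindir / name).write_bytes(body)
            (bindir / name).chmod(0o755)

        baseline = build_baseline(root)        # taken while the box is clean

        # Simulated rootkit activity, as described in the message:
        (bindir / "ps").write_bytes(b"#!/bin/sh\necho real ps | grep -v evild\n")
        (bindir / "ls").chmod(0o4755)          # same bytes, but now setuid root
        (bindir / ".backdoor").write_bytes(b"#!/bin/sh\nnc -l -p 31337 -e /bin/sh\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline has to live somewhere the intruder cannot reach (read-only media, or a host that was never on the compromised network), and the comparison should be run from a clean boot rather than on the live system: a rootkit that has replaced libc or patched the kernel can feed the checker the original bytes while the on-disk or in-memory copy is trojaned, which is exactly why the advice in the thread is to rebuild rather than trust any scan performed on the compromised host. On an RPM-based system, `rpm -Va` performs the same style of comparison against the package database, with the same limitation.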