May 11, 2009
What is a Unix rootkit?
A rootkit is a collection of programs that is installed and used after a system has been compromised.
In this case the three steps for hacking a system are:
1) scanning and detection of vulnerabilities
2) use of an exploit to obtain a shell
3) installation of the rootkit
A classic rootkit is composed of:
- a local exploit
- multiple backdoors
- sniffers
- a DDoS agent
A local exploit is used to obtain a root shell when there is only limited access to the system.
Installing a backdoor is useful to open a privileged port for future connections.
In this step many commands such as netstat, who, pkg*, last are replaced with modified binaries.
So, if a local backdoor opens TCP port 2800, netstat will not show this port as open!
Sniffers are useful for obtaining passwords and observing application activity.
A DDoS agent is powerful for carrying out a DoS attack. With this agent installed, the system becomes a component of a DDoS network which, after a signal from the master, runs a TCP/UDP SYN flood attack.
Today there are many products for the detection of a rootkit, but it's my opinion that if a system is compromised the best practice is re-installation of the entire environment.
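The trojaned-netstat case described above, as an added example that is not from the original post: a small shell check that reads the listening ports straight from the kernel's own socket table and reports any that a netstat listing omits. It assumes Linux, where that table is /proc/net/tcp (Solaris has no such file); the sample table and the netstat port list are constructed, with the backdoor on port 2800 as in the post.

```shell
# Constructed sample in Linux /proc/net/tcp format (not real output): sshd
# listening on port 22 (hex 0016), a backdoor listening on port 2800 (hex
# 0AF0), and one ESTABLISHED connection (state 01) that must be ignored.
SAMPLE_PROC_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0AF0 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C3A4 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 0 0 10 -1'

# Constructed list of listening ports as a trojaned netstat would report
# them: the backdoor port is missing.
SAMPLE_NETSTAT_PORTS='22'

# list_listeners: read /proc/net/tcp-format text on stdin and print the
# listening TCP ports in decimal, one per line, sorted and de-duplicated.
# State 0A is LISTEN; the local port is the hex value after ':' in column 2.
list_listeners() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' |
    while IFS= read -r hexport; do
        printf '%d\n' "0x$hexport"
    done | sort -n -u
}

# hidden_listeners: compare the kernel's view ($1, /proc/net/tcp text) with
# netstat's view ($2, decimal ports one per line) and print every listening
# port the kernel knows about that netstat did not report.
hidden_listeners() {
    printf '%s\n' "$1" | list_listeners | while IFS= read -r port; do
        printf '%s\n' "$2" | grep -qx "$port" || printf '%s\n' "$port"
    done
}

# On a live Linux host the same comparison is:
#   hidden_listeners "$(cat /proc/net/tcp)" \
#       "$(netstat -tln | awk 'NR > 2 { sub(/.*:/, "", $4); print $4 }')"
# Here it runs on the constructed data and prints 2800.
hidden_listeners "$SAMPLE_PROC_TCP" "$SAMPLE_NETSTAT_PORTS"
```

The same parsing works for /proc/net/tcp6, since the port is still the hex value after the last ':' in column 2.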
March 3, 2009
Solaris 10 network services security
On Solaris 10, during the installation it is possible to limit network services.
Although the installation may have been completed without these restrictions, it is still possible to close all network services afterwards!
This can be done with the netservices command:
# netservices
netservices: usage: netservices [ open | limited ]
# netservices limited
Then I have ssh running and ready for external connections.
All other network services are disabled or are available to local requests only, because they have a property config/local_only in SMF set to true.