May 11, 2009

What is a Unix rootkit?

Posted in Security at 3:34 pm by alessiodini

A rootkit is a collection of programs.
It is installed and used after a system has been compromised.

In this picture, the three steps of compromising a system are:

1) scanning and detection of vulnerabilities
2) use of an exploit to obtain a shell
3) installation of the rootkit

A classic rootkit is composed of:

– a local exploit
– multiple backdoors
– sniffers
– a DDoS agent

A local exploit is used to obtain a root shell when only limited access to the system is available.
Installing a backdoor opens a privileged port for future connections.
In the same step many commands such as netstat, who, pkg* and last are replaced with trojaned binaries.
So, if a local backdoor opens TCP port 2800, netstat will not show that port as open!
Sniffers are useful for capturing passwords and application activity.
A DDoS agent makes the system a component of a DDoS network: on a signal from the master, the agents run a TCP/UDP SYN flood attack.
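The trojaned-netstat case above is what cross-view detection (the approach chkrootkit-style tools take) catches: a userland replacement can filter what it prints, but the kernel still lists the socket in /proc/net/tcp, so comparing the two views exposes the hidden listener. The following is an added example, not code from the original post or from any of the tools it names; both inputs are constructed samples, and on a live host you would read the real /proc/net/tcp and capture the real netstat output instead.

```python
"""Cross-view check for listening ports hidden from netstat.

Added example (not from the original post). A trojaned netstat hides a port
by filtering its own output, but the kernel still reports the socket in
/proc/net/tcp. Any port present in the kernel view and absent from the tool
view is a discrepancy worth investigating.
"""

# Constructed sample in the Linux /proc/net/tcp format: local_address is
# little-endian hex IPv4 plus hex port; st 0A means LISTEN.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:0AF0 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:9A4C 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample of what a trojaned `netstat -tln` printed: port 2800 (0x0AF0) is absent.
SAMPLE_NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
"""

LISTEN_STATE = "0A"


def hex_to_ipv4(hex_addr):
    """Decode the little-endian hex IPv4 address used in /proc/net/tcp."""
    raw = int(hex_addr, 16)
    return ".".join(str((raw >> (8 * i)) & 0xFF) for i in range(4))


def listening_ports_from_proc(text):
    """Return {port: bound_ip} for every LISTEN socket in /proc/net/tcp text."""
    listeners = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if state != LISTEN_STATE:
            continue
        ip_hex, port_hex = local.split(":")
        listeners[int(port_hex, 16)] = hex_to_ipv4(ip_hex)
    return listeners


def listening_ports_from_netstat(text):
    """Return the set of TCP ports a `netstat -tln` style listing shows as LISTEN."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[5] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def hidden_ports(proc_text, netstat_text):
    """Ports the kernel reports as listening that the tool output omits."""
    kernel_view = listening_ports_from_proc(proc_text)
    tool_view = listening_ports_from_netstat(netstat_text)
    return {port: ip for port, ip in kernel_view.items() if port not in tool_view}


if __name__ == "__main__":
    # On a real host: open("/proc/net/tcp").read() and the captured output of
    # `netstat -tln`; here both views are the constructed samples above.
    for port, ip in sorted(hidden_ports(SAMPLE_PROC_NET_TCP, SAMPLE_NETSTAT_OUTPUT).items()):
        print(f"WARNING: {ip}:{port} is LISTEN in /proc/net/tcp but missing from netstat output")
```

The check only catches a userland substitution. A kernel-mode rootkit can filter /proc reads as well, so the remaining trustworthy vantage in that case is outside the host: a port scan from another machine, or the disk examined offline from known-good boot media.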

Today there are many products for detecting a rootkit, but in my opinion, once a system has been compromised the best practice is to reinstall the entire environment 🙂



  1. Manjunath shenoy said,

    It's a nice point you made there and I have heard about rootkits too..
    But what do you think can be done to prevent this, and is there more info on rootkits you have, as I would like to better learn the process and kind of try to prevent this…

    • alessiodini said,

      I think that the best prevention is to configure the system securely, for example with solid hardening/auditing.
      In this way it's hard for someone who wants to hack your systems to obtain access.
      You can additionally install and configure many tools such as tripwire and chkrootkit, and use a honeypot.
      I have some rootkits (for Linux and Solaris) and I want to analyze them for a future article on this blog!
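The post says a rootkit replaces commands like netstat, who and last with other binaries, and the reply above names tripwire as a countermeasure. The idea behind such tools is a file-integrity baseline: hashes of the binaries taken from a known-good state, compared later to reveal substituted or removed files. The following is an added example written for this page, not the blog's or Tripwire's code; it builds its scenario in a scratch directory with constructed files, and the names netstat, who and last are only the sample set, not real system binaries.

```python
"""Integrity baseline for system binaries, in the spirit of Tripwire.

Added example (not from the original post or from Tripwire). A rootkit that
substitutes netstat, who or last changes those files' bytes, so a SHA-256
baseline recorded from a known-good state exposes the substitution later.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each path to its digest; store the result off-host or read-only."""
    return {str(p): sha256_of(p) for p in paths}


def compare_to_baseline(baseline):
    """Report files whose content changed or that disappeared since the baseline."""
    modified, missing = [], []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            missing.append(path)
        elif sha256_of(path) != expected:
            modified.append(path)
    return {"modified": sorted(modified), "missing": sorted(missing)}


def demo():
    """Constructed scenario: baseline three fake tools, then tamper with two."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp)
        tools = {}
        for name in ("netstat", "who", "last"):
            p = bin_dir / name
            p.write_bytes(b"#!/bin/sh\necho genuine " + name.encode() + b"\n")
            tools[name] = p
        baseline = build_baseline(tools.values())

        # Simulate the post's scenario: netstat swapped for another binary,
        # last removed outright. Contents are placeholders, not real tools.
        tools["netstat"].write_bytes(b"#!/bin/sh\necho TAMPERED\n")
        tools["last"].unlink()

        report = compare_to_baseline(baseline)
        # Return basenames so the result does not depend on the temp path.
        return {k: [os.path.basename(x) for x in v] for k, v in report.items()}


if __name__ == "__main__":
    # Real use: baseline = build_baseline(p for p in Path("/bin").iterdir() if p.is_file())
    # then compare_to_baseline(baseline) on a schedule or during an investigation.
    print(demo())
```

The baseline is only as good as the state it was taken from and the place it is kept: record it right after installation, store it where the host cannot rewrite it, and when a rootkit is suspected run the comparison from known-good boot media, since a kernel-mode rootkit can feed the hashing program the original file contents while the on-disk binary is replaced.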
