The Linux Page

Root Kit

Under a Unix system, a virus is often called a root kit. This is because the only real way to hurt the data on a Unix system is by changing things that are protected so that only the root user can access them.

Thus hackers write tools that check for flaws, and when they find one they become root on your system. From that point on, your system is compromised and needs to be (1) reinstalled and (2) fixed.

Here, fixed means finding the process the rootkit used to become root, which is often not easy since the intruders are likely to have deleted all the logs (hence the need for remote logging on important servers) and the root kit itself (the very tool that let them in).

However, once they are in, it is often difficult to tell. This is because the system, in general, looks identical. Well... nearly. There are two main kinds of tools that can help you discover rootkits:

1) A tool that checks all the files under /bin and /usr/bin (at least)

Such a tool is tripwire. It checks each file's status information, size, whether it disappeared, etc.

The tripwire data is protected by keys, and to make it really safe you should put the database on a remote host that is doubly hard to penetrate (i.e. no externally reachable servers running on that box).

2) A tool that checks all your binaries for ones that let normal users become root, or similar behavior

Such a tool is rkhunter. It checks for many well-known root kits and verifies that no unknown service is running (some rootkits start services that let other tools easily make use of your computer).

With a tool such as tripwire, the integrity of rkhunter itself can be verified. If it changed, then you know something went wrong (unless you just did an apt-get upgrade or equivalent). If it did not change, then the results of rkhunter can be trusted.
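To show what the two kinds of checks above actually do, here is an added example (not code from this page, tripwire or rkhunter) that takes a baseline of a directory of binaries, then reports files that changed (content, size or permission bits such as setuid), disappeared, or appeared. The directory, file names and the tampering are all constructed in a temporary folder for the demo.

```python
"""Minimal tripwire-style file-integrity baseline and compare (added example)."""
import hashlib
import json
import os
import stat
import tempfile


def snapshot(root):
    """Record sha256, size and permission bits for every regular file under root."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, etc.
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root)
            # S_IMODE keeps the setuid/setgid bits, so a privilege-escalation
            # style change to a binary's mode shows up as a difference.
            db[rel] = {"sha256": digest, "size": st.st_size,
                       "mode": stat.S_IMODE(st.st_mode)}
    return db


def compare(baseline, current):
    """Return sorted lists of changed, missing and added relative paths."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"changed": changed, "missing": missing, "added": added}


def demo():
    """Constructed scenario: baseline a fake bin directory, then tamper with it."""
    root = tempfile.mkdtemp()
    for name in ("ls", "ps", "netstat"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
    # Serialise the baseline; in real use this would be stored on a remote host.
    saved = json.dumps(snapshot(root))
    # Simulated tampering: ps rewritten, ls given the setuid bit, netstat
    # removed, and an unknown file dropped in.
    with open(os.path.join(root, "ps"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho modified\n")
    os.chmod(os.path.join(root, "ls"), 0o4755)
    os.remove(os.path.join(root, "netstat"))
    with open(os.path.join(root, "unknown"), "wb") as fh:
        fh.write(b"\x7fELF")
    return compare(json.loads(saved), snapshot(root))
```

Running demo() reports ls and ps as changed, netstat as missing and unknown as added; a real deployment would run snapshot() against /bin and /usr/bin and keep the baseline off the host.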

Note that rkhunter detects all sorts of things. You can reset the detection using the --propupd option (e.g. after an apt-get upgrade, some files will be reported as changed by rkhunter). Also, some things, such as a port opened by a tool you have total control over, may pop up as time passes. The configuration file can be tweaked to ignore (or add) elements checked by rkhunter. Check the /etc/rkhunter.conf file for more information.