Make ps, top, netstat and lsof not show the processes the rootkit is running. (#6)
Interesting *nix commands that use syscalls we're probably interested in. Stolen from the SANS rootkit paper:
netstat: Hide connections made by the intruder to and from the system.
du: Hide space created by hidden files and directories.
find: Make it harder for administrators to search for known files installed by rootkits.
ifconfig: Used to configure and display information about network interfaces. If a sniffer is installed and running, the network interface is placed in promiscuous mode. Placing an interface in promiscuous mode enables the network interface to intercept and read packets on the network. Ifconfig is most commonly altered to conceal the evidence of an interface in promiscuous mode, thus hiding the presence of a sniffer or password grabber.
inetd (xinetd): A super server designed to start programs that provide Internet services. (x)inetd then spawns the appropriate server to accept the connections. Many rootkits add their applications to the configuration file causing rootkit services to be spawned when a specific port is accessed. This is done to hide the process from administrators until the attacker calls it.
killall: A command used to stop processes. Killall is trojaned in most rootkits so administrators cannot stop certain processes that have been installed by the rootkit.
login: A daemon that is used when signing onto a system. The login daemon can be modified to document all usernames and passwords typed into the system. This documented list can be saved to a directory to be accessed for later use, sent to another system, or displayed on an alternative source such as a chat server or news group.
rmmod: Used to remove kernel modules. (#3)
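The process-hiding item (#6) is what a defender checks from the other side: ps, top, netstat and lsof all discover processes by listing /proc, so a rootkit that filters the directory listing hides a PID from all of them at once, while a direct kernel query about that PID (kill(pid, 0)) does not go through the listing and still succeeds. The program below is an added example written for this page, not code from this project or from the SANS paper. It assumes Linux with /proc mounted, reads pid_max from /proc/sys/kernel/pid_max (falling back to an assumed 32768), and uses an assumed MAX_PIDS buffer size; it also reads Tgid from /proc/<pid>/status so that thread ids, which answer kill() but are never top-level /proc entries, are not reported as hidden.

```c
/* pidcheck.c: find PIDs that answer kill(pid, 0) but are absent from the
 * /proc listing that ps/top/lsof rely on.  Added example, not project code.
 * Build: cc -o pidcheck pidcheck.c   Run as root to avoid hidepid noise. */
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_PIDS 65536   /* assumption: more than enough live PIDs */

/* True if name is all digits, i.e. a /proc/<pid> entry (what ps scans). */
static int is_pid_name(const char *name)
{
    if (*name == '\0') return 0;
    for (; *name; name++)
        if (!isdigit((unsigned char)*name)) return 0;
    return 1;
}

/* PIDs exactly as readdir("/proc") reports them. Returns count or -1. */
static int listed_pids(int *out, int max)
{
    DIR *d = opendir("/proc");
    if (!d) return -1;
    struct dirent *e;
    int n = 0;
    while ((e = readdir(d)) != NULL && n < max)
        if (is_pid_name(e->d_name))
            out[n++] = atoi(e->d_name);
    closedir(d);
    return n;
}

/* Ask the kernel directly, bypassing /proc. kill(pid, 0) sends no signal:
 * 0 or EPERM means the process exists, ESRCH means it does not. */
static int pid_exists(int pid)
{
    if (kill(pid, 0) == 0) return 1;
    return errno == EPERM;
}

/* Thread-group id from /proc/<pid>/status, or -1 if unreadable. A pid whose
 * Tgid differs is a thread, not a process, and must not be reported. */
static int tgid_of(int pid)
{
    char path[64], line[256];
    int tgid = -1;
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid: %d", &tgid) == 1) break;
    fclose(f);
    return tgid;
}

static int cmp_int(const void *a, const void *b)
{
    return *(const int *)a - *(const int *)b;
}

/* Pure core of the check: every PID in probed[] that is missing from
 * listed[] is a hidden-process candidate. Returns count or -1. */
static int find_hidden(const int *listed, int nl, const int *probed, int np,
                       int *hidden, int max)
{
    int *sorted = malloc(sizeof(int) * (nl > 0 ? nl : 1));
    if (!sorted) return -1;
    memcpy(sorted, listed, sizeof(int) * nl);
    qsort(sorted, nl, sizeof(int), cmp_int);
    int nh = 0;
    for (int i = 0; i < np && nh < max; i++)
        if (!bsearch(&probed[i], sorted, nl, sizeof(int), cmp_int))
            hidden[nh++] = probed[i];
    free(sorted);
    return nh;
}

static int read_pid_max(void)
{
    int v = 32768;   /* assumed default if the sysctl is unreadable */
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) { if (fscanf(f, "%d", &v) != 1) v = 32768; fclose(f); }
    return v;
}

int main(void)
{
    static int listed[MAX_PIDS], probed[MAX_PIDS], hidden[MAX_PIDS];
    int nl = listed_pids(listed, MAX_PIDS);
    if (nl < 0) { perror("/proc"); return 1; }
    int pid_max = read_pid_max(), np = 0;
    for (int pid = 1; pid < pid_max && np < MAX_PIDS; pid++) {
        if (!pid_exists(pid)) continue;
        int t = tgid_of(pid);
        /* keep real processes (Tgid == pid) and PIDs whose /proc entry is
         * unreadable although kill() sees them: the latter are hidden deeper */
        if (t == -1 || t == pid) probed[np++] = pid;
    }
    int nh = find_hidden(listed, nl, probed, np, hidden, MAX_PIDS);
    for (int i = 0; i < nh; i++)
        printf("PID %d answers kill(pid,0) but is missing from /proc\n", hidden[i]);
    return nh > 0 ? 2 : 0;
}
```

Two caveats when reading its output: the listing and the probe are not atomic, so a process started between the two passes shows up once as a false positive and disappears on a second run, and on a /proc mounted with hidepid an unprivileged user gets EPERM for other users' processes that are also absent from the listing, which is why the check should run as root.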