
There’s a rootkit in the closet - cyberviewer
http://www.void.gr/kargig/blog/2009/08/21/theres-a-rootkit-in-the-closet/
======
vog
There’s something that puzzles me. The author found a rootkit and saw that it
was integrated very deeply in the system. Yet he tried to fix the system _from
within_!

Only after some failed attempts to download and install a new kernel, he
finally did the Right Thing and shut down the server to analyze the hard disk
from outside.

To everyone who encounters such a rootkit, I strongly recommend that you _skip
this second step_. If you see such a deeply integrated rootkit, shut down the
computer immediately! _No fiddling!_ Then, take out the hard disk and copy and
analyze it as described in the article.

Otherwise, you’d enable the rootkit to hide its traces, and to maybe destroy
some data. You don’t learn anything from that fiddling. Satisfy your curiosity
only _after perpetuating evidence_! (i.e. after copying the hard disk’s data)

------
ratsbane
Upvoted both for the content and expository writing style. He did a nice job
not just of solving the problem but also showing how he did it.

------
barrkel
If this style of interception becomes popular, it seems to argue for a
statically linked busybox or similar that uses syscalls directly.

~~~
colonelxc
The nice thing about this method is that you don't have to muck about in the
kernel with a kernel module or anything like that. Also, you don't have to
replace any binaries on the system, so everything _looks_ fine to an md5
comparison. Also, if you've set up something like tripwire to only watch
specific configuration files and services, it might not catch the newly
created /etc/ld.so.preload file.

Some programs (such as login) are already statically compiled to prevent this
exact thing from happening.

~~~
viraptor
I think that the default tripwire config (and definitely the default samhain
config) includes monitoring new files in /etc, so at least there's that
protection. Unfortunately not many people use those applications in real
deployments.

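As an added example (not code from the article or from anyone in this thread), a small audit script for the gap colonelxc and viraptor describe: it checks /etc/ld.so.preload directly rather than hashing binaries, and takes a root prefix so it can be run against a copied disk mounted read-only, as vog recommends. TRUSTED_PREFIXES is an assumption to be adjusted per distribution.

```python
"""Audit an ld.so.preload file on a live system or a mounted disk image."""
import hashlib
import os
import re
import sys

# Where distribution-installed shared objects normally live (assumption;
# adjust for the distribution being examined).
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

def parse_preload(text):
    """Return library paths from ld.so.preload content. glibc's loader drops
    '#' comments to end of line and splits entries on whitespace or colons."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return entries

def assess(entries, root="/"):
    """Classify each entry, resolving its path beneath ROOT (a mounted image)."""
    findings = []
    for lib in entries:
        on_disk = os.path.join(root, lib.lstrip("/"))
        digest = None
        if os.path.isfile(on_disk):
            with open(on_disk, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
        findings.append({
            "library": lib,
            "exists": digest is not None,
            "sha256": digest,
            "trusted_location": lib.startswith(TRUSTED_PREFIXES),
        })
    return findings

def audit(root="/"):
    """Return findings for ROOT's /etc/ld.so.preload, or [] if it is absent."""
    preload = os.path.join(root, "etc/ld.so.preload")
    if not os.path.isfile(preload):
        return []
    with open(preload) as f:
        return assess(parse_preload(f.read()), root)

if __name__ == "__main__":
    for hit in audit(sys.argv[1] if len(sys.argv) > 1 else "/"):
        flag = "" if hit["exists"] and hit["trusted_location"] else "  <-- review"
        print(f"{hit['library']} exists={hit['exists']} sha256={hit['sha256']}{flag}")
```

Run it with the mount point of the copied disk as the only argument; any entry outside the trusted prefixes, or one whose file is missing, is flagged for review.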
------
iman
It's often said that privilege escalation under Linux is very easy. Why is
Linux so insecure in this aspect?

Why does OpenBSD not suffer from local root exploits?

