
Rootkit

When an attacker successfully breaks into a Unix system, two of the first things he usually wants to do are:

  • Keep the administrators unaware of his presence.
  • Prevent the administrators from kicking him off the system.

One of the methods of accomplishing both of these tasks is to modify the system binaries, or even the system libraries.

The simplest and most classic example of this is to replace /bin/login.

  1. Obtain a copy of the source code to /bin/login for the version of Unix the target host is running -- or at least a very close version.
  2. Edit the source code to /bin/login to include a "secret" password that will always let you log in as root if you enter the "backdoor" password. This backdoor will also not create an entry in the system log files.
  3. Compile the source code.
  4. Save a copy of the original /bin/login binary in case something goes wrong.
  5. Replace the original /bin/login with your new /bin/login, keeping the same file permissions, ownerships, and time stamps.

These steps replace one system binary. A rootkit is a collection of modified program sources or binaries which replace an entire set of system binaries.

System binaries replaced by common rootkits include netstat, ifconfig, ps, ld, du, in.telnetd, chfn, chsh, inetd, passwd, top, rshd, and syslogd.

Most rootkits come with accessories like packet sniffers, log file editors, and time stamp utilities.
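Because step 5 above keeps the original permissions, ownership and time stamps, an administrator who compares `ls -l` output against notes will not see the swap. The defensive counterpart is a content-hashing integrity baseline: record a SHA-256 of each binary along with its metadata while the system is known-good, store that baseline off the host (read-only media or a remote system), and re-check periodically. The following Python is an added example for this page, not code from the original; it builds such a baseline and then simulates, in a temporary directory with constructed file contents, a replacement of `login` that preserves size, mode and timestamps, showing that only the hash comparison catches it.

```python
"""
Added example (not part of the original page): a minimal file-integrity
baseline for detecting trojaned system binaries of the kind a rootkit
installs. A replacement that copies the original mode, owner and
timestamps defeats `ls -l`-style checks, so the comparison also hashes
file content. The directory, file names and contents in demo() are
constructed for the demonstration.
"""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path: str) -> dict:
    """Record content hash and the metadata a rootkit tries to preserve."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime_ns": st.st_mtime_ns,
    }


def build_baseline(paths) -> dict:
    """Fingerprint every path on a known-good system."""
    return {p: fingerprint(p) for p in paths}


def save_baseline(baseline: dict, out_path: str) -> None:
    """Write the baseline as JSON; keep this copy off the monitored host."""
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(in_path: str) -> dict:
    with open(in_path) as f:
        return json.load(f)


def compare(baseline: dict) -> list:
    """Re-fingerprint each baselined path and list every field that differs."""
    findings = []
    for path, old in baseline.items():
        if not os.path.lexists(path):
            findings.append({"path": path, "changed": ["missing"]})
            continue
        new = fingerprint(path)
        changed = [k for k in old if old[k] != new[k]]
        if changed:
            findings.append({"path": path, "changed": changed})
    return findings


def demo() -> list:
    """Simulate a binary replaced with mode, ownership and mtime preserved.

    Returns the findings; the only difference reported should be "sha256",
    because size, mode, uid, gid and mtime were deliberately kept identical.
    """
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "login")  # stand-in for /bin/login
        with open(target, "wb") as f:
            f.write(b"ORIGINAL LOGIN BINARY (constructed)\n")
        os.chmod(target, 0o755)
        orig = os.lstat(target)
        baseline = build_baseline([target])

        # Replacement of identical length, then mode and timestamps copied
        # back, mirroring what the rootkit installation step does.
        with open(target, "wb") as f:
            f.write(b"BACKDOOR LOGIN BINARY (constructed)\n")
        os.chmod(target, 0o755)
        os.utime(target, ns=(orig.st_atime_ns, orig.st_mtime_ns))

        return compare(baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], "changed:", ", ".join(finding["changed"]))
```

On a real host the same functions would be run over the binaries the page lists (netstat, ifconfig, ps, syslogd and the rest), with the baseline written by `save_baseline` to media the attacker cannot rewrite. The checker and the Python interpreter are themselves candidates for replacement, so established tools such as Tripwire or AIDE run the comparison from trusted media or a separate system rather than relying on the possibly-trojaned host.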
