
Re: root-kit

Crystal_1
Frequent Advisor

root-kit

Hi,

Can anyone of you tell me how you check if a root-kit is installed on your servers?

Thanks
Crystal
Uday_S_Ankolekar
Honored Contributor

Re: root-kit

swlist..
Good Luck..
Dario_1
Trusted Contributor

Re: root-kit

Check the man pages for swlist, that will help.

Regards,

DR
Bill Hassell
Honored Contributor

Re: root-kit

Actually, a root-kit is an intruder kit that replaces common root-only processes with compromised versions, so such a kit will never be visible with tools like swlist (which may have been replaced or compromised itself). Finding a root kit will be very difficult since there are various versions and these kits are designed to be undetectable to the casual sysadmin. I would start by installing Bastille and IDS/9000 (Intruder Detection System) and going through a security hardening exercise (several days).

Since your system may already be compromised, IDS/9000 may not help as much as it would if it had been installed before your system was connected to any network. Still, it can provide warning of unusual activities. Fixing the damage and disinfecting the system may be very labor intensive...you may have to save your data and reinstall.


Bill Hassell, sysadmin
Bill Douglass
Esteemed Contributor

Re: root-kit

Install chkrootkit from

http://www.chkrootkit.org


Be sure to follow the instructions on copying over pristine binaries of ls, ps, etc.

After you have dealt with the problem, IDS/9000 is a good (if somewhat awkward) tool to use for monitoring your system. Commercial versions of tripwire are also available for HP-UX, if you want to go that route.

You might also want to look at HP-UX Bastille

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA

for hardening your host.
Paul Sperry
Honored Contributor

Re: root-kit

You'll need this.

http://www.chkrootkit.org/
Paul Sperry
Honored Contributor
Solution

Re: root-kit

Detecting Rootkit

Unless the intruder did a poor job of removing traces of his or her visit from the log files, attacks can be hard to detect. Most system administrators don't know their site has been invaded until they are contacted by someone at another site or their disks begin filling up due to the sniffer's logs. If you cannot explain disk usage, you should become alarmed, especially in light of the du and ls Trojans.

Once you suspect a machine has been the victim of a Rootkit attack, you can do several things to verify this. The simplest is to try du, ls, ps, and netstat with the -/ option. If any of them accept this option, then Rootkit has been installed. Also, there is no short-circuiting in the mask list processing; even when you have a hit with a mask specification, the checking continues. So, a large specification list could conceivably cause a noticeable slowdown in the program. Text files found with file in /dev (especially with names of the form /dev/pty without device numbers) are also suspect.

Another way to verify intrusion is to use system programs whose integrity is known. Putting original copies of ps, ls, du, ifconfig, and netstat on a write-protected floppy disk is a good idea. These may be used in situations in which the integrity of the system programs on the hard disk are questionable.

There are many second-party (i.e., nonstandard) utilities that may be added to the above list. These include:

top(1) - A system monitoring utility that combines the functionality of ps(1), uptime(1), renice(8), and kill(1). It can be found at ftp://eecs.nwu.edu/pub/top/ and used to reliably check for the existence of rogue programs in the case of a SunOS host, since that version of Rootkit does not contain it.

lsof - List Open Files (ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/), which lists all open files, including open network sockets.

tcplist - Lists all open network connections in a nice table, including protocol/port numbers, remote hostname, UID of the local server/client, and remote user for remote sites running an ident server (ftp://ftp.cdf.toronto.edu/pub/tcplist).

cpm - May be used on SunOS and Solbourne hosts to determine whether the machine's Ethernet interface is running in promiscuous mode (ftp://info.cert.org/pub/tools/cpm/cpm.1.0.tar.Z). For checking file integrity, the cryptographic checksum program md5 should also be added to this arsenal.

Since zap does not delete users from utmp/wtmp/lastlog files, but rather overwrites the entries with binary zeros, such entries can be an indication that a host has been attacked.
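As an added example (not from this post or from the HP-UX tools it names), the script below implements three of the indicators described above in Python so they can be exercised offline: an md5 baseline of the binaries the post says to keep pristine copies of, a scan for plain text files where only device nodes belong, and a scan of a wtmp-style file for records overwritten with binary zeros. The directory names, the fixed-width login record layout (`UTMP_FMT`, which is not HP-UX's real `struct utmp`) and all sample data are constructed for the example; the `demo_*` functions build that data in temporary directories and return what the checks find.

```python
"""Three of the indicators from the post above, checked offline on constructed data:
 - binaries whose MD5 no longer matches a baseline taken from trusted copies,
 - plain text files sitting where only device nodes belong (the /dev check),
 - utmp/wtmp records overwritten with binary zeros (the zap signature).
Directory names, the record layout and all sample data are constructed here."""
import hashlib
import os
import stat
import struct
import tempfile

# Binaries the post recommends keeping pristine copies of.
MONITORED = ("ls", "ps", "du", "netstat", "ifconfig")

# Constructed fixed-width login record: user[8] id[4] line[12] pid(int32)
# type(int16) time(int32), little-endian, no padding. HP-UX's real struct utmp
# differs; the zero-record check only needs the record size to be fixed.
UTMP_FMT = "<8s4s12sihi"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 34 bytes

# Bytes a plain ASCII text file may contain (printable plus tab/LF/CR).
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def md5_of(path):
    """MD5 of a file, read in chunks so a large binary need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(bindir, names=MONITORED):
    """Checksum each trusted binary. In practice this table is written to
    write-protected media before the host is ever connected to a network."""
    return {n: md5_of(os.path.join(bindir, n)) for n in names}


def verify_baseline(bindir, baseline):
    """Compare the live binaries with the baseline: {name: ok|modified|missing}."""
    report = {}
    for name, expected in baseline.items():
        path = os.path.join(bindir, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        elif md5_of(path) != expected:
            report[name] = "modified"
        else:
            report[name] = "ok"
    return report


def suspect_dev_files(devdir):
    """Regular (non-device) files under devdir whose first 512 bytes are all
    printable text. Some systems keep legitimate regular files in /dev, so
    treat hits as leads to inspect, not as proof of compromise."""
    hits = []
    for root, _dirs, files in os.walk(devdir):
        for name in files:
            path = os.path.join(root, name)
            if not stat.S_ISREG(os.lstat(path).st_mode):
                continue
            with open(path, "rb") as f:
                head = f.read(512)
            if head and all(b in TEXT_BYTES for b in head):
                hits.append(os.path.relpath(path, devdir))
    return sorted(hits)


def zeroed_records(data, rec_size=UTMP_SIZE):
    """Indices of records that are entirely NUL bytes. wtmp is append-only, so a
    zeroed record in the middle of it is the footprint the post attributes to zap."""
    blank = b"\0" * rec_size
    return [i for i in range(len(data) // rec_size)
            if data[i * rec_size:(i + 1) * rec_size] == blank]


def make_record(user, line, pid, utype, when):
    """Pack one constructed login record (struct pads short strings with NULs)."""
    return struct.pack(UTMP_FMT, user.encode(), b"\0" * 4, line.encode(), pid, utype, when)


def demo_integrity():
    """Constructed scenario: baseline five fake binaries, then replace ps and delete du."""
    with tempfile.TemporaryDirectory() as bindir:
        for name in MONITORED:
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"#!/bin/sh\necho pristine %s\n" % name.encode())
        baseline = build_baseline(bindir)
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"#!/bin/sh\necho replaced\n")  # simulated trojaned copy
        os.remove(os.path.join(bindir, "du"))
        return verify_baseline(bindir, baseline)


def demo_dev():
    """Constructed /dev: one text file named like a pty beside one binary file."""
    with tempfile.TemporaryDirectory() as devdir:
        with open(os.path.join(devdir, "pty"), "wb") as f:
            f.write(b"root:x:0:0:root:/:/bin/sh\n")
        with open(os.path.join(devdir, "tty0"), "wb") as f:
            f.write(b"\x00\x01\xff\x7f")
        return suspect_dev_files(devdir)


def demo_wtmp():
    """Constructed wtmp: three records, the middle one wiped with zeros."""
    wtmp = (make_record("root", "console", 101, 7, 1000000)
            + b"\0" * UTMP_SIZE
            + make_record("crystal", "pts/0", 202, 7, 1000300))
    return zeroed_records(wtmp)


if __name__ == "__main__":
    print("binaries:", demo_integrity())
    print("text in /dev:", demo_dev())
    print("zeroed wtmp records:", demo_wtmp())
```

Run it as a script to see the three reports. The baseline check is only as trustworthy as the copy of the interpreter and of this script that run it, which is exactly why the post wants the reference binaries and the checksum table kept on write-protected media taken before the host went on the network.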

Magnus Ljung_2
New Member

Re: root-kit

samhain is an open source file integrity and host-based intrusion detection system for Linux and Unix.

http://www.la-samhna.de/samhain/