Saturday, July 7, 2007

Rootkit Hunter - Installation and Evaluation


"a rootkit is a set of software tools intended to conceal running processes, files, or system data from the operating system. In recent years, it has been used increasingly by malware to help intruders maintain access to systems while avoiding detection. Rootkits exist for a variety of operating systems, such as Windows, Linux and Solaris. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules."
(http://en.wikipedia.org/wiki/Rootkit)
Rootkit detectors that run on a live system only work because the rootkits they can detect do not yet hide themselves completely. A rootkit that fully subverts the kernel can also lie to a detector running on that kernel, so a clean result from a live scan is weaker evidence than examining the disk from trusted boot media.
On Unix-like systems, chkrootkit and rkhunter are two popular rootkit detectors. Here I will use rkhunter to check my current Mandriva system.
1. Download rkhunter-1.2.9.tar.gz and hashupd.sh from http://www.rootkit.nl/projects/rootkit_hunter.html to /home/weizhong/Download
2. gzip -dc rkhunter-1.2.9.tar.gz | tar xf -
3. cd rkhunter-1.2.9
4. Become root and run: sh installer.sh
5. cd ..
6. sh hashupd.sh
The result:
[root@localhost Download]# sh hashupd.sh
[INFO] Found release: "Mandriva Linux release 2007.0 (Official) for x86_64"
[INFO] "Mandriva Linux release 2007.0 (Official) for x86_64" wasn't found in /usr/local/rkhunter/lib/rkhunter/db/os.dat.
[INFO] "Mandriva Linux release 2007.0 (Official) for x86_64" has local number 723.
[INFO] Found md5sum at /usr/bin/md5sum
[INFO] Found sha1sum at /usr/bin/sha1sum
[INFO] Adding distribution/release "Mandriva Linux release 2007.0 (Official) for x86_64" to "/usr/local/rkhunter/lib/rkhunter/db/os.dat"
[INFO] Looking for 65 hashes.
[WARN] Found 48 of 65 hashes, 0 errors found.
[INFO] added new hashes.
From this output we can see that rkhunter (not the rootkit) keeps MD5 and SHA-1 checksums of important system binaries; if one of those binaries is trojaned, its checksum no longer matches the stored one and the scan flags it. Two points are worth noting. First, only 48 of the 65 binaries the script looks for were present on this system, so the remaining 17 got no baseline entry and will not be checked. Second, hashupd.sh computes the hashes from the binaries already on the disk, so the baseline is only as trustworthy as the system was at the moment it was generated: build it on a freshly installed machine, not on one you already suspect.
This shows that rkhunter is easy to install and use. Note that hashupd.sh only builds the hash database; the scan itself is started with rkhunter -c. As far as rkhunter can tell, the host system is free of rootkits.
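To make the hash-database idea concrete, here is a small file-integrity checker in the same spirit as rkhunter's baseline check. It is an added example written for this post, not rkhunter's own code or hashupd.sh; the directory layout, the "binaries" and the tampering are all constructed for the demo, and it assumes coreutils sha256sum is available (override HASH_CMD to use md5sum or sha1sum as rkhunter 1.2.9 did, though MD5 is no longer collision-resistant). It goes slightly beyond the post by also reporting files that are missing or new relative to the baseline, which is how a dropped backdoor shows up.

```shell
#!/bin/sh
# Added example (not rkhunter's code): a minimal hash baseline, built once on a
# trusted system and later used to spot trojaned, removed or added binaries.
set -u

# Hash tool is an assumption: coreutils sha256sum. Output format "<hash>  <path>".
HASH_CMD=${HASH_CMD:-sha256sum}

# build_baseline DIR OUTFILE
# Records one "<hash>  <path>" line per regular file under DIR, sorted so the
# file is reproducible. Like hashupd.sh this trusts the files as they are now,
# so run it on a clean install and keep OUTFILE where a rootkit cannot edit it
# (read-only media or a remote host).
build_baseline() {
    dir=$1; out=$2
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        "$HASH_CMD" "$f"
    done > "$out"
}

# verify_baseline DIR BASELINE
# Recomputes every hash and prints one line per problem:
#   CHANGED <path>  hash differs from the baseline (possible trojaned binary)
#   MISSING <path>  file listed in the baseline no longer exists
#   NEW     <path>  file under DIR that the baseline never saw
# Returns 0 when everything matches, 1 otherwise.
verify_baseline() {
    dir=$1; base=$2; status=0
    while IFS= read -r line; do
        expected=${line%% *}          # text before the first space: the hash
        path=${line#* }; path=${path# }  # drop hash and the two-space separator
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1; continue
        fi
        actual=$("$HASH_CMD" "$path"); actual=${actual%% *}
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$base"
    # Files present now but absent from the baseline (comm -13: unique to stdin).
    known=$(mktemp)
    sed 's/^[^ ]*  //' "$base" | LC_ALL=C sort > "$known"
    new=$(find "$dir" -type f | LC_ALL=C sort | comm -13 "$known" - | sed 's/^/NEW /')
    rm -f "$known"
    if [ -n "$new" ]; then
        echo "$new"; status=1
    fi
    return $status
}

# --- demonstration on constructed files, not real system binaries ---
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/bin"
printf 'pretend this is /bin/ls\n' > "$demo_dir/bin/ls"
printf 'pretend this is /bin/ps\n' > "$demo_dir/bin/ps"
baseline="$demo_dir/baseline.dat"
build_baseline "$demo_dir/bin" "$baseline"
verify_baseline "$demo_dir/bin" "$baseline" && echo "clean: all hashes match"

# Simulate a trojaned ps (a classic rootkit target) plus a dropped backdoor.
printf 'hide pid 31337\n' >> "$demo_dir/bin/ps"
printf 'backdoor\n' > "$demo_dir/bin/.sshd"
verify_baseline "$demo_dir/bin" "$baseline" || echo "tampering detected"
rm -rf "$demo_dir"
```

The second verify_baseline call reports CHANGED for ps and NEW for .sshd. The important design point is where the baseline lives: if it sits on the same writable disk as the binaries, a rootkit that rewrites /bin/ps can rewrite the stored hash just as easily, which is why the baseline should be stored off-host and the check ideally run from trusted boot media.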
Everyone should check carefully whether their computer has been compromised by a rootkit. Once a rootkit is installed, the spyware or other malware that comes with it is hidden from process monitoring, and the antivirus will report that the system is clean even though it is infected and your private information is leaking to the attackers. Rootkit removers try to find and remove rootkits, while rootkit authors try to evade that detection; it is a game of cat and mouse. What we can do is be as careful as possible when installing software from the web or from a CD, and compare critical binaries against a known-good baseline taken from a clean system rather than trusting the running system's own view of itself.
http://news.com.com/i/ne/sr05/rootkit/

More information about how to use rootkit detectors is in the following:
http://www.pcsupportadvisor.com/rootkits.htm
