Detecting root kits?

Jason Stephenson jason at sigio.com
Mon Jun 23 12:15:19 EDT 2003


Ben Boulanger wrote:
> Then by this logic, -anything- you do, except for pulling the drive and 
> mounting it in a system or booting off of a CD is suspect.  While the most 
> correct way, it's also the most impractical.  You can find rootkits on 
> systems with a much more minimal effort.  Will you find the really good 
> hackers?  No - but you won't find them if you boot off of a CD either.

Yeppers. Which is why, when I find a compromised box, and I've verified 
that it is compromised, I wipe that baby clean. If the person(s) 
responsible for the box failed to do backups of important data, well, 
tough, they just lost the data. If it was so important, then they should 
have kept the box patched, run backups regularly, and done anything else 
required to protect their data.

In general, the boxes that I've seen get compromised are default 
installs that were generally set up by the user and then left alone. In 
some cases, the admins responsible for the network were told not to 
touch the machines; the users (well, the grad students) would do the 
admin duties. Uh, yeah, right. That policy changed just before I left. 
Now, this summer, they're looking for another admin, so I may just get 
my old job back.

(No, I wasn't fired. Like the dumbass that I am, I quit in order to move 
to Massachusetts, where I've not found a regular job in almost a year. 
If it weren't for two tiny consulting gigs I've had, I'd be totally 
toast. As it is, if I don't get the job in KY, I'm going to start 
bartending to pay the bills. Ah, but you don't care about that.)

> 
> The short of it is, if you think you're compromised, you probably are.  
> Look around and you're sure to find something.  Real hackers don't go 
> after these kind of boxes - not even as jump points.  You're dealing with 
> script kiddies and script kiddies tend to not cover tracks well. 

Some of them even advertise (to you) that they've cracked you. Check the 
binaries with a good copy of strings. A lot of times, you'll find the 
kiddie's IRC handle in there. Heh, in one case, a comp'd box was running 
bitchx to serve files over IRC. I connected to the channel and started 
chatting with the kid from Holland who had compromised the box. It was 
fun playing with his mind, telling him that I 0wnz0r'd "his" box and to 
prove it, I shut down bitchx, cut his back doors, then hit the power 
switch on the machine. (Mwa-ha-ha! You gotta understand after a 
frustrating week of dealing with users and finding 4 compromised 
machines in a lab that we weren't responsible for originally...well, I 
had to let off some steam.)

In another case, we found a compromised box where the person who cracked 
it actually installed the update patches to prevent anyone else from 
0wnz0r1ng it. I don't think this was a "real" hacker or cracker, but a 
script k1d that was a cut above the rest.

Anyway, I was glad to be doing UNIX admin. The Windows admins had their 
hands full with Trojans and virii. Of course, we had mail filters, and 
virus checkers and all that jazz, and they tried to keep the machines 
patched up, but when you have users who'll download any old crap off the 
web and run it, what can you do? Wipe and reinstall, and oh by the way, 
you did back up the payroll data, didn't you?--BOFH got nothing on me!
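The tip above about checking binaries with a good copy of strings, as an added example that is not part of the thread or of any tool mentioned in it. It assumes sha256sum, tr, awk and grep are available; the indicator patterns, the known-good hash list and the sample "binaries" are constructed inline for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for a suspect binary that do
# not lean on the host's own strings(1) or package tools, which may themselves
# be trojaned: extract printable strings with tr/awk and grep them for
# indicators, and compare the file's SHA-256 with a known-good list you bring
# with you. Demo data below is constructed, not real.

# Printable runs of 4+ characters, the same idea as strings(1).
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | awk 'length($0) >= 4'
}

# Exit 0 (printing the hits) if any extracted string matches an indicator
# pattern (one extended regex per line in $2); exit 1 if nothing matches.
suspicious_strings() {
    extract_strings "$1" | grep -E -f "$2"
}

# Exit 0 if $1's SHA-256 equals the entry recorded for path $2 in list $3
# (lines of "<sha256>  <path>"); exit 1 on mismatch or if $2 is not listed.
verify_against_known_good() {
    expected=$(awk -v p="$2" '$2 == p { print $1 }' "$3")
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# --- constructed demo data: a clean ls and one with an IRC handle baked in ---
DEMO=$(mktemp -d)
printf 'ELF\001\000usage: ls [OPTION]\000' > "$DEMO/ls.clean"
printf 'ELF\001\000usage: ls [OPTION]\000k1dd13 on irc.example.invalid #0wn3d\000' \
    > "$DEMO/ls.trojaned"
printf 'irc\\.\n0wn\n' > "$DEMO/indicators.txt"
printf '%s  /bin/ls\n' "$(sha256sum "$DEMO/ls.clean" | awk '{ print $1 }')" \
    > "$DEMO/known_good.txt"

for f in ls.clean ls.trojaned; do
    if verify_against_known_good "$DEMO/$f" /bin/ls "$DEMO/known_good.txt"; then
        echo "$f: hash matches known-good /bin/ls"
    else
        echo "$f: hash MISMATCH for /bin/ls"
    fi
    suspicious_strings "$DEMO/$f" "$DEMO/indicators.txt" \
        && echo "$f: indicator strings found" \
        || echo "$f: no indicator strings"
done
```

The hash check is the stronger of the two, since an attacker choosing strings to embed is easier than matching a checksum you recorded before the compromise; the string scan only catches the careless cases the thread describes.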
