Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

RootKits Part 1


RootKits Part 1

By ghostghost | 5592 Reads |
0     0

Maintaining Access

To maintain access is a vital key to rooting. I will list several ways of this as I go along and explain typical rootkits. Maintaining access is associated with backdoors local and remote. Here are some ways to keep access.

  1. SSH also known As Secure Shell is a typical backdoor or Trojan used among the beginner hacker. Custom SSH daemons will not leave logs when logging into the targets computer. Both telnet and SSH will also show up in the netstat command. This type of connection is best when combined with a Trojan or a kernel rootkit this will hide connections from the admin. Keep in mind that the TCP ports that are listening give it away if the server is scanned using a port scanner such as Nmap.

  2. Telnet is another great program use to keep access. Usually you use telnet on a TCP port. This allows for easy detection. You only be able to hide from entry-level admins with this type of connection. Similar access can be realized by trojaning any of the listening daemons: telnet, sshd, ftpd, sendmail, name and so on.

  3. CGI shell is something usually considered as using for a last resort type of deal. CGI shell script is deployed in the web server directory. CGI script will execute the user-defined commands and outputting the results in a browser. This does not open new ports and local attacks will have to be done to gain root“.

  4. ICMP telnet controls messages such as Echo request and Echo reply can be made to carry payloads. ICMP are allow through for network performance. Netstat and port scanner cannot pick this up. Those are just some ways I know but there are more online you could look up all you have to do is google it. Local access is almost assured by rootkits with trojaned tools that yield access. RootKits always require root for installation and give its owner root access on demand. Types of RootKits

Binary RootKits

It was the first rootkit use to replace critical system binaries such as /bin/login and network daemons. Attackers use this method to do certain goals like remote and local access and evidence hiding. The executable files were trojaned to perform an action conducive for the attacker, and you know that means malicious acts. Looking at how this works attacker deploys a script after to gaining access. The scripts replace the binaries over the original versions. Here is a list that I have got from http://www.chkrootkit.org/. The Trojans binaries you find on that site are used for:

Provide remote access. The binary bin/login/ or Trojan daemon network may contain magic passwords that will provide a privilege access to the attacker. Trojaning the network access control application tcpd will make it over look certain connections. Provide local access. This may modify the binary or many of the normal SUID binaries to provide “root” privileges to specified users or to those who have a password or command-line switch. Most of the time the attacker use modified daemons. Provide process hide. The Trojan bin/ps will hide processes from causal viewing by the system admins. Provide connection hiding. The binary /bin/netstat that will help too. If you don’t know what netstat is by now you probably shouldn’t be reading this article.

I will wrap it up for now and finish the rest of the section in part 2 of types of rootkits. In part 2 I will also talk about many other type of rootkits for example Kernel rootkits, Libaray kits, Usage, and the development of furture rootkits.

even though this is not where i got my source i will add where yall found this info

links: http://www.pandora-security.com http://idefense.com

Comments
Sorry but there are no comments to display