Rootkit

From LQWiki
Jump to: navigation, search

A Rootkit is a collection of software tools which enables the cracker to hide and secure their position on a system after they have broken into it. A rootkit is a worst-case scenario of a security breach on a sensitive system, as the cracker has essentially made themselves root. The main countermeasure against rootkits is to use md5sum to make a checksum of important system files, and keep the checksums on a write-only unmounted media (like a burnable cd). The checksums are then compared against the actual system files to see if the files have been modified, as a form of intrusion detection. (It might be wise to run the check from a Knoppix cd or other live cd *nix, as a further insurance.) If a rootkit is detected, then the problem becomes one of damage control: replacing the affected files, seeing what damage was done and what sensitive information might have been compromised, evaluating the security of the system to see how the intruder got in and preventing similar episodes in the future.

See also

External links