[nflug] Rootkits

Mark Musone mmusone at shatterit.com
Thu Nov 3 15:36:27 EST 2005


Unfortunately, in my experience it's been kind of the opposite.
I've seen many more, and more intricate, local root exploits than before.

Years ago they'd do some sendmail, lpr queue, or shell-escape type of local
exploit. Nowadays they are doing things like kernel module exploits and race
condition attacks. Things like that were pretty much unheard of back then.
Also, now, once they are in, your system is REALLY compromised: replacing
core kernel modules, even the kernel itself sometimes. Really nasty stuff
that's terrible to find, let alone remove.

In the old days, everyone focused on remote ROOT exploits and kinda ignored
remote user exploits, because even if they got in as a normal user, they
couldn't do much. Now, any type of remote access into a system is extremely
sensitive. Small example: look at the huge rate of simple brute force
dictionary ssh attacks as default users nowadays. They are simply trying to
get in as ANY user, because it's almost a given they can then get elevated
to root. Back then, they'd mostly be just trying to brute force root. The
other advantage for them is that many sysadmins today focus on preventing
ROOT brute force attacks, having all the alerts (and root ssh shut down) for
that case, yet they ignore unprivileged end user access. So while the
sysadmins are keeping their eye on the main gate, the hackers are slipping
in via the side...

I've got probably a few dozen CDs of rootkitted system dumps, along with a
number of CDs of actual rootkits. lol...I hope it's not a sign of my
sysadmining skills :) ;)


-Mark


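The "main gate vs. side gate" point above (monitoring only root logins while attackers brute force any account) is easy to show with a log check. The script below is an added example for this thread, not something Mark or the nflug list posted; it parses a handful of constructed OpenSSH auth log lines (the sshd message format is the real one, the hostnames, PIDs and addresses are made up) and contrasts the root-only view most alerting was set up for with a per-source view that counts failures against every user and flags a non-root login that follows a failure burst from the same source:

```python
import re
from collections import Counter

# OpenSSH syslog message shapes this parser understands:
#   Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
#   Failed password for alice from 192.0.2.10 port 40005 ssh2
#   Accepted publickey for alice from 203.0.113.5 port 60000 ssh2
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample auth log. One source (192.0.2.10) walks a user list and
# ends up logging in as a normal user; a second source hits root only.
SAMPLE_LOG = """\
Nov  3 15:01:02 box sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Nov  3 15:01:04 box sshd[2103]: Failed password for invalid user test from 192.0.2.10 port 40002 ssh2
Nov  3 15:01:06 box sshd[2105]: Failed password for invalid user oracle from 192.0.2.10 port 40003 ssh2
Nov  3 15:01:08 box sshd[2107]: Failed password for root from 192.0.2.10 port 40004 ssh2
Nov  3 15:01:10 box sshd[2109]: Failed password for alice from 192.0.2.10 port 40005 ssh2
Nov  3 15:01:12 box sshd[2111]: Failed password for bob from 192.0.2.10 port 40006 ssh2
Nov  3 15:01:15 box sshd[2113]: Accepted password for alice from 192.0.2.10 port 40007 ssh2
Nov  3 15:02:00 box sshd[2120]: Failed password for root from 198.51.100.7 port 51000 ssh2
Nov  3 15:02:03 box sshd[2122]: Failed password for root from 198.51.100.7 port 51001 ssh2
Nov  3 15:03:30 box sshd[2130]: Accepted publickey for alice from 203.0.113.5 port 60000 ssh2
Nov  3 15:03:31 box CRON[2140]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


def parse_sshd_events(lines):
    """Turn raw auth log lines into dicts; non-sshd lines are skipped."""
    events = []
    for line in lines:
        m = SSHD_RE.search(line)
        if m:
            events.append({
                "result": m.group("result"),        # Failed / Accepted
                "method": m.group("method"),        # password / publickey
                "user": m.group("user"),
                "invalid_user": m.group("invalid") is not None,
                "ip": m.group("ip"),
            })
    return events


def root_only_failures(events):
    """The 'main gate' view: failed root logins per source, nothing else."""
    return dict(Counter(e["ip"] for e in events
                        if e["result"] == "Failed" and e["user"] == "root"))


def find_brute_force(events, threshold=5):
    """Sources with at least `threshold` failures against ANY user."""
    per_ip = Counter(e["ip"] for e in events if e["result"] == "Failed")
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


def find_side_gate_logins(events):
    """Successful non-root logins from a source that failed earlier.

    Events are assumed to be in log (chronological) order, as auth.log is.
    """
    seen_failing = set()
    hits = []
    for e in events:
        if e["result"] == "Failed":
            seen_failing.add(e["ip"])
        elif e["user"] != "root" and e["ip"] in seen_failing:
            hits.append((e["user"], e["ip"]))
    return hits


EVENTS = parse_sshd_events(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    print("root-only view:   ", root_only_failures(EVENTS))
    print("all-user view:    ", find_brute_force(EVENTS))
    print("side-gate logins: ", find_side_gate_logins(EVENTS))
```

On the sample data the root-only view shows one failure from the scanning host and two from the other, which trips no reasonable threshold; counting every account shows six failures from the same source, followed by a successful password login as alice from that source, which is exactly the unprivileged foothold that the rest of the thread says gets turned into root with a local exploit.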

-----Original Message-----
From: nflug-bounces at nflug.org [mailto:nflug-bounces at nflug.org] On Behalf Of
Josh Johnson
Sent: Thursday, November 03, 2005 3:17 PM
To: nflug at nflug.org
Subject: RE: [nflug] Rootkits

I kind of thought that when a user was able to become root (against the 
admin's wishes) on any *nix box, it was a big deal nowadays and the 
offending hole was patched up?

-JoshJ
http://lotuseaters.no-ip.com

On Thu, 3 Nov 2005, Mark Musone wrote:

> No, this is not true at all..
>
> Any remote exploit could allow a non-root user to access a Linux box. From
> there, a local exploit can be done, raising a user's level to root. This is
> actually a standard mechanism.
>
> Although someone can gain direct root access by either a remote exploit in
> which the daemon runs as root, or a local exploit being done _as_ root, it
> is most commonly accomplished using the two-step process as described above.
>
>
> -Mark
>
>
>
> -----Original Message-----
> From: nflug-bounces at nflug.org [mailto:nflug-bounces at nflug.org] On Behalf Of
> Eric Benoit
> Sent: Thursday, November 03, 2005 12:37 PM
> To: nflug at nflug.org
> Subject: Re: [nflug] Another reason to not use M$ products...
>
> So, you can only get root kits if you are logged in as root or someone
> gains access to root, speaking of Linux not MS?
> _______________________________________________
> nflug mailing list
> nflug at nflug.org
> http://www.nflug.org/mailman/listinfo/nflug
>
_______________________________________________
nflug mailing list
nflug at nflug.org
http://www.nflug.org/mailman/listinfo/nflug
