Web Hosting Talk

View Full Version : What is a "root kit".


grandad
10-31-2002, 06:16 PM
My Raq4i has crashed, allegedly because of a "root kit" corrupting all of the files. What is a "root kit" and how can it cause corruption? I am ignorant of these matters, as you can no doubt tell! :dunce:

ffeingol
10-31-2002, 06:49 PM
It's a tad hard to explain but...

A root kit is a set of programs that a hacker will use to take control of your box (i.e. gain root access etc.). Most of them come pre-compiled so they just have to find some way to get onto your machine and install it.

The really nasty part is that most load themselves as kernel modules (i.e. part of the operating system) and therefore you can't see them via a ps command, ls command etc.

Check out chkrootkit.

Frank
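ffeingol's point that a kernel-module rootkit hides from ps and ls is exactly what chkrootkit's process check looks for. The script below is an added example for this thread, written in POSIX shell; it is not code from the thread or from chkrootkit. It assumes Linux with /proc mounted and that the rootkit filters the directory listing of /proc without also blocking a direct lookup of /proc/<pid>; a rootkit that hooks the direct lookup as well will not be caught.

```shell
#!/bin/sh
# Added example, not code from the thread and not chkrootkit's own: find
# processes that are hidden from ps. On Linux, ps itself reads /proc, so a
# kernel rootkit that filters the listing of /proc hides a process from
# "ps" and "ls /proc" alike. A direct lookup of /proc/<pid> by number is
# usually still answered, which is the same trick chkrootkit's chkproc uses.
# Assumes Linux with /proc mounted; a rootkit that also hooks the direct
# path lookup is not caught by this.

# hidden_pids "PS_PIDS" "PROBED_PIDS"
# Both arguments are whitespace-separated PID lists. Prints, one per line in
# numeric order, each PID that the probe found but ps did not report.
hidden_pids() {
    {
        printf 'ps %s\n' $1        # unquoted on purpose: one PID per line
        printf 'probe %s\n' $2
    } | awk '
        $2 == ""                   { next }
        $1 == "ps"                 { seen[$2] = 1; next }
        $1 == "probe" && !seen[$2] { print $2 }
    ' | sort -n
}

# probe_pids: enumerate PIDs by looking up /proc/<pid> directly instead of
# listing /proc. Only thread-group leaders are printed: threads are reachable
# as /proc/<tid> but are legitimately absent from the /proc listing and from
# "ps -e", so they would otherwise be false positives. pid_max is often
# 4194304 on current kernels, so the loop takes a while.
probe_pids() {
    max=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
    pid=1
    while [ "$pid" -le "$max" ]; do
        if [ -d "/proc/$pid" ]; then
            tgid=$(awk '/^Tgid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)
            if [ "$tgid" = "$pid" ]; then
                printf '%s\n' "$pid"
            fi
        fi
        pid=$((pid + 1))
    done
}

# live_check: compare the two views on this machine. A process that starts or
# exits between the ps snapshot and the probe shows up as a one-off
# difference, so re-run before treating a PID as hidden.
live_check() {
    if [ ! -d /proc/self ]; then
        echo "no /proc on this system; nothing to compare" >&2
        return 0
    fi
    ps_pids=$(ps -e -o pid=)
    probed=$(probe_pids)
    hidden=$(hidden_pids "$ps_pids" "$probed")
    if [ -z "$hidden" ]; then
        echo "no hidden processes found"
    else
        echo "PIDs reachable under /proc but not reported by ps (look at /proc/<pid>/exe and cmdline):"
        printf '%s\n' "$hidden"
    fi
}

# Only scan the PID space when asked, so the functions can be sourced or
# tested without the full sweep.
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it as `sh hidden-procs.sh --live` on the suspect box. A PID it reports is worth a look at /proc/<pid>/exe, cmdline and the socket list before you touch anything; a PID that disappears on the second run was just a process that started or exited between the two snapshots.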

grandad
11-01-2002, 04:02 AM
Thanks - why don't I feel any better now I know! :bawling:

ffeingol
11-01-2002, 10:16 AM
Probably because it's a very bad thing :bawling:

Frank

mpope
11-04-2002, 04:58 PM
If you suspect you've been compromised, the ONLY thing you can do is reformat and reinstall the OS. Rootkits are just about the worst thing that can be installed on your server, and you don't want to take any chances that the hacker could get back in after you attempt to fix it.

Cephren
11-05-2002, 11:44 PM
As mpope puts it... a new format is da best...
That's because God knows how many back doors the hacker has placed on your system and how many trojans he has used to rewrite RPMs and utils, i.e. BIND.

But when you do discover something really awkward with your server, don't panic and start leaving traces for the hacker to figure out that his cover has been blown. Quietly back up the databases of your clients and each web site separately and look for anomalies within the backup. NEVER piss off the hacker by deleting his stuff, or else, even before you have carefully backed up the important stuff, the hacker will make your life very miserable, especially on a Cobalt. A white box is better to work with when it's compromised, but a RaQ is just NO fun to work with.
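The "rewritten RPMs and utils" Cephren mentions can be checked against the package database, which records a size and digest for every installed file. The script below is an added example for this thread, not code from the thread or from rpm; it assumes an RPM-based system (the thread does not say which Linux the RaQ runs) and the `rpm -Va` line format shown in its comments. The file names in the test data are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: pick replaced system binaries out
# of "rpm -Va" output. Assumes an RPM-based system (the thread does not say
# which Linux the RaQ runs). rpm records size and digest for every packaged
# file, and "rpm -Va" prints one line per file that no longer matches:
#   S.5....T.    /usr/sbin/named       size and digest changed: replaced
#   .......T.  c /etc/named.conf       only the mtime changed, config file
#   missing      /sbin/ifconfig        file deleted
# The first field is the flag string ('S' size, '5' digest, 'T' mtime, 'M'
# mode, ...), an optional file-type marker ('c' config, 'd' doc) follows, and
# the path is last.
# Caveat: a rootkit can replace rpm and its database too, so a clean result
# proves nothing on the live system. Run it from a rescue boot with a
# known-good rpm against the mounted disk (rpm --root /mnt -Va).

# flag_tampered: read "rpm -Va" output on stdin; print executables and
# libraries whose size or digest changed, or that are missing. Config and doc
# files are skipped, and files whose only change is mtime or permissions are
# left out, so the list stays short enough to read by hand.
flag_tampered() {
    awk '
        NF < 2 { next }
        {
            flags = $1
            path  = $NF
            type  = (NF == 3) ? $2 : ""
        }
        type == "c" || type == "d" { next }
        path !~ "^/(bin|sbin|lib|lib64|usr/(bin|sbin|lib|lib64|libexec))/" { next }
        flags == "missing"                     { print "missing   " path; next }
        index(flags, "5") || index(flags, "S") { print "modified  " path }
    '
}

# Compare against the package database when asked; otherwise the function
# can be run on saved output, e.g.  flag_tampered < rpm-va.txt
if [ "${1:-}" = "--live" ]; then
    rpm -Va 2>/dev/null | flag_tampered
fi
```

`rpm -V bind | flag_tampered` narrows it to the one package Cephren names. Anything the script lists belongs on the "look at it in the backup" pile, not the "delete it" pile, for the reason the post gives.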

grandad
11-06-2002, 04:04 AM
Many thanks for the helpful comments - Raq has been re-formatted.

cyrusTvirus
11-06-2002, 05:37 AM
Make sure you keep it patched and install some security stuff like portsentry, logsentry and hostsentry as a minimum.

HTH

-Edward-
11-06-2002, 06:50 AM
What's hostsentry? And where can I get instructions on how to install it?