Tech Tip: Identify rootkits on your UNIX system

Lock down applications that run as root on UNIX systems to thwart hack attacks.

By Jonathan Yarden

When attackers take advantage of an exploit, one of their first goals is to gain superuser (root or administrator) access to the compromised system. If the compromised process is already running with superuser privileges, the actual exploit performs this step for them.

This is the case with many of the Windows Internet application exploits because they run as administrator. For many of the common Windows system exploits, the privileges of the compromised process allow attackers to completely take control of a system—and perhaps even install a remote-executable command interpreter or a "backdoor" program to allow further access to the system.

Many intruders then close the vulnerability that allowed them access to the system to prevent anyone else from exploiting it, remove evidence of the exploit, and install the software of their choice. The attacker now "owns" the system.

On UNIX systems, many applications run with superuser privileges, which is the root user on UNIX. Applications that run as root on UNIX systems are ripe targets for intruders. In this way, UNIX and Windows share the same concerns regarding applications that need superuser access.

Internet applications that run as root on a UNIX system typically need to allow access by multiple user accounts or need to process information as multiple users. These include applications such as OpenSSH, most e-mail server software (e.g., Sendmail), and FTP daemons. Many applications, such as Apache Web server, switch user privileges to a nonroot user after starting and binding to a network service port to try to prevent root exploits, but some applications can't do this.

But switching user rights to a nonroot user on UNIX doesn't mean that your application is secure. Local root exploits exist as well, and if intruders can run arbitrary commands remotely, they'll surely attempt to break into a system and obtain root access. Once intruders gain root access, their next step is to install a rootkit to maintain that access and wipe away traces of the exploit.

A rootkit is a collection of replacement programs for essential UNIX system commands that facilitates cleaning up after an exploit and maintaining access to a compromised system. Unless you can validate the authenticity of these programs, you may not even know someone has compromised your machine.

Programs such as Tripwire maintain signatures of system files and changes, and they can alert an operator that there's a problem. Tripwire is available in both commercial and open source versions, and many consider it the de facto standard for protecting UNIX operating systems from rootkits.

There's also an excellent open source tool called chkrootkit that can quickly check for various popular UNIX rootkits. If you aren't using Tripwire and suspect that someone has compromised your UNIX system, I suggest downloading and using chkrootkit immediately.

If your machine is clean, then it's either well maintained or you're lucky—or both. It's a good idea to go ahead and install Tripwire anyway.

But if you discover rootkits on your UNIX system, it's not enough to just know about them—you need to take steps to remove them. Next time, I'll tell you how to recover from rootkits on your system.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.

Editor's Picks