How To Protect Yourself Against Script Kiddies

Posted on 21 March 2008

Script kiddies aren’t exactly geniuses. They break into machines and services using scripts, or automated tools, that other people write.

That doesn’t mean that script kiddies can’t make your life difficult. Script kiddies probably account for most online break-ins, because there are so many script kiddies.

Among the most damaging tools used by script kiddies are rootkits, which allow them to solidify their hold on systems once they’ve broken in.

Meet the Rootkit
Rootkits have been around for over a decade. Some are available publicly, through online cracker sites. Some rootkits are privately assembled by people who have the skills, for their own use. The publicly available rootkits are, in some ways, easier to protect against, because security experts can get their hands on them and build automated tools to protect against and detect them. If you’re lucky, your break-in will be with one of these public kits.

Otherwise, you have the joy of trying to figure out exactly what someone’s private kit did to your system.

Early rootkits worked by replacing core system tools such as ls, netstat, ps, top, and so on. With those tools replaced, a system administrator could go along thinking everything was fine, because the very tools used to look for trouble had been altered to hide it. There are several ways to ferret out these changes. Package managers can verify installed files against their recorded checksums (rpm -Va on RPM-based systems), but the package database lives on the same, possibly compromised, disk. More robust is to keep an offline record of checksums for the core tools, taken when the system was freshly installed, and to compare against it regularly. Use SHA-256 rather than MD5 for new baselines (MD5 collisions have been practical since 2004), and remember that the comparison is only as trustworthy as the checksum tool and the baseline themselves: both should live on media the attacker cannot write to.
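The following script, added here as an illustration and not part of the original article, builds such a baseline and checks a system against it. Paths are recorded relative to a root directory, so the same baseline file can be checked against the running system (root /) or against a suspect disk mounted read-only from a live CD (root /mnt/victim). The list of tools in CORE_TOOLS is an assumption to be extended for your distribution, and the baseline path must be absolute because the check runs after a cd into the root.

```shell
#!/bin/sh
# Added example: offline SHA-256 baseline of core system tools.
# Not from the original article; the tool list below is an assumption.
set -u

CORE_TOOLS="${CORE_TOOLS:-bin/ls bin/ps bin/netstat bin/login usr/bin/top usr/bin/find usr/sbin/sshd usr/bin/sha256sum}"

# make_baseline BASELINE_FILE ROOT
# Writes "hash  relative/path" lines for every tool in CORE_TOOLS.
# Store the result offline (USB stick, read-only media, another host): a
# baseline kept on the monitored host can be rewritten by the same attacker
# who replaced the tools.
make_baseline() {
    baseline="$1"; root="${2:-/}"
    ( cd "$root" && sha256sum $CORE_TOOLS ) > "$baseline"
}

# verify_baseline BASELINE_FILE ROOT
# Returns 0 if every recorded file still matches, non-zero otherwise;
# sha256sum prints "path: FAILED" for each changed or missing file.
# BASELINE_FILE must be an absolute path (the check runs inside ROOT).
verify_baseline() {
    baseline="$1"; root="${2:-/}"
    ( cd "$root" && sha256sum -c "$baseline" )
}

# Typical use:
#   make_baseline /media/usb/baseline.sha256 /            # on a freshly installed host
#   verify_baseline /media/usb/baseline.sha256 /          # periodically, from cron
#   verify_baseline /media/usb/baseline.sha256 /mnt/victim # from a live CD, suspect disk mounted read-only
```

Run the verification with a sha256sum binary from trusted media as well; a replaced checksum tool can be made to report OK for anything.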

Live CDs are among the best tools for figuring out the scope of damage. These are complete Linux distributions on bootable CDs. Because the CD is read-only and was built elsewhere, you can boot the suspect machine from it and examine the disk with the CD's pristine, unaltered tools instead of the ones on the compromised install. Two cautions: mount the suspect filesystem read-only (and ideally noexec) so you neither alter evidence nor run anything from it, and do not chroot into it, because that puts you right back on the attacker's binaries and libraries. Knoppix is a simple, complete live CD.

Streamlined Linux live CDs for forensic purposes are available at DistroWatch.

Even better: get a collection of statically compiled binaries, programs that carry all of the code they need and don't rely on your potentially compromised system libraries. These can be obtained from folks like SANS instructor William Stearns.

His static binaries and a live distribution together make a good combination for system recovery.

The Modern Rootkit
Before you start to feel too safe, though, a newer generation of rootkits foils even these tools, making them much harder to find and remove. These rootkits alter the running kernel itself, typically by loading a custom kernel module that hooks system calls or the handlers behind the /proc filesystem. No matter where you run ps from, even a pristine static copy, it reads /proc to learn which processes are running, and now the kernel is the one lying: hidden processes, files, network connections and modules simply never appear, and the same goes for uptime, memory usage and anything else /proc reports. The newest generation goes further and patches the kernel's code and data directly in RAM, historically through /dev/kmem, so even a monolithic kernel built without module support can be subverted.
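One practical consequence is that you can no longer trust any single view of the process table, but you can compare several. The script below is an added example, not from the original article: it cross-checks what ps reports, what a directory listing of /proc shows, and which /proc/<pid> directories answer a direct lookup. A trojaned ps binary disagrees with the /proc listing; a kernel module that filters the /proc directory listing usually still answers a direct lookup of a hidden PID. The script name and the --scan switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): cross-check three views of
# the process table to surface PIDs that one view hides and another does not.
set -u

# hidden_pids VISIBLE_LIST PROBED_LIST
# Both arguments are newline-separated PID lists. Prints every PID present
# in PROBED but absent from VISIBLE.
hidden_pids() {
    visible="$(mktemp)"; probed="$(mktemp)"
    printf '%s\n' "$1" | grep -E '^[0-9]+$' > "$visible" || true
    printf '%s\n' "$2" | grep -E '^[0-9]+$' > "$probed" || true
    # Keyed on FILENAME rather than NR==FNR so an empty VISIBLE list works.
    awk -v vis="$visible" 'FILENAME == vis { seen[$1]; next } !($1 in seen)' \
        "$visible" "$probed"
    rm -f "$visible" "$probed"
}

# PIDs as reported by ps (the binary a userland rootkit replaces).
ps_pids()   { ps -e -o pid= | tr -d ' '; }
# PIDs as listed by reading the /proc directory (what a clean static ps sees).
proc_pids() { ls /proc | grep -E '^[0-9]+$'; }
# PIDs found by asking for each /proc/<pid> directly, with no directory listing.
# Slow when kernel.pid_max is large; set PID_MAX lower to bound the run.
probe_pids() {
    max="${PID_MAX:-$(cat /proc/sys/kernel/pid_max)}"
    pid=1
    while [ "$pid" -le "$max" ]; do
        [ -d "/proc/$pid" ] && echo "$pid"
        pid=$((pid + 1))
    done
}

main() {
    echo "PIDs in the /proc listing but not shown by ps:"
    hidden_pids "$(ps_pids)" "$(proc_pids)"
    echo "PIDs reachable as /proc/<pid> but missing from the /proc listing:"
    hidden_pids "$(proc_pids)" "$(probe_pids)"
}

# Run as root, ideally with static ps/ls/awk on PATH:  sh hidden-procs.sh --scan
if [ "${1:-}" = "--scan" ]; then main; fi
```

Processes that start or exit between two snapshots show up as spurious differences, so repeat the run and investigate only PIDs that are reported consistently. A rootkit that also hooks the lookup path (or lives below the kernel) defeats this check too, which is the article's larger point.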

If this all sounds scary, it should. As Stearns puts it, “Once a human gets any shell access to the system whatsoever, all bets are off. Once a human can type commands on my system, I no longer know what needs to be done to revert any damage. This is triply true if the attacker gets root access; the attacker has unrestricted access to every resource on the machine, and potentially to others on the network as well.”

So how do you protect yourself?
You could completely disconnect your machines from the Internet. However, this doesn’t make your Web server very useful. Really, your best protection is to keep anyone from getting through the door in the first place. Keep your systems up to date: the vast majority of break-ins exploit vulnerabilities for which a patch was already available but had not been applied.

You also need to follow systems administration best practices such as removing and blocking any services you’re not actually using. Doing so makes sure there are no vulnerable locks for someone to try to pick on doors you never intended to use in the first place. Of course there’s also firewalling to prevent anyone from actually reaching the machine. The firewall built into Linux (netfilter, configured with iptables) can stop people from even knocking on the door, because it prevents them from reaching the port a service listens on; with a default-deny policy, a service you forgot to disable is still unreachable from the network.

The next thing you can do to protect yourself is deploy intrusion detection systems. This class of software watches for known break-in techniques such as port probing (where intruders try port after port, like rattling doorknobs, until they find a vulnerable service), buffer overflow attempts, and changes to critical system files. Tools include Snort for watching the network, Tripwire and AIDE for file integrity on the host, and a wide range of commercial intrusion detection offerings for everything from small businesses to large enterprise installations.

However, even these measures aren’t enough to protect against rootkits, because eventually someone will manage to break in. A good place to turn for rootkit detection is chkrootkit. Not only is chkrootkit a popular rootkit-detection program, its site also offers a wide variety of articles and resources you can follow to learn more and keep your knowledge up to date. Rootkit Hunter (rkhunter) is another popular tool. The two are similar, but using both gives you a chance of catching something that one or the other would have missed. It’s a good idea to set up these programs ahead of time rather than after the fact, so that they run regularly from cron and warn you up front that something’s wrong. Bear in mind that both run on the host they are checking: a kernel-level rootkit can feed them the same lies it feeds ps, so when you actually suspect a compromise, run them from a live CD as well.
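The wrapper below is an added example, not from the original article or from either project: it runs both scanners from cron, keeps their output, and exits non-zero (which makes cron mail root) only when something was flagged. chkrootkit prints INFECTED for a positive hit and "not infected" for a clean check, so the filter is case-sensitive and whole-word. The log directory, the script name and the rkhunter options are assumptions; confirm them against the man page of the version you have installed.

```shell
#!/bin/sh
# Added example (not from the original article): nightly chkrootkit + rkhunter
# run with logs kept and a non-zero exit only when something was flagged.
set -u

LOGDIR="${LOGDIR:-/var/log/rootkit-scans}"   # assumed location

# flag_chkrootkit reads chkrootkit output on stdin and prints the lines that
# report a hit. Returns 0 when there is at least one such line.
# "not infected" is lowercase in chkrootkit output, so a case-sensitive,
# whole-word match on INFECTED does not pick up clean checks.
flag_chkrootkit() {
    grep -E -w 'INFECTED|Warning'
}

run_scans() {
    stamp="$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$LOGDIR"
    status=0
    chkrootkit > "$LOGDIR/chkrootkit-$stamp.log" 2>&1
    if flag_chkrootkit < "$LOGDIR/chkrootkit-$stamp.log"; then status=1; fi
    # --sk: no keypress prompts, --rwo: report warnings only, --cronjob: no colours.
    # rkhunter itself exits non-zero when it has warnings to report.
    rkhunter --check --sk --rwo --cronjob > "$LOGDIR/rkhunter-$stamp.log" 2>&1 || status=1
    return "$status"
}

# root crontab entry, nightly; cron mails the output whenever the exit is non-zero:
#   15 3 * * *  /usr/local/sbin/rootkit-scan.sh run
case "${1:-}" in run) run_scans ;; esac
```

Expect some false positives and tune for them rather than ignoring the mail: chkrootkit's bindshell check, for example, flags port 465 as INFECTED on hosts that legitimately run SMTPS, and rkhunter warns about any file that changed since its last rkhunter --propupd, including ones a package upgrade replaced.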

You do have to keep in mind that rootkit authors know about all of these tools. Keep copies of your intrusion-detection databases (the Tripwire or AIDE baselines) and the rootkit hunters’ data files offsite or on read-only media, since a rootkit may tamper with these just as it tampers with the system tools. Also, back up your data files. You can reinstall your system, but replacing the data is harder.

So what do you do if the unimaginable happens?

The first thing you have to do is figure out that someone got in. You might already be compromised and not realize it. You might have been for a year. Run chkrootkit and Rootkit Hunter and see if they turn anything up. Then keep the system and tools up to date and monitor your logs.

Once someone does manage to break in, the first thing to do is yank the system off the network. This can be painful, but the longer you let the attacker have access, the more damage they can do — especially if they are watching you and can see that you’re onto them.

If they’ve gained root access, your smartest response is to go through your data backups to find ones you trust, and then set up a brand new system. But do not overwrite or throw out the compromised drives, and if you need to examine them, work from a bit-for-bit copy rather than the originals. They can provide valuable evidence to help law enforcement track down and prosecute the people who hacked your system.

You might also choose to report the break-in to CERT, or your organization might do so after you follow the appropriate corporate break-in policies. Be sure to keep regularly-updated printouts of the CERT contact information in case your entire network is taken down by an attack. CERT then does its best to coordinate evidence-gathering, contacting other involved administrators, and maybe even connecting isolated incidents to one another to form a bigger picture. The SANS Information and Computer Security Resources page is also valuable reading, and worth bookmarking and checking for updates.

Wrapping Up

Network security is a never-ending battle between those few who want to keep intruders out, and the many who want to break in. Some attackers just want to take a walk through your system to say that they did, others have more nefarious purposes, such as stealing information or damaging your systems. Even those who are breaking in just for fun will deface your sites and post about what they did among their peers, attracting more unpleasant attention from those with the tools and knowhow to have some fun with your systems.

Be proactive, and save yourself a lot of headaches. Keep up with the latest types of attacks by watching sites like CERT and SANS; you can subscribe to their alert lists so you find out about things immediately. (Subscribe to the SANS security newsletter list. The link to subscribe to the CERT list is currently broken.)

Most of all, keep your systems as up to date as humanly possible. There’s little more embarrassing than having to admit that your system was broken into because you hadn’t made the time to fix a particular known vulnerability.

Article Information

Posted by: FS TEAM

Category: Programming & Website
