When hackers obtain administrator privileges, they first erase the records related to the intrusion system and hide their whereabouts. The most common way to achieve this is to use rootkits. Simply put, rootkits is a modified Attack Script and system program used to illegally obtain the maximum control permissions of the system in a target system. Rootkits is widely used. It allows attackers to obtain BackDoor-level access. In the past, rootkits often replaced normal binary execution programs in the operating system, such as iogin programs and ifconfig programs. However, rootkits has developed rapidly over the past two years and has been directly operating on the underlying kernel without having to modify a single program. By modifying the operating system core, kernel-level rootkits makes an OS with the modified kernel look like it is no different from a normal system. They usually contain the ability to redirect system calls. Therefore, when you execute commands such as PS, netstat, or ifconfig, the actual execution is a trojan version. These tools can also hide processes, files, and port usage, and users will not be able to get real system situation reports.
RootkitsDefense methods:
The most effective method to defend against rootkits is to regularly check the integrity of important system files. There are many such tools, such as tripwire, which is a very good file integrity check tool. Once rootkits attacks are detected, it is troublesome. You must reinstall all System File Components and programs to ensure security. Here we will introduce a simple and easy-to-use Linux rootkits detection method. Zeppoo is a small and excellent rootkits detection tool in Linux. Zeppoo allows Linux system administrators to monitor the presence of rootkits in/dev/kmem and/dev/MEM in the i386 hardware system. Zeppoo can detect hidden system tasks, modules, syscils, malicious symbols, and hidden connections. The Linux system administrator can promptly determine whether rootkits exists in the Linux System Based on the hidden and illegal programs found by zeppoo.
ZeppooUse
You can download and install the SDK on the terminal. After decompression, the installation procedure is as follows: # cd zeppoo # Make; make install for example: the Basic command format is as follows: zeppoo-parameter lists the tasks that the system task P displays in the memory. Lists syscall-s display system calls. List the fingerprint features of an IDT file-F file generates the fingerprint features of a file (syscall, IDT ). Other functions-C options check tasks, network, file fingerprint features check tasks, networks, fingerprints. -D device uses the device (/dev/MEM,/dev/kmem ). -M fast mode. -T systemmap specifies system. Map to solve the syscalland IDT file name problems. Display All running tasks in/dev/MEM. You can see the UID, GID, file name, memory address, and other important parameters of all running tasks. # Zeppoo-p-D/dev/MEM detects and displays all hidden tasks. If zeppoo does not detect suspicious tasks in the memory, zeppoo prompts "no hidden tasks, your system looks safe. "Of course, this prompt can only be used as a reference. The system administrator needs to perform further authentication analysis: # zeppoo-C-P
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
