How To Protect Yourself Against Script Kiddies - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Software // Enterprise Applications
02:45 PM

How To Protect Yourself Against Script Kiddies

Rootkits are popular tools used by hackers after breaking into system, to strengthen their hold. Learn how to protect your Linux system against rootkits and other threats.

Script kiddies aren't exactly geniuses. They break into machines and services using scripts, or automated tools, that other people write.

That doesn't mean that script kiddies can't make your life difficult. Script kiddies probably account for most online break-ins, because there are so many script kiddies.

Among the most damaging tools used by script kiddies are rootkits, which allow them to solidify their hold on systems once they've broken in.

Meet the Rootkit
Rootkits have been around for over a decade. Some are available publicly, through online cracker sites. Some rootkits are privately assembled by people who have the skills, for their own use. The publicly available rootkits are, in some ways, easier to protect against, because security experts can get their hands on them and build automated tools to protect against and detect them. If you're lucky, your break-in will be with one of these public kits. Otherwise, you have the joy of trying to figure out exactly what someone's private kit did to your system.

Early rootkits worked by replacing core system tools such as ls, netstat, ps, top, and so on. With these tools replaced, a system administrator could go along thinking everything is fine, unable to see security problems because their core tools are altered to not show them what's happening. There are several ways to ferret out these types of changes, including using the verification capabilities built into Linux RPMs, and keeping an offline record of the MD5 checksums for core tools and running regular checksums against these to see if anything has changed.

Live CDs are among the best tools for figuring out the scope of damage. These are complete Linux distributions available on bootable CDs. Because you know the live CD hasn't been tampered with, you can figure out the scope of the damage on your system by booting it with the live CD and using that CD's set of pristine, unaltered tools to examine your system. Knoppix is a simple, complete live CD.

Streamlined Linux live CDs for forensic purposes are available at DistroWatch.

Even better: Get a collection of statically compiled binaries of programs that have all of the code you need in them and don't rely on your-potentially compromised-system libraries. These can be obtained from folks like SANS instructor William Stearns.

A combination of his tools and live distributions are great combination for system recovery.

The Modern Rootkit
Before you start to feel too safe, though, a newer generation of rootkits will foil even these tools, making them much harder to get rid of. These rootkits actually alter your kernel, typically by loading a custom module that changes the data stored in the vital /proc directory. No matter where you run ps from, the command looks in /proc to find out what processes are running and other information such as uptime, RAM usage, and more. The newest generation of rootkits actually replace pieces of your kernel in RAM, where it resides to run your system, meaning that even a monolithic kernel with no module support can be supplanted with these newer tools.

The newest generation of rootkits actually replace pieces of your kernel in RAM, where it resides to run your system, meaning that even a monolithic kernel with no module support can be supplanted with these newer tools.

If this all sounds scary, it should. As Stearns puts it, "Once a human gets any shell access to the system whatsoever, all bets are off. Once a human can type commands on my system, I no longer know what needs to be done to revert any damage. This is triply true if the attacker gets root access; the attacker has unrestricted access to every resource on the machine, and potentially to others on the network as well."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 2
Comment  | 
Print  | 
More Insights
The Best Way to Get Started with Data Analytics
John Edwards, Technology Journalist & Author,  7/8/2020
10 Cyberattacks on the Rise During the Pandemic
Cynthia Harvey, Freelance Journalist, InformationWeek,  6/24/2020
IT Trade Shows Go Virtual: Your 2020 List of Events
Jessica Davis, Senior Editor, Enterprise Apps,  5/29/2020
White Papers
Register for InformationWeek Newsletters
Current Issue
Key to Cloud Success: The Right Management
This IT Trend highlights some of the steps IT teams can take to keep their cloud environments running in a safe, efficient manner.
Flash Poll