Attacking Linux, Part 2
Camouflage
However, regardless of whether your attacker entered via the front or
back door, his next priority after gaining root access is to cover his
tracks, preventing the administrator from noticing his presence and
locking him out. He'll do that by sabotaging the system logs and
accounting software, disabling any security-monitoring software, and
installing trojan horse (trojaned) software to conceal his activities,
gain additional intelligence, and create back doors in case he needs
another way in.
The trojaned software usually includes replacement binaries for the
genuine login, netstat, ps, ifconfig, du, df, ls, top, syslogd, tcpd,
locate, and various servers run by the inetd superserver. The aim is to
hide the attacker's tools, logs, and processes, so that they are
invisible to the legitimate root user.
And tomorrow the world!
Some of those processes will be spy programs, running to capture login
information entered by local users for remote systems elsewhere. Those
will be logged and conveyed back to the attacker, giving him new
targets. Some may be network sniffers, monitoring the traffic passing
nearby, to or from other nearby machines, and likewise capturing
private information for the bad guys. Those work by putting your
network interface into promiscuous mode, so that it stops discarding
the traffic addressed to other machines and hands all of it to the
sniffer. Some may be
clandestine network services, such as file-swapping, that are useful
for the attacker and his friends. Most distressing of all, some may be
carrying out attacks on other systems. The older variety of those
involved flooding distant machines with either normal or deliberately
malformed network traffic (ping, ping of death, smurf, SYN flooding,
teardrop, land, bonk), as a denial of service (DoS) attack. Then
starting last year, the more-organized DDoS tools (trinoo, Tribal Flood
Network, stacheldraht, Trank, and so on) came to sudden public
attention when they were used to overwhelm popular Internet sites. The
third-party, subverted machines (zombies) used to carry out those
attacks appear to have been university machines, favored for their lax
security and high Internet bandwidth, but your Linux hosts could be the
attackers' next tools.
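A defender's check for the two indicators described above, replaced system binaries and an interface left in promiscuous mode, as an added example that is not part of the original article. It fingerprints the binaries the article names against a baseline you keep off the box, reports anything missing or altered, and reads the IFF_PROMISC bit from sysfs; the scan directory, the `/sys/class/net` layout (a modern kernel) and the sample files built in `demo()` are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Binaries the article lists as usual trojan targets; scan root is a parameter.
WATCHED = "login netstat ps ifconfig du df ls top syslogd tcpd locate".split()
IFF_PROMISC = 0x100  # interface flag bit, as defined in <linux/if.h>

def fingerprint(p):
    """SHA-256 of the file plus its permission bits (catches an added setuid)."""
    return hashlib.sha256(p.read_bytes()).hexdigest(), p.stat().st_mode & 0o7777

def build_baseline(root, names=WATCHED):
    """Fingerprint every watched binary under root; keep the result off the box."""
    return {n: fingerprint(Path(root) / n) for n in names if (Path(root) / n).is_file()}

def verify(root, baseline):
    """Map each watched binary that no longer matches the baseline to a reason."""
    findings = {}
    for name, want in baseline.items():
        p = Path(root) / name
        if not p.is_file():
            findings[name] = "missing"
        elif fingerprint(p) != want:
            findings[name] = "changed"
    return findings

def promiscuous_interfaces(sys_net="/sys/class/net"):
    """Interfaces whose sysfs flags have IFF_PROMISC set: a sniffer indicator."""
    hits = []
    for flags in sorted(Path(sys_net).glob("*/flags")):
        try:
            if int(flags.read_text().strip(), 16) & IFF_PROMISC:
                hits.append(flags.parent.name)
        except (OSError, ValueError):
            pass  # interface vanished or flags unreadable: skip it
    return hits

def demo():
    """Constructed scenario: baseline fake binaries, tamper with them, re-verify."""
    root, fake_sys = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    for n in ("ls", "ps", "netstat"):
        (root / n).write_bytes(b"original " + n.encode())
    baseline = build_baseline(root)
    (root / "ps").write_bytes(b"replaced contents")  # swapped-in binary
    (root / "ls").chmod(0o4755)                       # setuid bit added
    (root / "netstat").unlink()                       # deleted outright
    for name, value in (("eth0", "0x1103\n"), ("lo", "0x9\n")):  # constructed sysfs
        (fake_sys / name).mkdir()
        (fake_sys / name / "flags").write_text(value)
    return verify(root, baseline), promiscuous_interfaces(fake_sys)
```

Run the real check from a known-good boot medium with the baseline on read-only storage: once the attacker has root, a trojaned kernel or libc can lie to any tool run from the compromised system itself.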
Even if your machines don't cause you that order of embarrassment, the
other risks are equally grim: you can reveal confidential data with
business and/or personal consequences, lose that data entirely, see it
corrupted or sabotaged, be involved in wrongful or even criminal
activity, lose access to your computing resources, and indirectly cause
harm to your staff and business associates. Your Website can be defaced
or modified, or visitors might be redirected by sabotaged company DNS
servers to entirely different sites.
What would the Master Control Program do?
As Ozancin pointed out, to prevent, detect, and recover from such
attacks, your first step is to spend some time thinking like an
attacker. Spend some time exploring your network with Nessus, nmap2,
and Firewalk, discovering its vulnerabilities as if you were an
outsider peeking in. Set John the Ripper loose on your password files
to discover any trivial-to-break passwords with which your users are
damaging your security posture. Subscribe to the security-alert mailing
list for