Definition: rootkit: The name for a kit of hacker utilities placed on a UNIX machine after a successful compromise. A typical rootkit includes:
- a password sniffer
- log cleaners
- replacement binaries for common system programs (e.g. inetd)
- backdoor programs
- replacements for programs like ls and find, modified so that they do not reveal the presence of the rootkit's files

Key point: A rootkit contains many trojaned programs. They serve two purposes: to let the hacker back into the system, and to hide the hacker's presence. For example, a trojaned "ps" command might hide the hacker's sniffer daemon from the process list. Alternatively, the hacker might trojan an existing daemon like inetd so that it runs a sniffer in the background.

Key point: The most important trojaned programs are those that grant access back into the system when a special password is supplied. Trojaned versions of login, su, or telnetd are therefore the usual targets.

Key point: Rootkits often contain setuid-root programs that a normal user can run to elevate their privileges to root. Look for unexpected setuid binaries to tell whether your system has been hacked. Because the rootkit's own ls, find and ps will lie, run such checks with binaries you trust (e.g. from read-only media) or cross-check their output against what the kernel itself reports.

Culture: Also called "daemon kits".

Example: The "t0rn" kit, including utilities like "t0rnsniff" and replacement binaries. In 2001, this kit was included as part of several Linux worms.

From Hacking-Lexicon
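The two checks the key points describe, a hidden-process check (what a possibly trojaned ps reports versus what the kernel reports in /proc) and a scan for setuid-root binaries that are not on a known-good list, as an added example that is not part of the Hacking-Lexicon entry or of any rootkit-detection tool. It assumes a Linux host with /proc and a working ps; the KNOWN_SETUID baseline is a constructed illustration, not an authoritative list, and in practice it should come from a known-clean install or package metadata. It catches only the userland binary replacement the entry describes: a kernel-level rootkit can hide from /proc as well.

```python
"""Userland rootkit cross-checks (added example, not from Hacking-Lexicon):
1. PIDs the kernel lists in /proc but a (possibly trojaned) ps omits.
2. setuid-root regular files that are not on a baseline of expected ones.
Assumes Linux (/proc) and a ps binary on PATH for the live functions."""
import os
import stat
import subprocess

# Constructed baseline of setuid binaries that are normal on many Linux hosts.
# Build the real one from a clean install or from package metadata, not from memory.
KNOWN_SETUID = frozenset({
    "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd",
})


def proc_pids():
    """PIDs as the kernel reports them via readdir on /proc, independent of ps."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids():
    """PIDs as the ps binary reports them (this is the view a trojaned ps can edit)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(kernel_view, tool_view):
    """PIDs present in the kernel's view but missing from the tool's view.
    Pure set logic so it can be exercised on constructed data."""
    return sorted(kernel_view - tool_view)


def live_hidden_pids():
    """Snapshot /proc before and after running ps. A PID present in both
    snapshots but absent from ps output is suspicious; the double snapshot
    drops processes that started or exited while ps ran."""
    before = proc_pids()
    seen_by_ps = ps_pids()
    after = proc_pids()
    return hidden_pids(before & after, seen_by_ps)


def setuid_binaries(roots):
    """Map path -> owner uid for regular files with the setuid bit under roots.
    Roots are canonicalised so /bin and /usr/bin are not scanned twice on
    merged-/usr systems; lstat plus S_ISREG skips symlinks and device nodes."""
    found = {}
    for root in {os.path.realpath(r) for r in roots}:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable; a scan must not abort on this
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    found[path] = st.st_uid
    return found


def unexpected_setuid(roots, baseline=KNOWN_SETUID, owner_uid=0):
    """Setuid files owned by owner_uid (root by default) that are not on the baseline."""
    return sorted(p for p, uid in setuid_binaries(roots).items()
                  if uid == owner_uid and p not in baseline)


if __name__ == "__main__":
    print("PIDs hidden from ps:", live_hidden_pids())
    print("unexpected setuid-root binaries:",
          unexpected_setuid(["/usr/bin", "/usr/sbin", "/bin", "/sbin"]))
```

A non-empty result from either function is a lead, not proof: a stale baseline or a process that exited mid-scan will also show up, so compare the flagged binaries against a trusted copy of the package database before concluding the host is rooted.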

