[olug] example intrusion detection

Dave Hull dphull at insipid.com
Wed Oct 6 05:17:14 UTC 2004


Quoting Eric Pierce <eric_olug at yahoo.com>:

> What is a rootkit comprised of?  It sounds like it is some kind of package
> that has modified binaries (like 'ps' and 'top' in your case).
>
> Or do they go further than that and have scripts that are run to wipe out log
> files, etc.?

There are different rootkits that do different things depending on what the
creator wanted them to do, but all the ones I've seen include rogue binaries to
replace legit system commands, most commonly ps, top, ls, netstat and the like.

> Is that what a script kiddie is; someone who gains access to a
> system and runs a simple script to "set-up" the computer so they won't be
> detected easily (w/o really knowing what they are actually doing)?

You hit the nail on the head, "w/o really knowing what they are actually doing".

"Script-kiddie" is a derogatory term for a cracker who doesn't really know what
he is doing, but uses the tools developed by more knowledgeable people.
Script-kiddies do far more damage, IMO, than those who really know what they
are doing, but those who really have the know-how are acting as enablers.

--
Dave Hull
http://insipid.com
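Added example, not from Dave's post or the OLUG list: one defender-side check for the kind of rootkit described above, which swaps ps, top, ls and netstat for rogue copies. It records a SHA-256 baseline of those binaries on a known-clean system and later flags any that no longer match. The directory, file contents and the "trojaned" replacements are constructed in a temp directory for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# The commands named in the post; constructed sample files stand in for them.
WATCHED = ["ps", "top", "ls", "netstat"]


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(bindir: Path, names=WATCHED) -> dict:
    """Hash each watched binary. Take this from a trusted boot/media and keep
    the result off the host; a baseline stored locally can be edited too."""
    return {n: sha256_file(bindir / n) for n in names}


def verify(bindir: Path, baseline: dict) -> list:
    """Return the watched names that are missing or whose hash has changed.
    Caveat: a kernel-level rootkit can lie to the tool doing the reading, so
    checks like this are strongest when run from a clean boot."""
    changed = []
    for name, expected in baseline.items():
        p = bindir / name
        if not p.is_file() or sha256_file(p) != expected:
            changed.append(name)
    return sorted(changed)


def demo() -> list:
    """Constructed scenario: clean baseline, then ps and netstat get replaced."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = Path(tmp)
        for n in WATCHED:
            (bindir / n).write_bytes(b"original " + n.encode())
        baseline = build_baseline(bindir)
        assert verify(bindir, baseline) == []          # clean system: nothing flagged
        (bindir / "ps").write_bytes(b"rogue ps copy")
        (bindir / "netstat").write_bytes(b"rogue netstat copy")
        return verify(bindir, baseline)                # -> ['netstat', 'ps']


if __name__ == "__main__":
    print(demo())
```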
