• /bin/login program invoked to authenticate user whenever user logs in locally via keyboard or remotely (e.g., telnet)
• A RootKit replaces /bin/login with a modified version that includes a backdoor password for root access
–Modified /bin/login is a backdoor since attacker still can get in even if the legitimate root password is changed
–Modified /bin/login is a Trojan horse because it appears to be a normal login program
–Facilitates hiding from “who” by not recording login into wtmp and utmp files if backdoor password is used
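
An added example (not from the original slides): a defender's cross-check for the hiding behaviour described above. It parses utmp records and reports live login sessions that have no matching entry. The 384-byte record layout assumes glibc on Linux x86-64, and the helper names, sample records and session list are constructed for illustration.

```python
import struct

# Assumed layout: glibc "struct utmp" on Linux x86-64 (384 bytes per record).
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
USER_PROCESS = 7  # ut_type value for a logged-in user session


def cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_utmp(blob):
    """Return {tty: (user, pid)} for every USER_PROCESS record in blob."""
    sessions = {}
    usable = len(blob) - len(blob) % UTMP.size  # ignore a truncated tail
    for off in range(0, usable, UTMP.size):
        rec = UTMP.unpack_from(blob, off)
        ut_type, pid, line, user = rec[0], rec[1], rec[2], rec[4]
        if ut_type == USER_PROCESS:
            sessions[cstr(line)] = (cstr(user), pid)
    return sessions


def unrecorded_sessions(utmp_blob, observed):
    """observed: (tty, user, pid) tuples for live login shells, gathered
    from a trusted source. Returns those that utmp does not account for."""
    recorded = parse_utmp(utmp_blob)
    return [s for s in observed if recorded.get(s[0], (None,))[0] != s[1]]


def make_record(ut_type, pid, line, user, host=b""):
    """Build one constructed utmp record for the demo below."""
    return UTMP.pack(ut_type, pid, line, b"", user, host,
                     0, 0, 0, 0, 0, 0, 0, 0, 0, b"")


# Constructed sample data: two recorded logins, three live shells.
SAMPLE_UTMP = (make_record(USER_PROCESS, 1201, b"pts/0", b"alice", b"10.0.0.5")
               + make_record(USER_PROCESS, 1377, b"tty1", b"bob"))
SAMPLE_OBSERVED = [("pts/0", "alice", 1201), ("tty1", "bob", 1377),
                   ("pts/1", "root", 1502)]

if __name__ == "__main__":
    for tty, user, pid in unrecorded_sessions(SAMPLE_UTMP, SAMPLE_OBSERVED):
        print(f"no utmp record for {user} on {tty} (pid {pid})")
```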