Programs typically replaced
by RootKits
¨du : Does not include disk space used by attacker
¨find : Lies about presence of attacker’s files
¨ifconfig : Masks promiscuous mode
¨login : Contains backdoor root-level password for attacker
¨ls : Lies about presence of attacker’s files
¨netstat : Masks ports that are used by attacker
¨ps : Lies about any process attacker wishes to hide
¨inetd : modified to provide backdoor access
¨syslogd : does not log attacker’s actions
¨