Defending against Traditional RootKits
• Don’t let the attacker get root in the first place
–Use difficult-to-guess passwords
–Apply patches
–Close unused ports
• File integrity checkers
–Create a read-only database of cryptographic hashes for critical system files, store it off line, and regularly compare the hashes of the active programs against the stored hashes to detect changes
–Tripwire http://ftp.cerias.purdue.edu/pub/tools/unix/ids/tripwire
–Sun’s Solaris Fingerprint Database containing hashes of critical Solaris executables http://sunsolve.Sun.com/pub-cgi/show.pl?target=content/content7
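The following is an added example of the file integrity checker idea described above: it is not code from the slides, from Tripwire, or from Sun’s Fingerprint Database. It builds a baseline of SHA-256 hashes for every regular file under a directory, stores it as JSON, and later compares a fresh scan against that baseline to report modified, added, and removed files. The directory layout, file names and "tampering" in demo() are constructed for the demonstration only.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """Return the hex SHA-256 digest of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk `root` and map each regular file's relative path to its digest.
    Symlinks are skipped so a link to a trusted file cannot mask a rogue one."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def save_baseline(baseline, dest):
    """Write the baseline as JSON. In a real deployment the file (and the
    checker itself) belong on read-only or offline media, not on the host."""
    Path(dest).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src):
    """Read a baseline written by save_baseline()."""
    return json.loads(Path(src).read_text())


def compare(baseline, current):
    """Report files whose hash changed, files added, and files removed."""
    modified = sorted(f for f in baseline if f in current and baseline[f] != current[f])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed demonstration: build a baseline, alter the tree, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "bin"
        root.mkdir()
        # Constructed stand-ins for critical executables (not real binaries).
        (root / "ls").write_bytes(b"original ls binary")
        (root / "ps").write_bytes(b"original ps binary")
        (root / "netstat").write_bytes(b"original netstat binary")
        baseline_path = Path(d) / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Constructed changes the checker should surface: one file replaced,
        # one unexpected file added, one file removed.
        (root / "ps").write_bytes(b"replaced ps binary")
        (root / "extra").write_bytes(b"unexpected file")
        (root / "netstat").unlink()

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the environment running it: if the host is already compromised, the hash tool, the Python interpreter, or the kernel’s view of the filesystem may lie, which is why the slides stress keeping the baseline off line and why checks are best run from known-clean media.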