Case Studies

The following stories are all true. In the first case, the names and a few details have been changed to protect people’s jobs. The second and third stories are based on actual cases that took place at Vineyard.NET, an Internet Service Provider that is partly owned by one of the authors.

Rootkit

Late one night, a part-time computer consultant at a Seattle-based firm logged into one of the computers that he occasionally used. The system seemed sluggish, so he ran the top command to get an idea of what was slowing the system. The consultant noticed that a program called vs was consuming a large amount of system resources. The program was running as superuser.

Something didn’t look right. To get more information, the consultant ran the ps command. That’s when things got stranger still—the mysterious program didn’t appear when ps was run. So the consultant used the top command again, and, sure enough, the vs program was still running.

The consultant suspected a break-in. He started looking around the filesystem using the Emacs dired command and found the vs program in a directory called /var/.e. That certainly didn’t look right—why was a program running in a hidden directory on the /var/ partition? So the consultant went to his shell window, did a chdir( ) to the /var directory, and then did a ls -a. But the ls program didn’t show the directory /var/.e. Nevertheless, the program was definitely there: it was still visible from the Emacs dired command.

The consultant was now ...

Get Practical UNIX and Internet Security, 3rd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.