Find the answer to your Linux question:
Results 1 to 4 of 4
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1

    how can i get infected by a rootkit

    hi all, a very general question:

    hello, lets say i am on my user account (ie, non-root) on computer with linux. how can i get infected by a rootkit? there are so many tutorials out there on rootkit detection/prevention/removal but i don't really know specifically how a computer can get infected by a rootkit.

    one way i can get infected with rootkits is some exploit letting the attacker open up a shell on my computer (with root access?) and install the rootkits on my computer.

    if i am not running as root, how can rootkits that target the kernel successfully attack my computer? lets say i execute some application that is a trojan horse, can my kernel be compromised?

    i am wondering how can something i don't have permission to write to (eg, kernel) when i am not running as root be compromised. One way i could find out is to infect my own computer with one but i rather not go there.


  2. #2
    Linux Engineer GNU-Fan's Avatar
    Join Date
    Mar 2008

    in a perfect world, an intruder who has gained non-privileged shell access could not install anything running with root or kernel rights.

    But any non-trivial real-world software has bugs, some of them making it possible to to slip through the security layer. For example, if there is a program that is imperfect but is installed with setuid rights by root, then every time this program does a mistake it does that mistake with root rights.

    Another possible attack was to install a program that "observes" the user, for example the text he enters into the keyboard. It wouldn't need root rights to do so. The next time this observed person types in the root password, the spy gained it too.

    For these reason I have a lemma: Every successful attack that resulted in a compromised user account equals a completely compromised system. Therefore the line of defense can only be placed in front of it.
    Debian GNU/Linux -- You know you want it.

  3. #3


    hello! thank you for your quick reply! i didn't really know what is setuid before this.
    Interesting lemma. I agree that in the non-ideal world, your lemma would be the 'best-fix'.

  4. $spacer_open
  5. #4
    Linux Engineer GNU-Fan's Avatar
    Join Date
    Mar 2008
    Your are welcome.

    Btw, there is a book that features such a scenario, describing how human mistakes and convenience make such attacks possible from a server administrator's perspective. It is a recommended read and I enjoyed reading it a lot.

    The Cuckoo's Egg)
    Debian GNU/Linux -- You know you want it.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts