During a server audit, a security administrator does not notice abnormal activity. However, a network security
analyst notices connections to unauthorized ports from outside the corporate network. Using specialized tools,
the network security analyst also notices hidden processes running. Which of the following has MOST likely
been installed on the server?
The MOST likely explanation is a rootkit. A rootkit is a collection of tools (programs) that provide and conceal
administrator-level access to a computer or network. Typically, an attacker installs a rootkit after first obtaining
user-level access, either by exploiting a known vulnerability or by cracking a password. Once installed, the rootkit
lets the attacker mask the intrusion and keep root or privileged access to the computer and, possibly, other
machines on the network.
A rootkit may include spyware and other programs that monitor traffic and keystrokes, create a "backdoor" into the
system for the attacker's use, alter log files, attack other machines on the network, and replace or hook existing
system tools (such as ps, ls and netstat) so they omit the attacker's files, processes and connections. That is why,
in the scenario above, the administrator's routine audit looked clean while an analyst using specialized tools and an
outside vantage point (the network) still saw the hidden processes and the connections to unauthorized ports.
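The hidden-process and unauthorized-port indicators in the scenario are usually found by comparing independent views of the same host, since a rootkit that trojans `ps` or `netstat` cannot also edit what the kernel reports elsewhere. The Python script below is an added example, not part of the original explanation or of any product: the process table, the `ps` listing, the `ss`-style socket listing and the port allowlist are constructed sample data, and `live_views` is a hypothetical helper that only runs on a Linux host.

```python
import os
import re
import subprocess

# Constructed sample data standing in for one host's views of itself;
# it is not captured from any real system.
SAMPLE_PROC_PIDS = {1, 2, 412, 777, 1337, 2048}      # what /proc lists
SAMPLE_PS_OUTPUT = """\
  PID CMD
    1 /sbin/init
    2 [kthreadd]
  412 /usr/sbin/sshd -D
 2048 -bash
"""
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:31337      0.0.0.0:*
tcp   ESTAB  0      0      10.0.0.5:4444      203.0.113.9:51234
"""
ALLOWED_PORTS = {22, 443}   # hypothetical baseline for this server


def pids_from_ps(ps_text):
    """Parse PIDs from `ps -e -o pid,cmd`-style output, skipping the header."""
    pids = set()
    for line in ps_text.splitlines()[1:]:
        m = re.match(r"\s*(\d+)\s", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def hidden_pids(kernel_view, tool_view):
    """PIDs the kernel reports that the user-space tool does not show.

    A trojaned or hooked `ps` drops the attacker's PIDs, but the kernel's
    own list still has them. Short-lived processes cause transient
    mismatches, so sample twice and report only PIDs hidden in both runs.
    """
    return sorted(kernel_view - tool_view)


def unauthorized_sockets(ss_text, allowed_ports):
    """Sockets from `ss -an`-style output whose local port is not allowed."""
    findings = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Netid":
            continue
        state, local, peer = fields[1], fields[4], fields[5]
        port = int(local.rsplit(":", 1)[1])
        if port not in allowed_ports:
            findings.append((state, port, peer))
    return findings


def live_views(max_pid=65536):
    """Collect three independent process views on a live Linux host.

    Returns None when not on Linux. The third view probes PIDs with
    os.kill(pid, 0) (PermissionError still means the PID exists), which
    bypasses /proc and catches rootkits that hide entries from directory
    listings but not from syscalls.
    """
    if not os.path.isdir("/proc"):
        return None
    proc_view = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    ps_out = subprocess.run(["ps", "-e", "-o", "pid,cmd"],
                            capture_output=True, text=True, check=True).stdout
    probe_view = set()
    for pid in range(1, max_pid):
        try:
            os.kill(pid, 0)
            probe_view.add(pid)
        except PermissionError:
            probe_view.add(pid)
        except ProcessLookupError:
            pass
    return proc_view, pids_from_ps(ps_out), probe_view


if __name__ == "__main__":
    print("hidden from ps:", hidden_pids(SAMPLE_PROC_PIDS, pids_from_ps(SAMPLE_PS_OUTPUT)))
    print("unauthorized sockets:", unauthorized_sockets(SAMPLE_SS_OUTPUT, ALLOWED_PORTS))
    views = live_views()
    if views:
        proc_view, ps_view, probe_view = views
        print("live, hidden from ps:", hidden_pids(proc_view, ps_view))
        print("live, hidden from /proc:", hidden_pids(probe_view, proc_view))
```

Run on the sample data, the script reports PIDs 777 and 1337 as hidden from `ps` and flags the listener on 31337 and the established connection from local port 4444. A kernel-mode rootkit can hide from all of these views at once, which is why a trustworthy verdict ultimately needs an offline check (booting from known-good media and comparing file hashes and the process list against the running system) rather than tools run on the suspect host.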
Rootkits were first documented in the early 1990s, when SunOS and Linux systems were the primary targets for an
attacker looking to install one. Today, rootkits exist for many operating systems, including Windows, and are
increasingly difficult to detect from within the compromised system.