How do rootkits get installed onto an Ubuntu server?
I've seen a few posts on checking for rootkits but haven't been able to find any information on how they get onto a Linux system. In particular, if you exploit a bug in a PHP web site (yes, I'm talking about Drupageddon here), is it possible to install a rootkit even though you can only run as the web server (www-data) and not as root? The very little information I've found about how these are installed suggests you have to be root to install them (see here).
Solution 1:
If it was me I would pursue the following method:
- Get a user to download and install a piece of software (#1). Have that software install the intended software. Hide a binary blob inside that application that lets you download software (i.e. a tool you can use to FTP, wget, etc.).
- Prompt for the admin account (#2) and use that to run an FTP or wget instance to download and install the rootkit.
Regarding #1: a user should never download random software when using Linux; use the appropriate channels (Ubuntu Software Center) to install software. If it is software that needs to be downloaded outside the appropriate channels, make sure the source of the download can be trusted. Think latest versions of Apache software or MySQL. Do not go around downloading random software without checking out different social media about the integrity of that application. Microsoft never centralized software; it resulted in lots of people dabbling with software so their user base is huge, but that also made it easy to get into computers and start gathering data they can sell.
Regarding #2: fatal user flaw. Never ever ever ever type in your admin password unless you know why it is asked.
Solution 2:
Yes, in general root permissions are required to install a rootkit. Many of the rootkits contain a module that is loaded into the kernel; others just overwrite tools typically used by root. In a properly set up and perfect system there would be no way to install the rootkit without root privileges, but...
- ...there might be problems with the system configuration making the system unsafe.
- ...there might be security bugs that allow a privilege elevation.
- ...there might be ways to trick a user with root permissions to run something evil.
The ways are as unlimited as the imagination of the intruder.
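As an added example, not from either answer, of the configuration problem Solution 2 mentions first: a script that audits the directories holding tools typically run by root (and the kernel module tree) and reports anything a non-root account such as www-data could modify, which is what would let such an account swap a tool without ever being root. The directory list and the account name are assumptions about a default Ubuntu layout.

```python
import grp
import os
import pwd
import stat

# Ubuntu defaults for root-run tools and kernel modules (assumption of this example).
ROOT_TOOL_DIRS = ["/bin", "/sbin", "/usr/bin", "/usr/sbin", "/lib/modules"]


def writable_by(st, uid, gids):
    """True if an account with this uid and group set could modify the object
    described by st, checking the owner, group and other write bits in turn."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_tool_dirs(dirs, uid, gids):
    """Return the sorted paths under dirs that the account could overwrite.
    A writable directory counts too: it lets the account replace a tool inside it."""
    findings = []
    for top in dirs:
        for dirpath, _subdirs, filenames in os.walk(top):
            for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable entry; skip rather than abort
                if stat.S_ISLNK(st.st_mode):
                    continue  # symlink mode bits are not meaningful on Linux
                if writable_by(st, uid, gids):
                    findings.append(path)
    return sorted(findings)


def account_ids(username):
    """Resolve a local account to (uid, set of gids) from the passwd/group databases."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids


if __name__ == "__main__":
    uid, gids = account_ids("www-data")  # the web-server account from the question
    for path in audit_tool_dirs(ROOT_TOOL_DIRS, uid, gids):
        print("writable by www-data:", path)
```

An empty report means the web-server account cannot replace those tools through file permissions alone; it says nothing about the kernel bugs or social engineering the other two points cover.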