Basics 1: The Intruder's Goal
What's the major goal for a UNIX intruder? Why would he or she concentrate so much effort on a small machine left in a corner, a machine with no information whatsoever? It seems to defy common sense! You're looking at a half-dozen contaminated machines that seem to really like this one dinky box with no known owner.
"This must be an amateur" is a common comment, but you know otherwise: UNIX intruders love root. Root is the superuser. Root is the meaning of life. Root is the entire goal for an intruder. Many intruders will pass over truly vital information just to gain root itself. Gaining root on a box, any box, is the end goal.
Why? Root is the Rosetta Stone. Gain root on one box, and soon the whole UNIX environment unravels, as we'll see in later articles in this series. As root, maybe you'll find embedded passwords in scripts, now rendered readable to the mighty root. Maybe the company is stupid enough to trust rsh and rlogin, themselves rooted only in trusting IP addresses and client-supplied user IDs.
Root across the enterprise is an initial goal for those who want more: instantaneous access throughout the network. And this clown got it, on an unpatched box full of holes, but trusted by the remainder of the environment. Imagine living in a million-dollar subdivision that's located next to an abandoned house, just waiting to become a crackhouse. Would you trust just anyone in the environment? Yet many companies have a similar setting with their UNIX trust relationships, and this explains how one box is a portal to greater things. When reviewing odd settings on a system, and you're trying to determine whether they are part of an intrusion, work out how those settings might help gain root here or let root on another box gain root here. Suspect something more than an honest mistake.
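The rsh/rlogin trust described above lives in /etc/hosts.equiv and per-user .rhosts files, and the dangerous settings are the wildcards. The following audit script is an added example, not part of the original article; the file contents are constructed samples, and the parsing follows the documented "hostname [username]" format where a leading "+" is a wildcard and a leading "-" is a denial.

```python
"""Audit rsh/rlogin trust files for entries that extend root-level trust to other hosts."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustFinding:
    path: str
    lineno: int
    host: str
    user: str
    reason: str


def parse_trust_line(line: str):
    """Return (host, user) for one hosts.equiv/.rhosts entry, or None for blank/comment lines."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    parts = text.split()
    return parts[0], (parts[1] if len(parts) > 1 else "")


def audit_trust_file(path: str, content: str, is_hosts_equiv: bool) -> list[TrustFinding]:
    """Flag wildcard and over-broad grants; explicit '-' denials are skipped."""
    findings: list[TrustFinding] = []
    for lineno, line in enumerate(content.splitlines(), 1):
        parsed = parse_trust_line(line)
        if parsed is None:
            continue
        host, user = parsed
        if host.startswith("-") or user.startswith("-"):
            continue  # a denial entry, not a grant
        if host == "+":
            findings.append(TrustFinding(path, lineno, host, user, "any host is trusted"))
        if user == "+":
            findings.append(TrustFinding(path, lineno, host, user, "any remote user is trusted"))
        elif is_hosts_equiv and user:
            # In hosts.equiv a named user on that host may log in as any local non-root account.
            findings.append(TrustFinding(path, lineno, host, user, "remote user may become any local user"))
    return findings


# Constructed sample files (not taken from any real system).
SAMPLE_HOSTS_EQUIV = "# build farm\nbuildbox\n+\ndevserver +\n"
SAMPLE_ROOT_RHOSTS = "backup.example.internal root\n+ +\n"


def audit_samples() -> list[TrustFinding]:
    """Run the audit over both constructed files; a .rhosts in root's home grants root directly."""
    return (audit_trust_file("/etc/hosts.equiv", SAMPLE_HOSTS_EQUIV, True)
            + audit_trust_file("/root/.rhosts", SAMPLE_ROOT_RHOSTS, False))
```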