There’s a rootkit in the closet

127 points by posthumangr about 15 years ago

4 comments

vog about 15 years ago
There’s something that puzzles me. The author found a rootkit and saw that it was integrated very deeply in the system. Yet he tried to fix the system *from within*!

Only after some failed attempts to download and install a new kernel, he finally did the Right Thing and shut down the server to analyze the hard disk from outside.

To everyone who encounters such a rootkit, I strongly recommend *skipping this second step*. If you see such a deeply integrated rootkit, shut down the computer immediately! *No fiddling!* Then, take out the hard disk and copy and analyze it as described in the article.

Otherwise, you’d enable the rootkit to hide its traces, and maybe destroy some data. You don’t learn anything from that fiddling. Satisfy your curiosity only *after perpetuating evidence*! (i.e. after copying the hard disk’s data)
ratsbane about 15 years ago
Upvoted both for the content and expository writing style. He did a nice job not just of solving the problem but also showing how he did it.
barrkel about 15 years ago
If this style of interception becomes popular, it seems to argue for a statically linked busybox or similar that uses syscalls directly.
Comment #1188739 not loaded
Comment #1189360 not loaded
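barrkel's point, that a tool issuing syscalls directly cannot be deceived by a hooked library, can be turned into a simple consistency check. The following C program (an added example for Linux, not code from the thread or from the article it discusses) counts a directory's entries once through libc's readdir() and once through the raw getdents64 syscall; a mismatch suggests userland (LD_PRELOAD-style) interception, while a kernel-level rootkit would fool both paths and needs the offline disk analysis vog describes.

```c
// Added example (Linux only): count a directory's entries via libc readdir() and
// via the raw getdents64 syscall; a hooked libc can filter the former, not the latter.
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Record layout returned by getdents64; libc headers do not export it. */
struct raw_dirent64 {
    unsigned long long d_ino;
    long long d_off;
    unsigned short d_reclen;
    unsigned char d_type;
    char d_name[];
};
/* Count entries with the raw syscall: no readdir(), nothing for a preloaded hook to filter. */
long count_entries_raw(const char *path) {
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[8192];
    long count = 0, n;
    while ((n = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0)
        for (long pos = 0; pos < n; count++)
            pos += ((struct raw_dirent64 *)(buf + pos))->d_reclen;
    close(fd);
    return n < 0 ? -1 : count;
}

/* Count entries through libc, the layer an LD_PRELOAD-style hook would tamper with. */
long count_entries_libc(const char *path) {
    DIR *dir = opendir(path);
    if (!dir) return -1;
    long count = 0;
    while (readdir(dir)) count++;
    closedir(dir);
    return count;
}

/* 1 when both views agree; 0 on a mismatch (possible userland interception) or on error. */
int listings_agree(const char *path) {
    long a = count_entries_raw(path), b = count_entries_libc(path);
    return a >= 0 && a == b;
}
int main(int argc, char **argv) {
    const char *p = argc > 1 ? argv[1] : "/";
    printf("%s: raw=%ld libc=%ld\n", p, count_entries_raw(p), count_entries_libc(p));
    return listings_agree(p) ? 0 : 1;
}
```

Run it against directories a rootkit would typically hide things in (/proc, /tmp, /usr/lib); on a clean host the two counts match, and a differing count on a live system is the signal to stop fiddling and image the disk.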
iman about 15 years ago
It's often said that privilege escalation under Linux is very easy. Why is Linux so insecure in this aspect?

Why does OpenBSD not suffer from local root exploits?