Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
Last month's "Tech Support" showed you how to monitor filesystem changes with Tripwire, a handy system utility that alerts you to all filesystem changes. Like SNORT and others, Tripwire's just one of many practical security measures that minds your system 24/7.
Another sentry tool is chkrootkit, a free utility that can detect rootkits, loadable kernel modules, worms, and other nefarious cracker tools. (A rootkit is a collection of tools used to mask intrusion, obtain administrator-level access and, install a backdoor on a target computer. A loadable kernel module, or LKM, is a piece of code that's loaded directly into the Linux kernel.) chkrootkit uses digital signatures to detect over fifty known rootkits and LKMs. It also uses some simple heuristics -- looking for hidden processes, hidden directories, and a few other simple checks -- to attempt to detect unknown kits.
chkrootkit is maintained by Nelson Murilo and is available from http://www.chkrootkit.org. After downloading the latest version of chkrootkit, verify the MD5 checksum, and unpack the tarball. Then type make sense in the build directory. After the build's complete, run the program by typing ./chkrootkit. You'll have to be root to run the chkrootkit tools.
By default, chkrootkit is quite verbose. You can use the -q flag to only output messages that indicate an "infection." Another useful flag is -p, which allows you to specify a path to the supplemental, external programs that chkrootkit uses. Running the external commands from a read-only media ensures that chkrootkit itself hasn't been tampered with.
Once you have everything working to your liking, run chkrootkit via cron using a command similar to...
Like any security program, the output of chkrootkit needs to be examined and interpreted to be useful. For example, chkrootkit may give output such as INFECTED (PORTS: 1999). While this may be a result of the Transcout backdoor, it may just be that a program that uses random ports greater than port 1023 is using the port.
Always a Good find
A few months back, "Tech Support" presented slocate as a replacement for the brute-force find /