LinuxQuestions.org
12-15-2012, 03:57 PM   #1
stoat (Member; Registered: May 2007; Distribution: LFS; Posts: 464)
An interesting LFS rootkit infection story...


It was originally posted in April of this year. I found it today while researching things for possibly installing rkhunter in BLFS. Anyway, the person is a long-time user of LFS in servers. One of his LFS systems got a rootkit while the firewall was temporarily down or modified for ssh access by remote maintenance personnel. He claims the malware failed to work and in fact gave itself away because it broke some things and couldn't run on his custom-built LFS machine. Bruce Dubbs made some interesting replies...
http://archives.linuxfromscratch.org...il/042484.html
I have always used Tripwire in BLFS as suggested in the replies by Dubbs. It's scheduled in my fcrontab to scan every folder and file at noon every day and mail the result to me. I'm now trying to decide if I would derive any benefit from adding rkhunter, which I always ran in the mainline distros. I'm not yet sure that I would be any better off, and I did notice in the anecdote above that rkhunter did not detect the rootkit.
 
12-15-2012, 05:45 PM   #2
unSpawn (Moderator; Registered: May 2001; Posts: 27,005; Blog Entries: 54)
Quote (Originally Posted by stoat):
He claims the malware failed to work and in fact gave itself away because it broke some things and couldn't run on his custom-built LFS machine.
Throughout the conversation that claim remains completely unsubstantiated plus there's the usual blaming of lusers, the admin "not having any time" ("there was no time to install it": he meant Tripwire Open Source IIRC) and not having implemented anything to alert on reconnaissance or detect the breach in time ("the intrusion took place 5 days before").


Quote (Originally Posted by stoat):
I have always used Tripwire (..)
It's better than running nothing.


Quote (Originally Posted by stoat):
It's scheduled in my fcrontab to scan every folder and file at noon every day and mail the result to me.
So basically at noon you open a 24 hour window, yes?


Quote (Originally Posted by stoat):
I did notice in the anecdote above that rkhunter did not detect the rootkit.
Unsubstantiated as well. We don't know any "rootkit" details, the RKH version, how it was configured, when it ran and with what results.


Quote (Originally Posted by stoat):
I'm now trying to decide if I would derive any benefit from adding rkhunter, which I always ran in the mainline distros. I'm not yet sure that I would be any better off
What most don't realize is that Rootkit Hunter is a host-based, passive, post-incident, path-based tool; the README says it:
Quote (Originally Posted by rkhunter/files/README):
ROOTKIT HUNTER AS PART OF YOUR SECURITY STRATEGY
================================================

Rootkit Hunter is a host-based, passive, post-incident, path-based tool.

- Host-based means it only diagnoses the host you run it on.
- Passive means it has to be scheduled or run manually.
- Post-incident means it can only be effective when a breach of security
is suspected, is in progress or has already occurred. Due to the nature of
software that hides processes and files it may be beneficial to run Rootkit
Hunter from a bootable medium if a breach of security is suspected and the
machine can be booted from a bootable medium.
- Path-based means RKH will check for filenames. It does not include or use
heuristics or signatures like for instance an antivirus product could. Do
understand that the SCANROOTKITMODE configuration option and "suspscan"
functionality are just crude attempts to try and bridge that gap.


Rootkit Hunter is best deployed as part of your security strategy.

- Most breaches of security are preceded by reconnaissance. Regular system
and log file auditing provides the necessary "early warning" capabilities.
- RKH does not replace, or absolve you from performing, proper host hardening.
Common administration errors that may result in a breach of security include
failing to apply updates when they are released, misconfiguration, lack of
access restrictions and lack of auditing.
Please see your distribution documentation and search the 'net.
- Do not rely on one tool or one class of tools. Consider installing same-class
tools like Chkrootkit or OSSEC-HIDS and consider overlap as a Good Thing.
Additionally it is suggested you install and use a separate filesystem
integrity scanner like Samhain, Aide, Integrit, Osiris (or even tripwire) to
provide you with a second opinion.
- Like with all data used for verifying integrity it is recommended to
regularly save a copy of your RKH data files off-site.
The same part holds clues as to what your security strategy should include. Let me know if, after reading it, something isn't clear to you.
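The README excerpt above draws a line between a path-based check (looking for known filenames) and a filesystem integrity scanner (comparing current file contents against a stored baseline), and earlier in the thread the point is made that a once-a-day Tripwire run leaves a window of up to 24 hours. The following Python script is an added illustration of that contrast; it is not code from rkhunter, Tripwire or the thread, and the "known bad" filenames, the sample tree and the tampering it simulates are all constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed list of "known" filenames for the path-based check. Not from
# rkhunter's real database; chosen only so the demo has something to look for.
KNOWN_BAD_PATHS = ["usr/bin/.hidden_helper", "dev/shm/.x"]


def path_based_scan(root: Path, known_bad: list[str]) -> list[str]:
    """Path-based check in the README's sense: report which known filenames
    exist under root. A file planted under an unlisted name, or a replaced
    binary kept under its original name, is invisible to this check."""
    return [rel for rel in known_bad if (root / rel).exists()]


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, dict]:
    """Record hash, size and mode for every regular file under root.
    This is the kind of data an integrity scanner stores; the README advises
    keeping a copy of it off the host so it cannot be quietly rewritten."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.lstat()
            baseline[str(p.relative_to(root))] = {
                "sha256": sha256_of(p),
                "size": st.st_size,
                "mode": oct(st.st_mode),
            }
    return baseline


def verify_baseline(root: Path, baseline: dict[str, dict]) -> dict[str, list[str]]:
    """Compare the tree as it is now against a stored baseline and report
    files that were added, removed or changed since the baseline was taken."""
    current = build_baseline(root)
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Build a constructed tree, baseline it, simulate tampering, then run
    both checks. Results are returned so they can be inspected or tested."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "usr/bin").mkdir(parents=True)
        ls = root / "usr/bin/ls"
        ls.write_bytes(b"#!/bin/sh\necho original ls\n")
        ls.chmod(0o755)
        baseline = build_baseline(root)

        # Simulated tampering (constructed): the binary is replaced under its
        # original name, and a file is dropped under a name not in any list.
        ls.write_bytes(b"#!/bin/sh\necho replaced ls\n")
        (root / "usr/bin/.not_in_any_list").write_bytes(b"dropped file\n")

        return {
            "path_scan": path_based_scan(root, KNOWN_BAD_PATHS),
            "integrity": verify_baseline(root, baseline),
        }


if __name__ == "__main__":
    result = demo()
    print("path-based scan found:", result["path_scan"])
    print("integrity check found:", result["integrity"])
```

Run as-is: the path-based scan reports nothing, while the baseline comparison flags `usr/bin/ls` as changed and the dropped file as added. Neither check runs by itself; both only report what has happened by the time they are scheduled, which is the "24 hour window" point made above, and the baseline is only trustworthy if the copy you compare against was stored somewhere the host cannot alter.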