LinuxQuestions.org
Old 10-25-2007, 03:46 PM   #1
Axaline
LQ Newbie
 
Registered: Oct 2007
Posts: 2

Rep: Reputation: 0
Help Me!! Rootkit


Hello and thank you for taking a look at my problem.
I have been fighting with a very vicious virus under win xp for months; it seemed to have taken control of my computer and was using it as a server.
I gave up my hard discs, xp and bought a new hard disc and installed linux suse. All fresh start. But here we go, problems begin again, all the same, and my biggest surprise is my user and administration panel, fully packed with users: Daemon, www daemon apache, nobody, etc...
This is insane, I tried to install rkhunter but do not seem to manage to find how. I am new to linux, which does not help, but good enough to see that something uses my computer.
I have taken some pictures of my system with the users window open, I do not know how to attach them here.
I do not know what to say, I am having a nervous breakdown, please help me get rid of it....
 
Old 10-25-2007, 04:04 PM   #2
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Rep: Reputation: 271Reputation: 271Reputation: 271
You're probably fine. There are a lot of users created in linux depending on what was installed. These users are "system" users and are used to keep other processes (like an apache webserver, for example) from running unauthorized commands. That's a security feature of linux. Now, that's not to say you don't have a rootkit, but I'd be surprised on a new install.

Here's a list of common system users. It's a bit dated, but should help answer some of your questions.
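Since the post above says the point of those "Daemon", "wwwrun" and "nobody" entries is to run services under accounts with no ordinary privileges, here is a check that makes the distinction concrete. It is an added example, not code from the thread or from any distribution: it classifies the lines of a passwd-format file into root, system and login accounts and then lists system accounts that still have an interactive shell, the one property on that list that is actually worth tightening. The UID boundary of 1000 is an assumption taken from the usual UID_MIN in /etc/login.defs, and the sample passwd content is constructed, not the poster's real file.

```shell
#!/bin/sh
# Added example, not from the thread: classify the entries of a passwd file
# into the root account, "system" accounts (the ones daemons such as apache run
# as) and ordinary login accounts, then list the system accounts that still
# have an interactive shell. The UID boundary comes from UID_MIN in
# /etc/login.defs; 1000 is an assumption, check your distribution's value.

UID_MIN=1000

# Constructed sample in /etc/passwd format (not the poster's real file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
axaline:x:1000:100:Axaline:/home/axaline:/bin/bash'

# classify_accounts [FILE]   (reads stdin when no file is given)
# Prints one line per entry: <class> <user> <uid> <shell>
classify_accounts() {
    awk -F: -v min="$UID_MIN" '
        NF >= 7 {
            if ($3 == 0)                       cls = "root"
            else if ($3 < min || $3 == 65534)  cls = "system"
            else                               cls = "login"
            printf "%s %s %s %s\n", cls, $1, $3, $7
        }' "$@"
}

# system_accounts_with_shell [FILE]
# Names of system accounts whose shell is neither /bin/false nor *nologin.
# A daemon account with a real shell is not evidence of a rootkit, but on a
# machine that only does mail and web browsing it is a setting worth locking
# down (usermod -s /bin/false <user>).
system_accounts_with_shell() {
    classify_accounts "$@" | awk '
        $1 == "system" && $4 !~ /(\/bin\/false|nologin)$/ { print $2 }'
}

# Run against the constructed sample, or pass a real passwd file as $1,
# e.g.  sh audit_accounts.sh /etc/passwd
if [ -n "${1:-}" ]; then
    system_accounts_with_shell "$1"
else
    printf '%s\n' "$SAMPLE_PASSWD" | classify_accounts
fi
```

On the constructed sample the second function reports `daemon` and `nobody`, because both are system accounts with /bin/bash as their shell; `wwwrun` and `sshd` are not reported since they already have /bin/false. The classification alone answers the original question: a long list of "system" lines is the normal result of an "install everything" SUSE setup, not a sign of intrusion.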
 
Old 10-25-2007, 04:06 PM   #3
matthewg42
Senior Member
 
Registered: Oct 2003
Location: UK
Distribution: Kubuntu 12.10 (using awesome wm though)
Posts: 3,530

Rep: Reputation: 63
It is not clear what you are saying or what question(s) you are asking.

When you say that you "see that something uses my computer", what do you mean?

You can upload your screenshots to a service like ImageShack and link to them (I'm not sure if you need to make a certain amount of posts before you can submit links - maybe).

For what purpose are you using the computer? If there are services which are running which you do not need we can help you to work out which ones may be shut off and how to do it, but we are not mind readers so there will be some dialogue first to work out what you need and what you don't.

If what you are looking for is a general security hardening / lockdown guide, you might want to have a look at this link.
 
Old 10-25-2007, 04:14 PM   #4
teabag_46
Member
 
Registered: Aug 2007
Posts: 35

Rep: Reputation: 15
Axaline, I wouldn't worry too much, the things you mention are supposed to be there (assuming you clicked 'zzz install everything' when you installed SuSe).

As far as Rootkithunter goes, I don't know if an RPM is available, but if there is, then try installing with yast.
If not, then you will have to try the tar file. There are instructions for installing included when you 'untar' the file.
 
Old 10-25-2007, 05:15 PM   #5
Axaline
LQ Newbie
 
Registered: Oct 2007
Posts: 2

Original Poster
Rep: Reputation: 0
Hi, thanks for helping.
Yes you are right, I have not been very clear, I am fairly stressed... I use it for my business, that is why I do not want to lose everything I worked on. I literally only use the internet for emails.

I had a look at your links and yes it is true there are lots of users under linux, my mistake. What happens is that the virus I had under windows was resistant to my formats, was disabling my antivirus and stopping my set ups. And today after installing Suse I wanted to install Rkhunter and it kept giving me error messages.

I probably got a bit paranoid, but that concerns me. And another problem is that I can not upload attachments to my emails and I am not using any proxy...

Do you reckon you could help me install Rkhunter and scan my system?

Cheers
 
Old 10-25-2007, 06:30 PM   #6
tredegar
LQ 5k Club
 
Registered: May 2003
Location: London, UK
Distribution: Debian "Jessie"
Posts: 6,085

Rep: Reputation: 398Reputation: 398Reputation: 398Reputation: 398
Relax, a little bit.
I'm a "normal" user, well maybe a bit geeky, but I've been running linux (on three different networks / places) for 3-5 years now (emails & web browsing, not running any kind of servers for apache, http, ftp, mail, or whatever).
Linux just works for me (and my [family & colleague] users: email & web-browsing).
Linux security is pretty tight. It's built that way. Just use it, especially if you are just sending / receiving emails and using the web for browsing. I do not think you have anything to fear.
I have not "scanned my system" in years. I do keep an eye out for the traffic light on my modem /router - there is nothing I would not expect. So, it's working. Just squeaky-clean fine.

This is one of the delights of running linux: It does the job. Sometimes it's a bit slow and "clunky" and awkward, but I'll happily put up with that for the peace of mind. I'm running / administering 7 PCs at three different locations, with idiots at most of them. They are happy: No viruses, no popups, no trojans, no mischief at all. No "HELP" calls to me since I got them off windows (and, truth be told, they haven't noticed the difference, for what they use the internet for).

I haven't installed rkhunters at any sites (but they are not offering services to the web, just using the www and email)

You might need to use rkhunter if you are running a website that is offering connections to the world, I think you are not.

So relax (but do not be stupid and submit your bank or paypal details) and enjoy the www as it should be

Get back here if you have further concerns, but compared to windows, linux is very reliable, and viruses and whatnot are not of any concern.

Enjoy!
 
Old 10-25-2007, 06:34 PM   #7
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Rep: Reputation: 271Reputation: 271Reputation: 271
I don't know much about opensuse, but try opening a program called YAST (which I think is Suse's package manager). Then search Yast for rkhunter and install it from the repositories. This should take care of dependencies. If it doesn't work, try posting what exactly the error is and maybe someone here can help you find it.

Also, Windows viruses don't work on linux.

Last edited by pljvaldez; 10-25-2007 at 06:37 PM.
 
Old 10-26-2007, 02:02 AM   #8
matthewg42
Senior Member
 
Registered: Oct 2003
Location: UK
Distribution: Kubuntu 12.10 (using awesome wm though)
Posts: 3,530

Rep: Reputation: 63

I think with SuSE you need to go through a normal migration process - evaluate your requirements systematically:
  • make a list of services which were being used on your old machine
  • make a list of client programs which will access the server
  • make a list of data which need to be transferred from the old system
  • decide if you need professional support

Then you need to go through each list and see if it is possible to implement these things under Linux. We can help you there. For some things there may be drop-in replacements such as IMAP email servers, FTP servers, SMB file servers.

For some things not - if you use MSSQL and need some feature which is particular to that product, there will be some changes you will need to do. Depending on what these things are it could be a deal breaker.

Find out if you can do it before you try it.

After that there's the how, and given that you are new to Linux this may take a lot of your time and there will be a learning curve to navigate. Again, forums like this can help with the how, but you must make your questions specific and provide a lot of details. A question like "How do I migrate my exchange server to linux" is far too general.

Understand that this process will take time. If you cannot spare the time to tinker with the server, you may want to consider hiring a consultant to help you plan and execute the migration. This will cost money, but if handling this tech issue is stopping you do other business, it might be cost effective. I do understand this may not be an option, but it's worth mentioning.

Quote:
Originally Posted by Axaline
What happens is that the virus I had under windows was resistant to my formats, was disabling my antivirus and stopping my set ups.
Well that's odd - the surviving of formatting. To me the most likely explanation seems that your system is getting re-infected by another machine on your network. When you do an installation after a malware infestation, you should be doing that installation without the machine being connected to your original network. You will have to get some network connectivity to download OS updates and virus definitions - you should do this on an isolated connection - a domestic DSL connection behind a NAT router (with conservative firewall settings) is OK, but not on the original network you were using.

There is a slim possibility your virus infestation was a very exotic kind which hides in the firmware of some device on the system, but I think this is unlikely. I don't work in the security field, but I keep up with a few of the hacker and security podcasts - I've heard mention of a few proof-of-concept malwares which can do this, but I didn't hear of them in the wild.

It also sounds as though your understanding of what the virus was and did is imprecise. If it is a known virus, try reading up and understanding what it does - this may help you understand what effects it caused, and maybe that some of the effects were caused by other things - bad configuration, hardware faults and so on.

Quote:
Originally Posted by Axaline
And today after installing Suse I wanted to install Rkhunter and it kept giving me error messages.
Software installation in SuSE is done through the YaST tool. At least it was a few years ago when I last used SuSE. Like most Linux distros, SuSE maintains large software "repositories", containing thousands of software packages which can be downloaded and installed through an integrated tool. YaST is SuSE's system "control panel", and one of the items in it is a software installer. Inside this there should be an option to search for programs, and when you find what you want you can select and install it.

Installing software this way (rather than downloading files from the net and installing them without the package manager), is a very good thing for security and maintainability. Security updates will come automatically for all software which is installed through the package manager. There is often some automatic setup done too, and the package manager tries to make sure that programs do not conflict with one another (e.g. by over-writing each other's files).

Quote:
Originally Posted by Axaline
I probably got a bit paranoid, but that concerns me. And another problem is that I can not upload attachments to my emails and I am not using any proxy...
A little paranoia is a good thing in the computing world at the moment, but don't let it make you act in a rash manner. You must be systematic and deliberate.

Here's a piece of platinum advice which might sound obvious, but far too few people follow it: Get a clean note pad and write down everything you do to your machine.

Yes, a paper notepad, not a file on your server. When you install a package, write it down. When you edit a config file, write it down. When you change a firewall rule, write it down.

Write down both what you tried to do, and how you did it. This will be very very useful if things go bad at some point in the future - especially if they go wrong in the middle of the night when you are too sleepy to think well.

Quote:
Originally Posted by Axaline
Do you reckon you could help me installing Rkhunter and scan my system?

Cheers
I hope a SuSE user can provide you some detailed instructions.

Last edited by matthewg42; 10-26-2007 at 02:03 AM.
 
Old 10-26-2007, 03:42 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529
Quote:
Originally Posted by Axaline
today after installing Suse I wanted to install Rkhunter and it kept giving me error messages.
Talking about error messages doesn't work, you'll have to read the README, FAQ and man page and if that doesn't help post the errors. Also Rootkit Hunter has a user mailinglist you can find at Sourceforge (subscribe before posting please). Also Rootkit Hunter contains a .spec file, so you should be able to build the RPM with 'rpmbuild -tb rkhunter-1.3.0.tar.gz' (or distro equiv.).

If you find your brand new O.S. installation is getting tainted while you're working on it I would suggest nuking the HD's first with something like DBAN, then do a minimal O.S. install on that cleaned disk w/o network access and hardening it properly before putting it on the 'net. (With "minimal" I mean you don't install services and applications you don't need immediately, especially anything that serves files or mounts or allows users access to the box). If you need more info on hardening please read / post in the Linux Security forum as that's what it's for.
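The post above defines "minimal" as not running anything that serves files or lets users into the box, and the earlier replies point out that a machine used only for email and browsing should have nothing of that kind listening. The check below turns that into something you can run after the install and before plugging the machine into the network. It is an added example, not code from the thread: it reads `ss -tulnp` style output (captured to a file, since showing process names for other users' sockets needs root) and prints only the sockets bound to a non-loopback address, i.e. the ones actually reachable from the network. The sample socket listing embedded in the script is constructed; it is not from the poster's machine, and the column layout it assumes is that of iproute2's `ss`, not of the older `netstat`.

```shell
#!/bin/sh
# Added example, not from the thread: list listening sockets that are reachable
# from the network, as a post-install "did I really install minimal?" check.
# Input is the output of:  ss -tulnp > listen.txt   (run as root so the
# process column is filled in for every socket).

# Constructed sample in `ss -tulnp` format; not a real capture.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.1:323       0.0.0.0:*         users:(("chronyd",pid=612,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=800,fd=3))
tcp   LISTEN 0      511    *:80                *:*               users:(("httpd",pid=900,fd=4))
tcp   LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=950,fd=20))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=800,fd=4))'

# exposed_listeners [FILE]   (reads stdin when no file is given)
# Prints "<netid> <port> <process>" for every socket whose local address is
# not loopback. Sockets on 127.0.0.0/8 or ::1 are skipped: they cannot be
# reached from other hosts, so they do not count as an exposed service.
exposed_listeners() {
    awk '
        NR == 1 { next }                          # skip the column header
        {
            laddr = $5
            port = laddr; sub(/.*:/, "", port)    # text after the last colon
            addr = laddr; sub(/:[^:]*$/, "", addr) # everything before it
            if (addr ~ /^127\./ || addr == "[::1]") next
            proc = "-"
            if (match($0, /\(\("[^"]+"/))         # users:(("name",pid=...
                proc = substr($0, RSTART + 3, RLENGTH - 4)
            printf "%s %s %s\n", $1, port, proc
        }' "$@"
}

# Run against the constructed sample, or pass a saved ss listing as $1,
# e.g.  ss -tulnp > listen.txt && sh check_listeners.sh listen.txt
if [ -n "${1:-}" ]; then
    exposed_listeners "$1"
else
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
fi
```

On the sample the script reports sshd on port 22 (IPv4 and IPv6) and httpd on port 80, while chronyd and mysqld are left out because they listen on 127.0.0.1 only. For a desktop that only sends mail and browses the web the expected output is empty; every line that does appear is a service to either remove (the post's advice) or deliberately keep and firewall.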