LinuxQuestions.org, Linux - Security forum
#1  qrange (Senior Member; registered Jul 2006; Belgrade, Yugoslavia; Debian stable/testing, amd64)  09-15-2010, 02:54 AM
detecting rootkits, hash


I'm using Debian stable. What software would you recommend for detecting rootkits? Is there a liveCD distro specialized for that?

Is there some kind of database of MD5 hashes and file sizes for the kernel and other executables?
I presume .deb packages have hashes in the repositories, but what about individual files?
 
#2  High-gain (Member; registered Dec 2004; London, UK; Mandriva 2007)  09-15-2010, 03:16 AM
Hi qrange,

Like yourself, I was uncertain on what to use to check for rootkits.

But I had some great advice from 'unSpawn' (moderator).

Try 'rkhunter' - I found it very easy to set up, although I did get help from the moderator as I am a newbie to Linux.

Don't forget to read the 'README' file first, which will explain a lot on how to set it up.

If you 'google' it then you will find lots of info there.
 
#3  unSpawn (Moderator; registered May 2001)  09-15-2010, 12:05 PM
Quote (qrange):
I'm using Debian stable. what software would you recommend for detecting rootkits? is there a liveCD distro specialized for that?

Traditional rootkit incidents (I know of) have declined over the past five years to near zero. For most, rootkit "detection" amounts to running (passive) post-incident checks while (or due to) leaving pre-incident measures (hardening, auditing) out. Running Chkrootkit, Samhain, Rootkit Hunter or Aide is no substitute for proper host and service hardening. Also note you should never run one tool but correlate findings, running as many tools as deemed necessary. Also note using verified safe copies of file integrity or package management databases means they have to be verified and backed up prior to an incident to be trusted. Since traditional rootkit components tend to subvert the kernel, the best way indeed is running a Live CD to try and detect any changes in the filesystem. While I haven't checked them personally you may find tools on HELIX and KNOPPIX-STD. For more check http://www.livecdlist.com/purpose/forensics and http://www.livecdlist.com/purpose/security.


Quote (qrange):
Is there some kind of database of md5 hashes and filesizes for kernel and other executables? I presume .deb packages have hashes in repositories, but what about individual files?
Debian 'debsigs --verify' appears to be a joke ("not implemented") and finding 'debsig-verify /path/package.deb' return "deb not signed" one wonders what policies the Vendor actually enforces. That leaves you with 'debsums'. Chicken-and-egg problem there is you are forced to (re-)generate hashes for files debsums doesn't know about. That in essence can only be done on a machine you can trust completely (meaning OS installed but not yet exposed to any network or local users).


BTW is there a reason why you're asking about rootkit detection?
 
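The two points in the post above, a baseline that is copied out and sealed before anything goes wrong, and a check that runs from a Live CD against the suspect disk mounted read-only, as an added example that is not code from the thread or from the debsums package. It reads dpkg's per-package /var/lib/dpkg/info/*.md5sums lists directly (the same files debsums uses), so it needs only POSIX sh and coreutils, which any Live CD provides. The mount point, the baseline directory and the two toy packages in the demo are my assumptions, constructed for the example; the demo also edits the on-disk md5sums list to match the trojaned file, which is what an attacker with root would do and is why the list read from the suspect disk cannot be trusted.

```shell
#!/bin/sh
# Added example, not code from the thread or from debsums: offline integrity
# check of a Debian root using dpkg's per-package md5sums lists.
# Assumptions (mine): the suspect root is mounted at $ROOT (e.g. /mnt from a
# Live CD) and the baseline lives at $BASELINE on media the attacker could
# not write to. Only POSIX sh and coreutils are used.

# take_baseline ROOT OUT
# Copy /var/lib/dpkg/info/*.md5sums out of a root you still trust (installed,
# not yet on the network) and seal the copies with a sha256 manifest.
take_baseline() {
    root=$1; out=$2
    mkdir -p "$out"
    cp "$root"/var/lib/dpkg/info/*.md5sums "$out"/
    (cd "$out" && sha256sum ./*.md5sums > MANIFEST.sha256)
}

# check_baseline OUT: refuse a baseline whose lists no longer match the manifest.
check_baseline() {
    (cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1)
}

# verify_md5sums BASELINE ROOT
# Prints one line per finding, "MISMATCH <pkg> /<path>" or "MISSING <pkg> /<path>".
# Returns 0 when every listed file matches, 1 otherwise.
verify_md5sums() {
    baseline=$1; root=$2; bad=0
    for list in "$baseline"/*.md5sums; do
        [ -e "$list" ] || continue
        pkg=$(basename "$list" .md5sums)
        # dpkg list lines look like "<md5>  usr/sbin/sshd" (path relative to /)
        while read -r sum rel; do
            [ -n "$rel" ] || continue
            f="$root/$rel"
            if [ ! -f "$f" ]; then
                echo "MISSING $pkg /$rel"; bad=1; continue
            fi
            actual=$(md5sum "$f" | cut -d' ' -f1)
            if [ "$actual" != "$sum" ]; then
                echo "MISMATCH $pkg /$rel"; bad=1
            fi
        done < "$list"
    done
    return $bad
}

# Constructed demo (no real disk): a toy root with two "packages". After the
# baseline is taken, sshd is replaced AND the on-disk md5sums list is rewritten
# to match the replacement. Prints the temp directory it created.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/root/bin" "$d/root/usr/sbin" "$d/root/var/lib/dpkg/info"
    printf 'trusted ls\n'   > "$d/root/bin/ls"
    printf 'trusted sshd\n' > "$d/root/usr/sbin/sshd"
    (cd "$d/root" && md5sum bin/ls)        > "$d/root/var/lib/dpkg/info/coreutils.md5sums"
    (cd "$d/root" && md5sum usr/sbin/sshd) > "$d/root/var/lib/dpkg/info/openssh-server.md5sums"
    take_baseline "$d/root" "$d/baseline"
    # the incident: trojaned sshd, on-disk list patched to hide it
    printf 'backdoored sshd\n' > "$d/root/usr/sbin/sshd"
    (cd "$d/root" && md5sum usr/sbin/sshd) > "$d/root/var/lib/dpkg/info/openssh-server.md5sums"
    echo "$d"
}

if [ "${1:-}" = "demo" ]; then
    D=$(make_demo)
    echo "== against the lists on the suspect disk (what debsums reads):"
    verify_md5sums "$D/root/var/lib/dpkg/info" "$D/root" && echo "   clean (false negative)"
    echo "== against the sealed pre-incident baseline:"
    check_baseline "$D/baseline" && verify_md5sums "$D/baseline" "$D/root" || echo "   tampering found"
    rm -rf "$D"
fi
```

Run it as `sh check.sh demo` to see the constructed case: the on-disk lists report the tampered tree as clean, the sealed baseline reports the MISMATCH. On a real Live CD the sequence is `mount -o ro /dev/sdXN /mnt`, then `verify_md5sums /media/baseline /mnt`. `debsums -c` on the running system does the same comparison, but it reads the lists from the disk it is checking and uses that host's md5sum and kernel, all of which a rootkit can lie about. Neither covers conffiles (debsums needs `-a` for those) or files created after install, and `debsums --generate=missing` only helps if it is run while the system is still trusted.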
#4  moxieman99 (Member; registered Feb 2004; dabbles, latest used Fedora 13 and Ubuntu 10.4.1)  09-15-2010, 03:17 PM
UnSpawn wrote:
Traditional rootkit incidents (I know of) have declined over the past five years to near zero.

--------------------
Experience question, not a security question:

Why do you think rootkit incidents have declined? People getting better about administration? Hackers giving up on linux and concentrating on Windows? Kernel getting tighter?
 
#5  unSpawn (Moderator; registered May 2001)  09-15-2010, 04:45 PM
Quote (moxieman99):
People getting better about administration?
Linux hosting with a web panel is marketed as a cheap solution and for a lot of users who have no experience at all cheap is all that matters. They don't know and they don't care. (Not that having 15 years of "admin" experience makes one knowledgeable as we have seen here recently.) So. Given the cornucopia of problems you can find on the 'net within a five minute search radius, ranging from simply exposing unnecessary information to owners not knowing they're owned to sites carrying malware for other platforms to machines with a compromised web stack I'd say hell no.


Quote (moxieman99):
Hackers giving up on linux and concentrating on Windows?
Generally speaking most of the time such a comparison is made in favour of Linux I instantly lose interest. The mcrsft - malware symbiosis (in terms of profit) is a completely different ecology. I'd rather focus on what harm might come our way instead.


Quote (moxieman99):
Kernel getting tighter?

In terms of the kernel, no longer exporting certain symbols to LKMs definitely helped. Doesn't mean our worrying days are over.
 
#6  qrange (original poster; Senior Member; Debian stable/testing, amd64)  09-16-2010, 05:47 AM
Quote (unSpawn):
BTW is there a reason why you're asking about rootkit detection?
Yes, well, I'm suspecting something strange with my Debian stable. I don't know, it could be just paranoia. Also I heard the BIOS could be hacked too, and there is an unusual delay before GRUB starts loading.
I have problems with the network default gateway route, but that's in another thread.
Anyway, I'll try your suggestions, for 'peace of mind'.
Thanks.
 
  


Tags: database, hash, md5, rootkits

