Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm using Debian stable. What software would you recommend for detecting rootkits? Is there a liveCD distro specialized for that?
Is there some kind of database of md5 hashes and filesizes for kernel and other executables?
I presume .deb packages have hashes in repositories, but what about individual files?
Quote:
Originally Posted by qrange
I'm using Debian stable. what software would you recommend for detecting rootkits? is there a liveCD distro specialized for that?
Traditional rootkit incidents (I know of) have declined over the past five years to near zero. For most, rootkit "detection" amounts to running (passive) post-incident checks while (or due to) leaving pre-incident measures (hardening, auditing) out. Running Chkrootkit, Samhain, Rootkit Hunter or Aide is no substitute for proper host and service hardening. Also note you should never run one tool but correlate findings running as many tools as deemed necessary. Also note using verified safe copies of file integrity or package management databases means they have to be verified and backed up prior to an incident to be trusted. Since traditional rootkit components tend to subvert the kernel the best way indeed is running a Live CD to try and detect any changes in the filesystem. While I haven't checked them personally you may find tools on HELIX and KNOPPIX-STD. For more check http://www.livecdlist.com/purpose/forensics and http://www.livecdlist.com/purpose/security.
Quote:
Originally Posted by qrange
Is there some kind of database of md5 hashes and filesizes for kernel and other executables? I presume .deb packages have hashes in repositories, but what about individual files?
Debian 'debsigs --verify' appears to be a joke ("not implemented") and finding 'debsig-verify /path/package.deb' return "deb not signed" one wonders what policies the Vendor actually enforces. That leaves you with 'debsums'. Chicken-and-egg problem there is you are forced to (re-)generate hashes for files debsums doesn't know about. That in essence can only be done on a machine you can trust completely (meaning OS installed but not yet exposed to any network or local users).
BTW is there a reason why you're asking about rootkit detection?
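The two points above (verify files against the package manager's own hash lists, and keep a file-integrity baseline that was generated and backed up on a known-clean system before any incident) can be illustrated with a small Python script. This is an added example, not code from the thread, from debsums or from Debian; it assumes the dpkg `.md5sums` manifest format (`<md5>  <path relative to />`, one entry per line, as found under `/var/lib/dpkg/info/`), and runs entirely against a constructed temporary directory tree so it can be tried offline. The function and file names (`verify_manifest`, `build_baseline`, the fake `usr/bin/ls` and `usr/bin/ps`) are the example's own.

```python
"""Check files against a dpkg-style md5sums manifest and against a separately
stored file-integrity baseline. Added example; not from the thread or debsums."""
import hashlib
import os
import tempfile
from pathlib import Path


def parse_md5sums(text):
    """Parse dpkg's md5sums format: '<md5>  <path relative to />' per line.
    Returns {relpath: lowercase_hex_digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, relpath = line.partition("  ")
        entries[relpath] = digest.lower()
    return entries


def file_digest(path, algo="md5"):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(manifest, root):
    """Compare every manifest entry with the file under root.
    Returns {relpath: 'OK' | 'FAILED' | 'MISSING'} (debsums-style outcomes)."""
    results = {}
    for relpath, expected in manifest.items():
        p = Path(root) / relpath
        if not p.is_file():
            results[relpath] = "MISSING"
        elif file_digest(p) == expected:
            results[relpath] = "OK"
        else:
            results[relpath] = "FAILED"
    return results


def build_baseline(root, algo="sha256"):
    """Record (digest, size) for every regular file below root.
    Only trustworthy if root is a known-clean system; the result must be
    stored off-host (read-only media) before the machine is exposed."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_file() and not full.is_symlink():
                rel = str(full.relative_to(root))
                baseline[rel] = (file_digest(full, algo), full.stat().st_size)
    return baseline


def compare_baseline(baseline, root, algo="sha256"):
    """Re-hash root and report files that changed, vanished, or appeared.
    Unlike a package manifest, this also catches files no package owns."""
    current = build_baseline(root, algo)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: a tiny fake root with two 'binaries', a manifest and
    a baseline taken while clean, then three changes applied and both checks run."""
    with tempfile.TemporaryDirectory() as root:
        bindir = Path(root, "usr", "bin")
        bindir.mkdir(parents=True)
        (bindir / "ls").write_bytes(b"#!/bin/sh\necho ls\n")
        (bindir / "ps").write_bytes(b"#!/bin/sh\necho ps\n")

        # Stand-in for /var/lib/dpkg/info/<pkg>.md5sums, generated while clean.
        manifest_text = "\n".join(
            f"{file_digest(bindir / n)}  usr/bin/{n}" for n in ("ls", "ps")
        )
        manifest = parse_md5sums(manifest_text)
        baseline = build_baseline(root)

        # Constructed changes after the baseline: one file altered, one removed,
        # one unowned file added (a manifest check alone cannot see the last one).
        (bindir / "ps").write_bytes(b"#!/bin/sh\necho tampered\n")
        (bindir / "ls").unlink()
        (bindir / ".hidden").write_bytes(b"x")

        return verify_manifest(manifest, root), compare_baseline(baseline, root)


if __name__ == "__main__":
    manifest_results, baseline_diff = demo()
    for relpath, status in sorted(manifest_results.items()):
        print(f"manifest {status:8s} {relpath}")
    for kind, paths in baseline_diff.items():
        for relpath in paths:
            print(f"baseline {kind:8s} {relpath}")
```

The manifest check answers "does this file match what the package shipped", which is what debsums does; the baseline comparison additionally reports files that no manifest covers, which is where the chicken-and-egg problem from the post lives: a baseline is only as trustworthy as the system it was taken from and the place it was kept. Running either check from a Live CD against the mounted disk avoids trusting a possibly subverted kernel's view of the filesystem.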
UnSpawn wrote:
Traditional rootkit incidents (I know of) have declined over the past five years to near zero.
--------------------
Experience question, not a security question:
Why do you think rootkit incidents have declined? People getting better about administration? Hackers giving up on Linux and concentrating on Windows? Kernel getting tighter?
Linux hosting with a web panel is marketed as a cheap solution and for a lot of users who have no experience at all cheap is all that matters. They don't know and they don't care. (Not that having 15 years of "admin" experience makes one knowledgeable as we have seen here recently.) So. Given the cornucopia of problems you can find on the 'net within a five minute search radius, ranging from simply exposing unnecessary information to owners not knowing they're owned to sites carrying malware for other platforms to machines with a compromised web stack I'd say hell no.
Quote:
Originally Posted by moxieman99
Hackers giving up on linux and concentrating on Windows?
Generally speaking most of the time such a comparison is made in favour of Linux I instantly lose interest. The mcrsft - malware symbiosis (in terms of profit) is a completely different ecology. I'd rather focus on what harm might come our way instead.
Quote:
Originally Posted by moxieman99
Kernel getting tighter?
In terms of the LKMs not exporting certain symbols definitely helped. Doesn't mean our worrying days are over.
Quote:
Originally Posted by unSpawn
BTW is there a reason why you're asking about rootkit detection?
Yes, well, I'm suspecting something strange with my Debian stable. Dunno, could be just paranoia.. Also I heard the BIOS could be hacked too, and there is an unusual delay before GRUB starts loading.
I have problems with the network default gateway route, but that's in another thread.
anyway, I'll try your suggestions, for 'peace of mind'.
thanks.