LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 09-15-2010, 02:54 AM   #1
qrange
Member
 
Registered: Jul 2006
Location: Belgrade, Serbia
Distribution: Debian
Posts: 692

Rep: Reputation: 28
detecting rootkits, hash


I'm using Debian stable. what software would you reccomend for detecting rootkits? is there a liveCD distro specialized for that?

Is there some kind of database of md5 hashes and filesizes for kernel and other executables?
I presume .deb packages have hashes in repositories, but what about individual files?
 
Old 09-15-2010, 03:16 AM   #2
High-gain
Member
 
Registered: Dec 2004
Location: London,UK
Distribution: Mandriva 2007
Posts: 156

Rep: Reputation: 15
Hi Grange -

Like yourself was uncertain on what to use
to check for rootkits.

But had some great advice from 'uSpawn' (moderator)

Try #'rkhunter' - I found it very easy to setup, although
I did get help from the moderator as I am a newbie to Linux.

Don't forget to read the 'README' file first, which will
explain a lot on howto set it up.

If you 'google' it then you will find lots of info there.
 
Old 09-15-2010, 12:05 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,518
Blog Entries: 51

Rep: Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598
Quote:
Originally Posted by qrange View Post
I'm using Debian stable. what software would you recommend for detecting rootkits? is there a liveCD distro specialized for that?
Traditional rootkit incidents (I know of) have declined over the past five years to near zero. For most rootkit "detection" amounts to running (passive) post-incident checks while (or due to) leaving pre-incident measures (hardening, auditing) out. Running Chkrootkit, Samhain, Rootkit Hunter or Aide is no substitute for proper host and service hardening. Also note you should never run one tool but correlate findings running as much tools as deemed necessary. Also note using verified safe copies of file integrity or package management databases means they have to be verified and backed up prior to an incident to be trusted. Since traditional rootkit components tend to subvert the kernel the best way indeed is running a Live CD to try and detect any changes in the filesystem. While I haven't checked them personally you may find tools on HELIX and KNOPPIX-STD. For more check http://www.livecdlist.com/purpose/forensics and http://www.livecdlist.com/purpose/security.


Quote:
Originally Posted by qrange View Post
Is there some kind of database of md5 hashes and filesizes for kernel and other executables? I presume .deb packages have hashes in repositories, but what about individual files?
Debian 'debsigs --verify' appears to be a joke ("not implemented") and finding 'debsig-verify /path/package.deb' return "deb not signed" one wonders what policies the Vendor actually enforces. That leaves you with 'debsums'. Chicken-and-egg problem there is you are forced to (re-)generate hashes for files debsums doesn't know about. That in essence can only be done on a machine you can trust completely (meaning OS installed but not yet exposed to any network or local users).


BTW is there a reason why you're asking about rootkit detection?
 
1 members found this post helpful.
Old 09-15-2010, 03:17 PM   #4
moxieman99
Member
 
Registered: Feb 2004
Distribution: Dabble, but latest used are Fedora 13 and Ubuntu 10.4.1
Posts: 407

Rep: Reputation: 78
UnSpawn wrote:
Traditional rootkit incidents (I know of) have declined over the past five years to near zero.

--------------------
Experience question, not a security question:

Why do you think rootkit incidents have declined? People getting better about administration? Hackers giving up on linux and concentrating on Windows? Kernel getting tighter?
 
Old 09-15-2010, 04:45 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,518
Blog Entries: 51

Rep: Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598
Quote:
Originally Posted by moxieman99 View Post
People getting better about administration?
Linux hosting with a web panel is marketed as a cheap solution and for a lot of users who have no experience at all cheap is all that matters. They don't know and they don't care. (Not that having 15 years of "admin" experience makes one knowledgeable as we have seen here recently.) So. Given the cornucopia of problems you can find on the 'net within a five minute search radius, ranging from simply exposing unnecessary information to owners not knowing they're owned to sites carrying malware for other platforms to machines with a compromised web stack I'd say hell no.


Quote:
Originally Posted by moxieman99 View Post
Hackers giving up on linux and concentrating on Windows?
Generally speaking most of the time such a comparison is made in favour of Linux I instantly lose interest. The mcrsft - malware symbiosis (in terms of profit) is a completely different ecology. I'd rather focus on what harm might come our way instead.


Quote:
Originally Posted by moxieman99 View Post
Kernel getting tighter?
In terms of the LKMs not exporting certain symbols definitely helped. Doesn't mean our worrying days are over.
 
1 members found this post helpful.
Old 09-16-2010, 05:47 AM   #6
qrange
Member
 
Registered: Jul 2006
Location: Belgrade, Serbia
Distribution: Debian
Posts: 692

Original Poster
Rep: Reputation: 28
Quote:
Originally Posted by unSpawn View Post
BTW is there a reason why you're asking about rootkit detection?
yes, well I'm suspecting something strange with my Debian stable. dunno, could be just paranoia.. also I heard bios could be hacked too and there is unusual delay before GRUB starts loading.
I have problems with network default gateway route, but thats in other thread.
anyway, I'll try your suggestions, for 'peace of mind'.
thanks.
 
  


Reply

Tags
database, hash, md5, rootkits


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
need help unpacking hmac-md5 hash into md5 hash lynx5 Programming 3 02-02-2008 04:06 PM
LXer: Linux Detecting Rootkits LXer Syndicated Linux News 0 01-28-2008 08:30 AM
LXer: Various ways of detecting rootkits in GNU/Linux LXer Syndicated Linux News 0 12-18-2006 03:21 AM
Using hash value as key for other hash in Perl scuzzman Programming 6 02-14-2006 05:08 PM
What are some symptoms of rootkits? pdeman2 General 7 01-02-2006 03:44 AM


All times are GMT -5. The time now is 11:39 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration