LinuxQuestions.org > Linux - Security > several questions about viruses on linux
https://www.linuxquestions.org/questions/linux-security-4/several-questions-about-viruses-on-linux-772600/

abd_bela 12-01-2009 01:23 AM

several questions about viruses on linux
 
Hi,
I am asking: if there is a virus on my machine, how do I detect it?
The command ps aux gives all running processes, all, really all? Or may there be a hidden process running in the background?
Until now, I considered that a virus doesn't affect a system if you work as a simple user,
and can't damage the system without root permission. Am I right, or can a virus get root privileges??
Another thing on Linux: a program can't run if it is not executable, it must have the "x" permission, and if we copy a file normally it loses the x permission.
This is what I believe up to now, am I right??
Thanks for help
bela

Web31337 12-01-2009 02:11 AM

Basically, a virus is made by a script-kiddie, designed to destroy data or do some other very stupid things.
Backdoors/trojans are gateways into your system for some more mature guys, probably hunting for your data or just your system resources (network channel, CPU).
But what you are looking for is rootkits.
Rootkits can hide their own/desired processes, files, directories and other objects. Google for Linux rootkits; I'm sure you will find all the answers you need.
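The OP asks whether ps aux really shows everything, and the reply above says rootkits can hide processes. The check below is an added example (not code from this thread or from any rootkit detector it mentions) of how a defender can look for that: it compares three views of the process table, the /proc directory listing that ps reads, the output of the ps binary itself, and a brute-force probe that asks the kernel about every PID with kill(pid, 0), which does not depend on the directory listing a rootkit may filter. Thread IDs and processes that exit mid-scan are discarded so they do not show up as false alarms.

```python
import os
import subprocess


def proc_pids():
    """PIDs obtained by listing /proc, which is what ps and top read."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids():
    """PIDs reported by the ps binary; differs from proc_pids() if ps was replaced."""
    out = subprocess.run(["ps", "-eo", "pid", "--no-headers"],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def thread_ids(pids):
    """Thread IDs of the listed processes; kill() answers for these too,
    so they must not be mistaken for hidden processes."""
    tids = set()
    for pid in pids:
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except OSError:  # process exited while we were scanning
            pass
    return tids


def visible_ids():
    """Every PID and TID that the /proc listing accounts for."""
    listed = proc_pids()
    return listed | thread_ids(listed)


def pid_max():
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except OSError:
        return 32768  # historical default, used only if the sysctl is unreadable


def probe_pids(lo=1, hi=None):
    """Brute-force probe: ask the kernel about every PID with kill(pid, 0).
    ProcessLookupError (ESRCH) means no such process; PermissionError (EPERM)
    means it exists but belongs to another user, so it counts as present."""
    if hi is None:
        hi = pid_max()
    found = set()
    for pid in range(lo, hi + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def hidden_pids(reference, visible):
    """PIDs present in the reference view but missing from the visible view."""
    return set(reference) - set(visible)


def self_is_visible():
    """Sanity check: our own PID must appear in both the probe and the listing."""
    me = os.getpid()
    return me in probe_pids(me, me) and me in proc_pids()


def scan():
    """PIDs that answer to kill() but are absent from the /proc listing.
    The scan is racy (a process started after visible_ids() looks hidden),
    so each candidate is re-checked before it is reported."""
    candidates = hidden_pids(probe_pids(), visible_ids())
    return {p for p in candidates if probe_pids(p, p) and p not in visible_ids()}


if __name__ == "__main__":
    print("listed in /proc but dropped by ps:", hidden_pids(proc_pids(), ps_pids()))
    print("answer to kill() but not listed in /proc:", scan())
```

An empty result from scan() is not proof of a clean system: a kernel-level rootkit can hook the system calls the probe relies on, which is why the later posts recommend checking from a live CD with the suspect filesystem offline.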

unixfool 12-01-2009 08:58 AM

Script kiddies aren't usually bright enough to create viruses on their own. Viruses are normally created by the more intelligent of the darkside. Script kiddies tend to 'borrow' technology from their more intelligent counterparts.

Conficker is a virus (been using the Conficker example in my last few posts). It doesn't care who is on the other end. Viruses usually affect systems with code vulnerabilities (Blaster/Sasser), or buffer overflows, or a combination. What makes viruses successful at infection is the fact that they need to be executed with system and/or admin/root privileges. Normally, a normal user account won't be sufficient to hose a whole system...the compromise needs system-level privileges to take control of system processes. Normal users normally have limited privileges. Viruses propagate on their own.

Trojans and other malware also work in a similar manner but usually use user stupidity/ignorance to gain access. They can also be transferred manually to an already compromised machine. SubSeven and BackOrifice are trojans that rely on a malicious user sending the trojan to an unsuspecting individual. The trojan may be named "funny.exe". The receiver double-clicks the file (and may well be doing it using an Admin account) and activates the trojan. The trojan can keylog or look for activation/registration codes. It can gather credit card info or log personal information. It can turn the compromised machine into a bot and have it join a botnet. Trojans propagate normally via social engineering, but can be manually installed (once the malicious user has a proper way into the system...bruteforcing accounts, for example).

scourge99 12-01-2009 11:41 AM

Quote:

Originally Posted by unixfool (Post 3775710)
Script kiddies aren't usually bright enough to create viruses on their own. Viruses are normally created by the more intelligent of the darkside. Script kiddies tend to 'borrow' technology from their more intelligent counterparts.

Conficker is a virus (been using the Conficker example in my last few posts). It doesn't care who is on the other end. Viruses usually affect systems with code vulnerabilities (Blaster/Sasser), or buffer overflows, or a combination. What makes viruses successful at infection is the fact that they need to be executed with system and/or admin/root privileges. Normally, a normal user account won't be sufficient to hose a whole system...the compromise needs system-level privileges to take control of system processes. Normal users normally have limited privileges. Viruses propagate on their own.

Trojans and other malware also work in a similar manner but usually use user stupidity/ignorance to gain access. They can also be transferred manually to an already compromised machine. SubSeven and BackOrifice are trojans that rely on a malicious user sending the trojan to an unsuspecting individual. The trojan may be named "funny.exe". The receiver double-clicks the file (and may well be doing it using an Admin account) and activates the trojan. The trojan can keylog or look for activation/registration codes. It can gather credit card info or log personal information. It can turn the compromised machine into a bot and have it join a botnet. Trojans propagate normally via social engineering, but can be manually installed (once the malicious user has a proper way into the system...bruteforcing accounts, for example).

I often hear Unix supporters claim that Unix systems "can't get viruses" like Windows does because of something inherently different between the two. While I agree that Windows is more prone to viruses because of its market share and fundamentally different set of vulnerabilities, I don't believe this makes Unix systems any less capable of contracting and spreading viruses. Perhaps they are referring to something more specific? Could anyone shed some light on this?

Jim Bengtson 12-01-2009 11:58 AM

Quote:

Perhaps they are referring to something more specific? Could anyone shed some light on this?
Windows has in the past been configured "out of the box" to be more insecure than Unix/Linux. That is, by default many more things are set to an insecure setting than is the case in U/L. A knowledgeable administrator can make Windows as secure as U/L, but has to change many settings to do so. An untrained newbie can make U/L as insecure as Windows, but has to change many settings to do so.

Thankfully, Windows is becoming more secure out of the box. But as a result of its insecure reputation and broad market share, many more attacks (virii, trojans, malware, etc.) have been specifically written for the Windows platform than have been written for the U/L platforms, and most of those written for Windows will simply not run on U/L (unless Windows code has been introduced into U/L via WINE or some similar program).

If you set up two identical servers, one running the latest version of Windows server using default settings and the other running the latest version of any major distribution of Unix or Linux, using default settings, both will be hit by attacks, and both will likely succumb. But the Windows server will be hit by more attacks, and a greater variation of attacks, than the Unix/Linux server.

scourge99 12-01-2009 12:26 PM

Quote:

Originally Posted by Jim Bengtson (Post 3775892)
Windows has in the past been configured "out of the box" to be more insecure than Unix/Linux. That is, by default many more things are set to an insecure setting than is the case in U/L.

Out of curiosity what are some of these things?

I know that Windows didn't have the ring structure that Unix uses implemented very well until recently: admin, user, guests.

If you know of anything off the top of your head or can refer me to something that XP, Vista, or Win7 is lacking in comparison to standard Unix distros that would be great.

Quote:

Originally Posted by Jim Bengtson (Post 3775892)
most of those written for Windows will simply not run on U/L (unless Windows code has been introduced into U/L via WINE or some similar program).

How about vice versa? Is malware written for Linux easily compatible with Windows? I would think not.

Jim Bengtson 12-01-2009 12:41 PM

Here's an article on the subject:

Linux vs. Windows: Which Is Most Secure?
By Kenneth van Wyk, eSecurityPlanet.com
http://www.esecurityplanet.com/views...ost-Secure.htm

He also compared Windows to Mac, and Mac to Linux.

jschiwal 12-01-2009 01:14 PM

The Linux version of a Windows virus is a malicious LKM (Loadable Kernel Module) trojan. An attacker needs to exploit a service to gain root access and then replace one of your kernel modules with his own version. Also, if an attacker gets root access, he will replace utilities such as ps and top to try to conceal his own processes.

One defense used for servers is to compile a flat kernel that doesn't have LKM support.

You can use rkhunter and chkrootkit to try to detect the presence of a rootkit. Even more important, these programs check for security issues that could lead to a compromise. There is also AIDE, which performs an md5sum on important system files. It is best performed after a clean install with the database saved on write-once media such as a CDROM.

You can do the same thing yourself manually, and compare the files in /lib/modules/, /bin/, /sbin/ and /usr/sbin/ with newly computed results. For maximum assurance, do so with the filesystem off-line, from a live CD.

Most importantly, use a new version of Fedora. Your Red Hat 7.3 is ancient. Apply security updates promptly and don't disable SELinux protection.
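jschiwal's advice is to baseline /lib/modules, /bin, /sbin and /usr/sbin after a clean install and later compare freshly computed hashes against that baseline. The script below is an added example of doing that by hand (it is not AIDE, rkhunter or chkrootkit, and not code from this thread): it records a digest plus mode and ownership for every regular file under the named roots, saves the result as JSON for your write-once medium, and classifies a later scan into added, removed and changed files. It uses sha256 rather than the md5sum the post mentions, which is my choice; demo_in_tempdir() builds a constructed fake bin directory so the workflow can be seen without touching the real system.

```python
import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path

# Directories the post names as the ones worth baselining.
DEFAULT_ROOTS = ["/lib/modules", "/bin", "/sbin", "/usr/sbin"]


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large kernel modules do not land in memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(roots, algo="sha256"):
    """Record digest, mode and ownership of every regular file under the roots.
    Symlinks are skipped; a swapped target shows up as a change on the target."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                st = os.stat(path)
                baseline[path] = {"digest": file_digest(path, algo),
                                  "mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid}
    return baseline


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh scan."""
    old, new = set(baseline), set(current)
    return {"added": sorted(new - old),
            "removed": sorted(old - new),
            "changed": sorted(p for p in old & new if baseline[p] != current[p])}


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo_in_tempdir():
    """Constructed demonstration on a fake bin directory: between baseline and
    check, one tool is replaced, one is removed and one unexpected file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_bin = Path(tmp, "bin")
        fake_bin.mkdir()
        for name in ("ps", "ls", "top"):
            (fake_bin / name).write_bytes(b"#!/bin/sh\necho original %s\n" % name.encode())
        baseline = build_baseline([str(fake_bin)])
        (fake_bin / "ps").write_bytes(b"#!/bin/sh\necho replaced ps\n")  # replaced tool
        (fake_bin / "top").unlink()                                       # removed tool
        (fake_bin / "nc").write_bytes(b"#!/bin/sh\necho new binary\n")   # unexpected addition
        report = compare(baseline, build_baseline([str(fake_bin)]))
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    # usage: script.py init baseline.json | script.py check baseline.json | script.py
    if len(sys.argv) == 3 and sys.argv[1] == "init":
        save_baseline(build_baseline(DEFAULT_ROOTS), sys.argv[2])
    elif len(sys.argv) == 3 and sys.argv[1] == "check":
        print(json.dumps(compare(load_baseline(sys.argv[2]), build_baseline(DEFAULT_ROOTS)), indent=1))
    else:
        print(demo_in_tempdir())
```

As the post says, the comparison is only trustworthy if the baseline was taken on a clean system and the check runs from a live CD with the suspect filesystem mounted read-only; a replaced ps or a kernel module on the running system can lie to the scanner just as it lies to ps.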

MBybee 12-01-2009 01:45 PM

Quote:

Originally Posted by jschiwal (Post 3775965)
The Linux version of a Windows virus is a malicious LKM (Loadable Kernel Module) trojan. An attacker needs to exploit a service to gain root access and then replace one of your kernel modules with his own version. Also, if an attacker gets root access, he will replace utilities such as ps and top to try to conceal his own processes.

One defense used for servers is to compile a flat kernel that doesn't have LKM support.

You can use rkhunter and chkrootkit to try to detect the presence of a rootkit. Even more important, these programs check for security issues that could lead to a compromise. There is also AIDE, which performs an md5sum on important system files. It is best performed after a clean install with the database saved on write-once media such as a CDROM.

You can do the same thing yourself manually, and compare the files in /lib/modules/, /bin/, /sbin/ and /usr/sbin/ with newly computed results. For maximum assurance, do so with the filesystem off-line, from a live CD.

Most importantly, use a new version of Fedora. Your Red Hat 7.3 is ancient. Apply security updates promptly and don't disable SELinux protection.


Just to build on these points, part of the reason isn't the ring/security structure (NT actually has a finer-grained and more comprehensive ACL and security setup than most Unix implementations); it's the way the systems are used.

Unix is just far older. Most of the good tricks to secure a Unix system have been well known for longer than Windows has existed. Some of these have had to be re-learned in the Linux era (since Linux isn't actually a Unix port, it's a reimplementation from scratch). Some of these have even been abandoned outside of 'production' environments entirely because users are lazy.

Here are a few things that can help armor a Unix system:
1) A properly configured system has /usr, /boot, and sometimes even /etc mounted read only. The only way to update or change files here is to unmount and remount the volumes... as root, of course. Yes, that means every time you install a (well-tested) update.
2) No user has root escalation except for a tiny subset of admin users - and those users are heavily audited.
3) Jails are used to prevent processes from 'climbing' the tree and accessing files they shouldn't be allowed to access.
4) No processes run as root if it can possibly be prevented (some things require root - but it's a super short list).
5) Surface area reduction is done by removing all extraneous daemons (services), executables, users, and components. A properly configured Unix box should never answer on any port except for the ones it is intentionally hosting (http/db/ssh/nfs, etc).
6) All user processes run as the owner, and the owner has rights to essentially nothing outside of their home share and possibly a 'group' share.
7) Everything is audited and tracked, and alerts are generated.


Things like this are inconvenient under a desktop Linux, but there are guides to help any user do this. It doesn't require any really specialized knowledge, just care.
http://www.debian.org/doc/manuals/se...-debian-howto/
http://security.freebsd.org/

For what it's worth, Windows servers can be (and often are) likewise hardened. It's the desktops that are often the problem.
http://www.nsa.gov/ia/guidance/secur...html#microsoft

The thing is, most people running Linux just install everything into one giant partition, don't encrypt swap, give their passwords to everything that prompts for it, browse the web (with Flash enabled) as high priv users, and generally just make a mess of things. This same behavior under OSX and Windows leads to their relative 'virus prone' states. In this mode, Linux and OSX are only slightly harder to penetrate than Windows 7/Vista, and easier than XP only if you use a default admin user. The inherent safeguards have all been removed in the name of expedience.

<edit> One thing worth noting though - using a 'pluggable' kernel model (like LKM, mentioned by the prev poster) also opens some holes. It's why the BSD guides often recommend disabling this feature. I don't think that's even possible under Windows </edit>

If you care to take time, any OS can be made reasonably secure.
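Two of the items on the list above (read-only /usr and /boot, and no listening port that the box is not intentionally hosting) can be checked mechanically from /proc. The script below is an added example of such an audit, not code from this thread or from the Debian, FreeBSD or NSA guides it links. It parses /proc/mounts and /proc/net/tcp in the kernel's own formats; the SAMPLE_ constants are constructed inputs (the address columns assume x86 host byte order, as the kernel writes them), and the allowlisted ports in the live run are an assumption you would replace with what the machine is meant to serve.

```python
import socket
import struct

# Constructed sample of /proc/mounts: /boot is read-only, /usr is not.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda1 /boot ext4 ro,relatime 0 0
/dev/sda3 /usr ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""

# Constructed sample of /proc/net/tcp: header row plus four sockets. Addresses are
# hex in host byte order (little-endian on x86); state 0A is LISTEN, 01 is ESTABLISHED.
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
   3: 0100000A:0016 0200000A:C2A4 01 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000 100 0 0 10 0
"""


def parse_mounts(text):
    """Map mount point -> set of mount options. /proc/mounts escapes spaces as \\040."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint = fields[1].replace("\\040", " ")
        mounts[mountpoint] = set(fields[3].split(","))
    return mounts


def readonly_violations(mounts, required=("/usr", "/boot")):
    """Point 1 of the list: each required tree should be its own read-only mount."""
    problems = {}
    for mp in required:
        if mp not in mounts:
            problems[mp] = "not a separate mount"
        elif "ro" not in mounts[mp]:
            problems[mp] = "mounted rw"
    return problems


def _decode_addr(hexaddr):
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_listening_tcp(text):
    """Point 5 of the list: every IPv4 TCP socket in LISTEN state, as (address, port)."""
    listeners = set()
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A":
            listeners.add(_decode_addr(fields[1]))
    return listeners


def unexpected_listeners(listeners, allowed_ports, ignore_loopback=True):
    """Listeners outside the allowlist. Loopback-only services are skipped by
    default because they do not answer on the wire."""
    return sorted((ip, port) for ip, port in listeners
                  if port not in allowed_ports
                  and not (ignore_loopback and ip.startswith("127.")))


def audit(mounts_text, tcp_text, allowed_ports):
    return {"readonly": readonly_violations(parse_mounts(mounts_text)),
            "listeners": unexpected_listeners(parse_listening_tcp(tcp_text), allowed_ports)}


if __name__ == "__main__":
    # Live run against the real files; the allowed ports are an assumption for this box.
    try:
        with open("/proc/mounts") as m, open("/proc/net/tcp") as t:
            print(audit(m.read(), t.read(), allowed_ports={22, 80, 443}))
    except OSError:
        print("no /proc here, auditing the constructed sample instead:")
        print(audit(SAMPLE_MOUNTS, SAMPLE_NET_TCP, allowed_ports={22, 80}))
```

Against the constructed sample with ports 22 and 80 allowed, the audit flags /usr as mounted rw and reports no unexpected listener, because the only other LISTEN socket (631) is bound to 127.0.0.1; pass ignore_loopback=False to see it. IPv6 listeners live in /proc/net/tcp6 with 32-hex-digit addresses and would need a second parser.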

chrism01 12-01-2009 06:18 PM

Quote:

I often hear Unix supporters claim that Unix systems "can't get viruses" like Windows does because of something inherently different between the two.
That's probably a slight misquote/mis-hear. U/L systems can't get MS(!) viruses, because MS binary executables won't run under Linux (unless inside e.g. Wine or e.g. VMWare) due to a completely different definition of what a binary executable looks like in Linux.
Something like 99% of the viruses in the wild are MS specific.

unixfool 12-01-2009 11:34 PM

Quote:

Originally Posted by chrism01 (Post 3776338)
That's probably a slight misquote/mis-hear. U/L systems can't get MS(!) viruses, because MS binary executables won't run under Linux (unless inside e.g. Wine or e.g. VMWare) due to a completely different definition of what a binary executable looks like in Linux.
Something like 99% of the viruses in the wild are MS specific.

I don't remember the OP saying that *nix systems can get viruses designed for MS OSs. I read what he posted differently.

My answer to the OP would probably be that the two systems handle permissions very differently. One could also argue that the userbase for MS OSs is very large (with a generally ignorant population), which makes them easier to take advantage of. It can also be said that the codebase of MS products (ALL software) is large enough to where it is difficult to evaluate the code properly. Also, OSS has a VERY large pool of people that can peer review *nix code...any issues are usually discovered and fixed quickly (and with the least amount of red tape).

But here's something I just HAVE to share:

There IS malware that will attack *nix machines. Remember back in the day when someone released CodeRed and Nimda (Windows-based attacks that took advantage of holes within applications...Win32 software, but an example that this type of attack, in concept, will work on a Linux install)? That's a ways back, but not every attack will be kernel related. How about Lupper? OpenSSL worms? How about PHP-based attacks in general? A lot of these are automated (scripted). Although some of these examples of malware take advantage of misconfigurations, they are considered malware nonetheless. Look at the history of this forum and you can see a LOT of examples of *nix-based machines getting utterly compromised. Anything installed on a hard disk that is software may contain bugs. Simple buffer overflows can sometimes escalate privileges...it's not as simple as saying that Linux is invulnerable or less of a target. The only reason people think Linux is less exposed is because MS is scrutinized more, they're well-known (my mom doesn't know WTF Linux is but she definitely knows what "Windows" is), and because MS has a majority of the market share, it's almost too easy to target the company. If I had a fishing net and saw a large school of fish in a lake, my chance of catching dinner would be far greater than homing in on the one fish at the edge of the lake.

Just my thoughts...

varshovi 12-02-2009 02:11 PM

check for rootkits
 
While the discussion by friends here seems complete (about taking care of permissions and so on) to reduce the risk of viruses, I also recommend you two open source tools:

1. chkrootkit, available at http://www.chkrootkit.org/
which is a shell script to detect known rootkits.

2. OSSEC, available at http://www.ossec.net/ which is a host-based IPS/integrity checker if you need extra control over your system security.

Regards.
