LinuxQuestions.org
Mandriva This Forum is for the discussion of Mandriva (Mandrake) Linux.

Old 06-17-2007, 11:13 PM   #1
ferrel
Member
 
Registered: Feb 2007
Location: Pasadena, Texas
Distribution: Slackware 14.0
Posts: 137

Rep: Reputation: 3
shorewall process


Mandriva 2007.0 on x86_64.
I recently recovered from a rootkit attack (at least I think that's
what it was), and I'm now completely paranoid about securing my computer. Quite frankly, I'm not even sure that I've actually
recovered from that. I reinstalled the OS, and reformatted all
partitions except the /home partition. I've been trying to
determine if I made a mistake by not formatting that as well.

I was looking at the System Services menu in Configure your
Computer. I have the services iptables, snortd, and shorewall
all checked to startup at boot. Only shorewall is shown to
be running in the System Services menu.

However, when I look at running processes (ps aux and System Guard)
snort is running, but there is nothing that looks like a
shorewall process. I'm very concerned about this. How else
can I determine if it is actually running? Is it running?
Thanks.
Ferrel
 
Old 06-18-2007, 01:23 AM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
I have not used shorewall, but from its website:

Quote:
The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements.
So it sounds like it would arrange for the setup of the firewall rules (probably at boot time), but there would be no ongoing process for you to observe with ps. The firewall is part of the kernel. You can use iptables to see what firewall rules are in place (and make sure they are there!):

Code:
iptables -nvL
iptables -t nat -nvL
iptables -t mangle -nvL
The above commands need to be run as root. Unless you are doing something fancy, the tables for the last two rules will probably be empty; the real filtering work is in the tables the first command looks at. You may need to pipe the output into a pager such as less. I have shown the commands the way I usually use them with verbose (-v) and numerical output (-n), which suppresses reverse DNS lookups.
 
Old 06-18-2007, 07:42 AM   #3
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 234
I think blackhole54 is right -- I just ran
Code:
ps aux |less -S
on my firewall, then I searched both for "netf" (netfilter) & "ipt" (iptables) -- nada. So I agree, the easiest way to see what Shorewall has done is to list your rules. If you use less, I would recommend adding the "-S" option to unwrap long lines (the hor. arrow keys then scroll also).
Code:
(iptables -nvL
 iptables -t nat -nvL
 iptables -t mangle -nvL
) | less -S
or if you want to get fancy:
Code:
(echo -e     " FILTER\n"; iptables -nvL
 echo -e "\n\n NAT\n";    iptables -nvL -t nat
 echo -e "\n\n MANGLE\n"; iptables -nvL -t mangle
) | less -S
Note: I copied & pasted both blocks into my firewall & they worked as is.
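The point made in the two replies above (Shorewall leaves no daemon behind; the evidence that it ran is the rule set it programmed into Netfilter) can be turned into a check. The script below is an added example, not code from the thread or from the Shorewall project. It assumes the `-P`/`-N`/`-A` line format of `iptables -S` and summarises each chain's default policy and rule count; the two sample rule sets at the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread. Answers "is the firewall loaded?" by
# summarising the rule set rather than hunting for a Shorewall daemon (there
# is none: Shorewall exits after programming Netfilter). Input is the output
# of `iptables -S` (one -P/-N/-A line per policy, chain or rule), which this
# script assumes; on a live box run as root:  iptables -S | fw_summary

# Print each chain's default policy and rule count, plus a verdict line.
fw_summary() {
    awk '
        /^-P / { policy[$2] = $3 }         # built-in chain default policy
        /^-N / { user[$2] = 1 }            # user-defined chain (Shorewall makes many)
        /^-A / { rules[$2]++; total++ }    # one explicit rule appended to a chain
        END {
            for (c in policy)
                printf "chain %s: policy %s, %d rules\n", c, policy[c], rules[c] + 0
            for (c in user)
                printf "chain %s: user-defined, %d rules\n", c, rules[c] + 0
            if (total + 0 == 0)
                print "verdict: NO RULES LOADED, the firewall is effectively off"
            else
                printf "verdict: %d rules loaded\n", total
        }'
}

# Exit 0 when the filter table looks active: at least one rule, or a
# non-ACCEPT default policy on INPUT. Exit 1 for an empty, wide-open table.
fw_is_active() {
    awk '
        /^-P INPUT / { if ($3 != "ACCEPT") strict = 1 }
        /^-A /       { total++ }
        END          { if (total + 0 > 0 || strict) exit 0; exit 1 }'
}

# Constructed sample (not a real capture) shaped like a Shorewall filter table.
SAMPLE_ACTIVE='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N net2fw
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j net2fw
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p tcp --dport 22 -j ACCEPT
-A net2fw -j DROP'

# Constructed sample of the table you get when Shorewall never ran.
SAMPLE_EMPTY='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

printf '%s\n' "$SAMPLE_ACTIVE" | fw_summary
printf '%s\n' "$SAMPLE_EMPTY" | fw_summary
```

On a real system, `iptables -S | fw_summary | less -S` gives the same one-screen answer as the listings above, and `iptables -S | fw_is_active || echo 'firewall not loaded'` is the form to drop into a boot-time sanity check. Only the filter table is examined; the nat and mangle tables are usually empty anyway, as blackhole54 notes.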
 
Old 06-18-2007, 10:15 AM   #4
MoMule
Member
 
Registered: Jul 2006
Posts: 134

Rep: Reputation: 15
Run:
Code:
service shorewall checkconfig
to look for errors.

Take a look at your /etc/shorewall/ files and see if all is configured correctly.

I would suggest you double-check your system. The only time I had a break-in was through an end user's account. The outside bad guy tried to install a rootkit under the end user's credentials, which really hosed up the system. The files I found were mostly located inside the /home/enduser's directory.

Are you running rkhunter?

Deion "Mule" Christopher
 
Old 06-18-2007, 04:10 PM   #5
ferrel
Member
 
Registered: Feb 2007
Location: Pasadena, Texas
Distribution: Slackware 14.0
Posts: 137

Original Poster
Rep: Reputation: 3
shorewall process

Thanks very much! I ran these commands and the
firewall is running.
I have snort and clamd running, although the clamd
is out of date, apparently. It is when I was trying
to interpret snort output that I became worried if
shorewall was even running or not.
If I install RKHunter now, will it still detect a
root kit if my system is compromised? I'm going
to try it now.
I can see that I've not taken security issues
seriously enough.
Thanks!
Ferrel
 
Old 06-18-2007, 04:42 PM   #6
ferrel
Member
 
Registered: Feb 2007
Location: Pasadena, Texas
Distribution: Slackware 14.0
Posts: 137

Original Poster
Rep: Reputation: 3
shorewall process

I just installed rkhunter and ran a scan!
It was very easy (quite unexpected). There
were No Vulnerabilities reported.

There was one interesting log entry:

[16:24:13] Info: kernel is 2.6
[16:24:13] Info: Found /etc/mandrake-release
[16:24:13] Warning: This operating system is not fully supported!
[16:24:13] All MD5 checks will be skipped!
[16:24:13] Info: Full OS name = Mandriva Linux release 2007.0 (Official) for x86_64

What is the nature of this entry?

Also, in the scan output, I saw mention of the
word adore but not an actual entry for adore-ng.
Does rkhunter scan for adore-ng?

Thanks for the help.
Ferrel
 
Old 06-18-2007, 08:09 PM   #7
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by ferrel
If I install RKHunter now, will it still detect a
root kit if my system is compromised?
Disclaimer: I have not run RKHunter either. (I am somewhat familiar with chkrootkit)

One thing you should be aware of when using any tool that checks for rootkits is that you cannot trust the standard commands (ls, ps, netstat, etc.) on a potentially compromised system because the rootkit may have replaced these commands with something that hides the rootkit's presence. This, of course, makes looking for rootkits quite tricky. That doesn't mean running a rootkit checker on a normal running system is totally pointless -- it still may find something. It just means that you can't trust a report of a clean bill of health. If the system is already down, you can use a live CD to use guaranteed good binaries (although you lose the ability to check running processes). I'll leave it to others more knowledgeable to go into details on other ways of handling this. I just wanted to alert you to the problem.
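One concrete way to act on the warning above, as an added example that is not part of the thread: compare what the (possibly replaced) ps binary reports with what the kernel exposes under /proc. A trojaned ps can drop PIDs from its own output but cannot remove their /proc directories, so a mismatch is a lead; a kernel-level rootkit can hide from /proc too, so a match is not a clean bill of health. The script assumes a procps-style `ps -e -o pid=`; the comparison itself is a pure function so it can be exercised on constructed PID lists.

```shell
#!/bin/sh
# Added example, not from the thread. Cross-checks two independent views of
# the process table: what the ps binary reports versus what the kernel
# exposes as numeric directories under /proc. A user-space rootkit that
# replaces ps hides PIDs from its output but cannot remove them from /proc,
# so a disagreement is a lead worth chasing. A kernel-level rootkit can hide
# from /proc as well, so agreement proves nothing. Assumes `ps -e -o pid=`.

# Pure comparison, so it can be tested on constructed lists: print the PIDs
# in the reference list ($1) that are absent from the list under test ($2).
# Both arguments are whitespace-separated. Returns 1 if any PID is missing.
pids_missing_from() {
    under=$(printf '%s' "$2" | tr '\n' ' ')
    missing=''
    for p in $1; do
        case " $under " in
            *" $p "*) ;;                        # seen by both views
            *) missing="$missing $p" ;;         # kernel knows it, ps does not
        esac
    done
    printf '%s\n' "${missing#?}"                # drop the leading separator
    [ -z "$missing" ]
}

# PIDs as the kernel reports them (every all-digit entry in /proc).
proc_pids() {
    ls /proc | grep -E '^[0-9]+$'
}

# PIDs as the ps binary reports them.
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# Snapshot both views and report. Processes that exit between the two
# snapshots show up as false positives, so re-run before drawing conclusions.
check_hidden_processes() {
    if hidden=$(pids_missing_from "$(proc_pids)" "$(ps_pids)"); then
        echo "ps and /proc agree on $(proc_pids | wc -l) processes"
    else
        echo "PIDs present in /proc but not shown by ps: $hidden"
        return 1
    fi
}

# Run the live check only when asked, e.g.:  sh hidden_pids.sh --live
if [ "${1:-}" = "--live" ]; then
    check_hidden_processes
fi
```

Run it a couple of times, since short-lived processes that exit between the /proc and ps snapshots will appear once and vanish on the next run; a PID that is reported missing every time is the one to look at (its `/proc/PID/exe` and `/proc/PID/cmdline` can be read without trusting ps). As blackhole54 says, the only fully trustworthy binaries are the ones on a live CD, and this check adds a second opinion rather than replacing that advice.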
 
Old 06-19-2007, 02:47 AM   #8
ernie
Senior Member
 
Registered: Nov 2001
Location: Toledo, Ohio - USA
Distribution: Mageia 1
Posts: 1,079
Blog Entries: 4

Rep: Reputation: 70
I use rkhunter here because I believe it does an excellent job. I use the following commands in a cron.daily script
Code:
#!/bin/bash
rkhunter --versioncheck
rkhunter --update
rkhunter -c --quiet --cronjob --report-warnings-only --createlogfile /var/log/rkhunter.log
The first command checks that the current version is installed.
The second command checks that six databases are up to date.
The third command scans my system and creates a log file which I check regularly. To see what switches are available, use
Code:
rkhunter --help
You report the following error:
Quote:
Warning: This operating system is not fully supported!
It means the os.dat file contains no information for your distribution release. You can update os.dat for your system by running the following command as root:
Quote:
hashupd.sh
rkhunter is only one of several layers in your system's security. I also use tripwire (an intrusion detection software). Mandriva comes with msec (a security configuration utility) which allows you to configure many security settings by choosing a security level and an interactive firewall. Finally, a good backup routine will go a long way to reduce your losses in the event of tragedy. I keep an initial image set here. I create a new image set monthly, and run an automated daily incremental backup to catch changed files between monthly imaging sessions. Your needs may differ from mine, so arrange your backup routine to meet your needs.

HTH,
 
  

