LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Articles > Jeremy's Magazine Articles
User Name
Password

Notices


By jeremy at 2004-07-03 13:42
TECH SUPPORT
Finding Rootkits, Infections, and Files
by Jeremy Garcia

Last month's "Tech Support" showed you how to monitor filesystem changes with Tripwire, a handy system utility that alerts you to all filesystem changes. Like SNORT and others, Tripwire's just one of many practical security measures that minds your system 24/7.

Another sentry tool is chkrootkit, a free utility that can detect rootkits, loadable kernel modules, worms, and other nefarious cracker tools. (A rootkit is a collection of tools used to mask intrusion, obtain administrator-level access and, install a backdoor on a target computer. A loadable kernel module, or LKM, is a piece of code that's loaded directly into the Linux kernel.) chkrootkit uses digital signatures to detect over fifty known rootkits and LKMs. It also uses some simple heuristics -- looking for hidden processes, hidden directories, and a few other simple checks -- to attempt to detect unknown kits.

chkrootkit is maintained by Nelson Murilo and is available from http://www.chkrootkit.org. After downloading the latest version of chkrootkit, verify the MD5 checksum, and unpack the tarball. Then type make sense in the build directory. After the build's complete, run the program by typing ./chkrootkit. You'll have to be root to run the chkrootkit tools.

By default, chkrootkit is quite verbose. You can use the -q flag to only output messages that indicate an "infection." Another useful flag is -p, which allows you to specify a path to the supplemental, external programs that chkrootkit uses. Running the external commands from a read-only media ensures that chkrootkit itself hasn't been tampered with.

Once you have everything working to your liking, run chkrootkit via cron using a command similar to...

Code:
0 3 * * * (cd /path/to/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output" root)
Like any security program, the output of chkrootkit needs to be examined and interpreted to be useful. For example, chkrootkit may give output such as INFECTED (PORTS: 1999). While this may be a result of the Transcout backdoor, it may just be that a program that uses random ports greater than port 1023 is using the port.

Always a Good find

A few months back, "Tech Support" presented slocate as a replacement for the brute-force find /

by deloptes on Sun, 2004-07-04 05:24
The offer for discussion seams interesting to me, as I support few servers in my town - all of them using debian.

One of those machines is set up with knoppix 3.2 from which I removed a lot of stuff that was not needed, so afterwards few months later I ran chkrootkit on it and it says there is probably LKM attack as 4 Processes are hidden from the ps command.

And really when I ps -A I don't see process numbers
1 ? 00:00:10 init
2 ? 00:00:00 keventd
0 ? 00:00:00 ksoftirqd_CPU0
0 ? 00:00:00 kswapd
0 ? 00:00:00 bdflush
0 ? 00:00:01 kupdated

I read about this, that it should be a problem with multithereading on debian in some cases, but honestly I haven't had this problem on other debian system.

I suppose it has to do something with knoppix but I don't have a machine like this.

After I spent hours of checking logs and so, I concluded that there isn't anything wrong

What is your oppinion?

Are you aware of security issues with knoppix

Thanks

by jeremy on Sun, 2004-07-04 11:14
from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=222179

Quote:
That's a bug in chkrootkit. With the latest glibc and 2.6 kernel, the
threading model has changed. Threads no longer show up as individual
processes. Chkrootkit should be updated to work with the latest glibc
and 2.6 kernel (i.e. it should check /proc/<pid>/task too)
I don't see a fix posted there though. What version of chkrootkit are you running?

--jeremy

by deloptes on Mon, 2004-07-05 01:35
thanks jeremy
I see, but I am using the 2.4.22-xfs kernel on this machine that comes with knoppix

by unSpawn on Mon, 2004-07-05 19:00
Even tho I think this is somewhat OT, 0.44-beta is just around the corner.
If all is well it will feature an improved threading aware chkproc.


  



All times are GMT -5. The time now is 04:52 PM.

Main Menu
Advertisement
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration