LinuxQuestions.org
Old 08-30-2017, 05:54 AM   #1
suvendu nayak
LQ Newbie
 
Registered: Jul 2017
Posts: 1

Rep: Reputation: Disabled
security


How to Check for Rootkit Infections?
 
Old 08-30-2017, 06:10 AM   #2
jsbjsb001
Senior Member
 
Registered: Mar 2009
Location: Earth, unfortunately...
Distribution: Currently: OpenMandriva. Previously: openSUSE, PCLinuxOS, CentOS, among others over the years.
Posts: 3,869

Rep: Reputation: 2049
Quote:
Originally Posted by suvendu nayak View Post
How to Check for Rootkit Infections?
Install rkhunter.
 
Old 08-30-2017, 07:43 AM   #3
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 23,806

Rep: Reputation: 6973
Quote:
Originally Posted by suvendu nayak View Post
How to Check for Rootkit Infections?
Read the "Question Guidelines" link in my posting signature. We're happy to help you with specific problems/questions, but you need to do basic research first. Putting your exact post into Google will give you many answers.

If you have trouble installing/using any of those tools, THEN it is time to post a question. But just asking us to look things up for you is fairly rude.
 
Old 08-30-2017, 08:49 AM   #4
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,139
Blog Entries: 4

Rep: Reputation: 3227
But also: there is no such thing as an "infection." A computer is not a biologic organism. You can catch a cold by walking into the wrong elevator. Malware is an act of human malice ... augmented by owner carelessness.

To manage to install a root-kit, someone previously compromised your machine completely, and this possibility is very easily avoided. For instance: don't expose ssh directly to the outside world at all! Use OpenVPN with tls-auth and one-of-a-kind digital certificates, and marauders who are searching for "open ports," or for OpenVPN instances, will find ... nothing. Your authorized users will pass easily through the tunnel – and you will know every one of them by name – while no one else can discover it. Only users who have passed through the tunnel will be able to reach ssh or anything else.

Last edited by sundialsvcs; 08-30-2017 at 08:51 AM.
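The tunnel-only layout sundialsvcs describes, as an added example that is not part of the original thread and not OpenVPN's or OpenSSH's own code: two small POSIX shell checks that lint an OpenVPN server.conf for tls-auth (or its successor tls-crypt), per-client certificates (no duplicate-cn) plus a CRL, and an sshd_config that listens only on the tunnel address. The paths under /etc/openvpn, the 10.8.0.0/24 tunnel subnet and the 10.8.0.1 listen address are assumptions, and the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: lint the "ssh only through the tunnel"
# layout. Paths under /etc/openvpn, the 10.8.0.0/24 tunnel subnet and the
# 10.8.0.1 listen address are assumptions for the demonstration.

# check_openvpn_conf FILE: return 0 if server.conf has what the setup needs.
check_openvpn_conf() {
    conf="$1"; rc=0
    # tls-auth (or its successor tls-crypt) makes OpenVPN drop any control
    # packet without a valid HMAC, so a port scan sees no reply at all.
    if ! grep -Eq '^(tls-auth|tls-crypt) ' "$conf"; then
        echo "missing: tls-auth/tls-crypt"; rc=1
    fi
    # Each client must present a certificate our CA signed for client use.
    if ! grep -q '^remote-cert-tls client' "$conf"; then
        echo "missing: remote-cert-tls client"; rc=1
    fi
    # duplicate-cn would let one certificate be shared; "one-of-a-kind"
    # certificates mean it must be absent so every user is known by name.
    if grep -q '^duplicate-cn' "$conf"; then
        echo "forbidden: duplicate-cn"; rc=1
    fi
    # A CRL lets a lost laptop's certificate be revoked without a new CA.
    if ! grep -q '^crl-verify ' "$conf"; then
        echo "missing: crl-verify"; rc=1
    fi
    return "$rc"
}

# check_sshd_conf FILE [TUN_ADDR]: return 0 if sshd binds only the tunnel
# address, so it is unreachable from the Internet-facing interface.
check_sshd_conf() {
    conf="$1"; tun_addr="${2:-10.8.0.1}"
    tun_re=$(printf '%s' "$tun_addr" | sed 's/\./\\./g')   # literal dots
    # "|| true" keeps a zero count from aborting a caller running set -e.
    n_total=$(grep -c '^ListenAddress ' "$conf" || true)
    n_tun=$(grep -c "^ListenAddress ${tun_re}\$" "$conf" || true)
    # At least one ListenAddress, and every one of them the tunnel address.
    [ "$n_total" -ge 1 ] && [ "$n_total" -eq "$n_tun" ]
}

# Constructed sample config for the demonstration (not a real deployment).
write_hardened_openvpn() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0
remote-cert-tls client
crl-verify /etc/openvpn/crl.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
EOF
}

# The weak variant: no HMAC on the control channel, shared certificates allowed.
write_weak_openvpn() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
duplicate-cn
server 10.8.0.0 255.255.255.0
EOF
}
```

Run it as `check_openvpn_conf /etc/openvpn/server.conf && check_sshd_conf /etc/ssh/sshd_config` after every config change; pair the sshd check with a firewall rule that drops port 22 on the public interface, since `ListenAddress` alone does not survive someone later adding a second one.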
 
Old 11-09-2017, 04:48 AM   #5
aidylewis
LQ Newbie
 
Registered: Apr 2016
Posts: 25

Rep: Reputation: Disabled
I installed rkhunter 1.4.4, which looks like it searches for specific rootkits. I then installed the Reptile rootkit, which wasn't picked up.
https://github.com/f0rb1dd3n/Reptile
 
1 members found this post helpful.
Old 11-09-2017, 07:51 AM   #6
Aeterna
Member
 
Registered: Aug 2017
Location: Terra Mater
Distribution: VM Host: Slackware-current, VM Guests: Artix, Venom, antiX, Gentoo, FreeBSD, OpenBSD, OpenIndiana
Posts: 456

Rep: Reputation: Disabled
Quote:
Originally Posted by suvendu nayak View Post
How to Check for Rootkit Infections?
A lot of tools that require a lot of reading:
AIDE, Lynis, AFICK, Samhain, Tiger, ...

Quote:
Originally Posted by sundialsvcs View Post
But also: there is no such thing as an "infection." A computer is not a biologic organism. You can catch a cold by walking into the wrong elevator. Malware is an act of human malice ... augmented by owner carelessness.

To manage to install a root-kit, someone previously compromised your machine completely, and this possibility is very easily avoided. For instance: don't expose ssh directly to the outside world at all! Use OpenVPN with tls-auth and one-of-a-kind digital certificates, and marauders who are searching for "open ports," or for OpenVPN instances, will find ... nothing. Your authorized users will pass easily through the tunnel – and you will know every one of them by name – while no one else can discover it. Only users who have passed through the tunnel will be able to reach ssh or anything else.
No need to correct Merriam;
infecting of a computer virus: to become transmitted and copied to (a device, such as a computer)
https://www.merriam-webster.com/dictionary/infecting
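An added example, written for this thread and not taken from any poster or from rkhunter, AIDE or Samhain: the integrity-baseline approach the tools Aeterna lists rely on, in POSIX shell with GNU coreutils. It speaks to aidylewis's observation above that rkhunter 1.4.4 searches for specific, known rootkits, so a kit it has no entry for goes unnoticed; a baseline of SHA-256 hashes instead flags any changed, missing or new file under the watched tree, whatever its name. The watched directory and manifest path are assumptions, and the sample tree in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from AIDE/rkhunter: a minimal
# file-integrity baseline. The watched directory and manifest path are
# assumptions; MANIFEST must be an absolute path. Needs GNU coreutils.

# make_baseline DIR MANIFEST: record the SHA-256 of every regular file
# under DIR, with paths relative to DIR so the manifest can be checked
# later from a rescue system that mounts the disk somewhere else.
make_baseline() {
    dir="$1"; manifest="$2"
    (cd "$dir" && find . -type f -print0 | LC_ALL=C sort -z \
        | xargs -0 -r sha256sum) > "$manifest"
}

# check_baseline DIR MANIFEST: return 0 when the tree still matches.
# Prints one line per modified, missing or new file, then returns 1.
check_baseline() {
    dir="$1"; manifest="$2"; rc=0
    # Modified or missing files: sha256sum -c reports each mismatch.
    if ! (cd "$dir" && sha256sum -c --quiet "$manifest"); then
        rc=1
    fi
    # New files: anything present now that the manifest does not list.
    # sha256sum lines are "<64 hex><2 spaces><path>", so paths start at col 67.
    tmp=$(mktemp -d)
    (cd "$dir" && find . -type f -print | LC_ALL=C sort) > "$tmp/current"
    cut -c67- "$manifest" | LC_ALL=C sort > "$tmp/listed"
    new=$(LC_ALL=C comm -13 "$tmp/listed" "$tmp/current")
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | sed 's/^/NEW: /'
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

Take the baseline right after installation, keep the manifest off the host (or on read-only media) so an intruder cannot rewrite it, and run the check from a rescue boot rather than the running system: a kernel-module rootkit of the Reptile kind can hide files and processes from `find` and `sha256sum` on the live machine, whereas the on-disk changes it made are visible to a known-good kernel.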
 
Old 11-09-2017, 08:26 AM   #7
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,139
Blog Entries: 4

Rep: Reputation: 3227
Quote:
Originally Posted by Aeterna
No need to correct Merriam;
infecting of a computer virus: to become transmitted and copied to (a device, such as a computer)
https://www.merriam-webster.com/dictionary/infecting
Although this has become "idiomatic enough to appear in the dictionary," the term is still fundamentally incorrect when applied to computers.

If you walk into the wrong elevator, after somebody sneezed, you could "catch" a cold or the flu. The RNA sequences in a biological virus are capable of trying to, on their own, replicate themselves into your own cell's DNA in order to transform them into virus-factories that subsequently make you sick until your immune system fights them off (or, until you die).

Rogue software, on its own, is quite incapable of this: it must first be executed, and then, once executing, it must find itself capable of doing its dirty deed. Total penetration of the boot sequence, such as to install root-level malware, requires that the user in whose name the code is executing has such privileges ... and, today, that mechanisms which (for this reason among others) now limit the once-unfettered prerogatives of "root" are not in place.

Thus, even if software that's designed to install a root-kit is "transmitted and copied to" your computer, it will simply sit there like any other file. If it is executed, and if you are at all paying attention, its attempted system-calls, without which it can do nothing, will simply fail with -EINVAL.

Yes, you do need to pay close attention to security. (For instance, "run strong ad-blockers!") But you should not be lured into thinking that malicious computer software is anything more than an opportunist. It won't – it can't – automatically appear on your computer due to the digital equivalent of walking into the wrong elevator.
 
Old 11-09-2017, 12:54 PM   #8
Aeterna
Member
 
Registered: Aug 2017
Location: Terra Mater
Distribution: VM Host: Slackware-current, VM Guests: Artix, Venom, antiX, Gentoo, FreeBSD, OpenBSD, OpenIndiana
Posts: 456

Rep: Reputation: Disabled
Quote:
Originally Posted by sundialsvcs View Post
Although this has become "idiomatic enough to appear in the dictionary," the term is still fundamentally incorrect when applied to computers.

If you walk into the wrong elevator, after somebody sneezed, you could "catch" a cold or the flu. The RNA sequences in a biological virus are capable of trying to, on their own, replicate themselves into your own cell's DNA in order to transform them into virus-factories that subsequently make you sick until your immune system fights them off (or, until you die).

Rogue software, on its own, is quite incapable of this: it must first be executed, and then, once executing, it must find itself capable of doing its dirty deed. Total penetration of the boot sequence, such as to install root-level malware, requires that the user in whose name the code is executing has such privileges ... and, today, that mechanisms which (for this reason among others) now limit the once-unfettered prerogatives of "root" are not in place.

Thus, even if software that's designed to install a root-kit is "transmitted and copied to" your computer, it will simply sit there like any other file. If it is executed, and if you are at all paying attention, its attempted system-calls, without which it can do nothing, will simply fail with -EINVAL.

Yes, you do need to pay close attention to security. (For instance, "run strong ad-blockers!") But you should not be lured into thinking that malicious computer software is anything more than an opportunist. It won't – it can't – automatically appear on your computer due to the digital equivalent of walking into the wrong elevator.
O.K.,
let's play:

two points -
1) word etymology
2) virus

ad 1)
The weakness of your fundamental argument lies in the fact that you just arbitrarily assume a specific meaning of the word (here: infection), not to mention that words tend to evolve to the point that they may acquire the opposite meaning to the original one or encompass a wider area of meaning. Plenty of examples.
So to make it short: unless you find a good reference that rejects computer infection and limits infection to living organisms only, Merriam-Webster is the better reference.

ad 2)
I am not sure where viruses came from, but this is a funny example: viruses are not recognized as living organisms. In fact one can regard a virus molecule as a set of programs that require host machinery to propagate, in a similar way to computer viruses.

I am generating viruses to re-program cells routinely. Just put together a few pieces of DNA, transfect cells and induce virus formation. Pretty simple.

So a virus is biological "rogue software" that can hijack host machinery and re-program it to produce new virions and send the message to the next cell/host. A virus must be "executed" to spread and do harm; otherwise you would have so-called carriers - plenty of examples - where the virus can do nothing and will not propagate.

To summarize: computer infection is a correct statement and there are references for this (not an arbitrary statement).
Your virus example is in fact the opposite argument to what you wish to make.

Last edited by Aeterna; 11-09-2017 at 01:03 PM.
 
Old 11-09-2017, 01:18 PM   #9
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,139
Blog Entries: 4

Rep: Reputation: 3227
... very interesting ... but entirely (first ...) "etymological," (then ...) "biological."

Absolutely none of which has the slightest relevance to digital hardware and software.

If my biological body inhales a biological virus, and does not fight it off, then I'm in trouble.

If my digital computer is exposed to a digital program, that digital program will ... if it manages to be executed at all ... do nothing more than attempt to do its dirty-work under whatever software privilege-levels it can manage to obtain.

However, here is the key difference:
  • A biological entity can initiate the nefarious process itself, thereby assuring its success unless(!) the immune-system actively neutralizes it.
  • A digital entity, "nefarious" or not, must somehow be acted upon, executed, and then, once it finds itself running as a process upon the target computer, must somehow be privileged(!) to do its dirty work.

Any digital file which "somehow happens to wander its way onto your computer" is in fact a very long way from actually doing damage ... unless it has exploited a back-door in some third-party piece of software that you adopted for your convenience.

For instance, I once had a server become "quite-thoroughly compromised" only because I was lazy: the server came "by easy default" in a configuration that was managed by Plesk, and, (fool that I was at the time ...) I felt time-pressured to neglect to use my good judgment. I wasn't paying attention. The attackers obviously did their dirty work by exploiting a hole in the Plesk configuration, about which of course I had no control. Their attack was obviously automated since it occurred within 48 hours of the server's deployment. "I never made that mistake again," and thereafter the "completely wiped-clean and Plesk-free" machine never presented any further problems.

Last edited by sundialsvcs; 11-09-2017 at 01:21 PM.
 
Old 11-09-2017, 03:32 PM   #10
Aeterna
Member
 
Registered: Aug 2017
Location: Terra Mater
Distribution: VM Host: Slackware-current, VM Guests: Artix, Venom, antiX, Gentoo, FreeBSD, OpenBSD, OpenIndiana
Posts: 456

Rep: Reputation: Disabled
Quote:
Originally Posted by sundialsvcs View Post
... very interesting ... but entirely (first ...) "etymological," (then ...) "biological."

Absolutely none of which has the slightest relevance to digital hardware and software.

If my biological body inhales a biological virus, and does not fight it off, then I'm in trouble.

If my digital computer is exposed to a digital program, that digital program will ... if it manages to be executed at all ... do nothing more than attempt to do its dirty-work under whatever software privilege-levels it can manage to obtain.

However, here is the key difference:
  • A biological entity can initiate the nefarious process itself, thereby assuring its success unless(!) the immune-system actively neutralizes it.
  • A digital entity, "nefarious" or not, must somehow be acted upon, executed, and then, once it finds itself running as a process upon the target computer, must somehow be privileged(!) to do its dirty work.

Any digital file which "somehow happens to wander its way onto your computer" is in fact a very long way from actually doing damage ... unless it has exploited a back-door in some third-party piece of software that you adopted for your convenience.

For instance, I once had a server become "quite-thoroughly compromised" only because I was lazy: the server came "by easy default" in a configuration that was managed by Plesk, and, (fool that I was at the time ...) I felt time-pressured to neglect to use my good judgment. I wasn't paying attention. The attackers obviously did their dirty work by exploiting a hole in the Plesk configuration, about which of course I had no control. Their attack was obviously automated since it occurred within 48 hours of the server's deployment. "I never made that mistake again," and thereafter the "completely wiped-clean and Plesk-free" machine never presented any further problems.
It has nothing to do with computer infection - whether you like it or not, this is the official definition, that is, Merriam-Webster's.

Digital information can be incorporated in DNA. Then you have another problem: not being able to see a difference between information medium and information.
You can write as many sentences as you like; as long as you do not provide a specific reference, this is going nowhere and your point of view is just that.
I would suggest forgetting about viruses. This is just not the example. This is not a place for lectures about viral mechanisms.
One more example - people are not dying because HIV kills; people are dying because they are compromised, and other pathogens (quite often not dangerous in non-compromised organisms) spread.

Quote:
If my digital computer is exposed to a digital program, that digital program will ... if it manages to be executed at all ... do nothing more than attempt to do its dirty-work under whatever software privilege-levels it can manage to obtain.
Information is information, nothing else. You are mixing information, information source, and information medium.

Just forget about viruses and infection. Both your definitions are wrong and the OP was correct in using the word infection as in the first post (plenty of similar uses on this forum).

Last edited by Aeterna; 11-09-2017 at 03:33 PM.
 