Old 11-26-2003, 10:27 PM   #1
Registered: Sep 2003
Distribution: SuSE, Linspire, Fedora, RH Enterprise
Posts: 89

Rep: Reputation: 15
Trojans or backdoors?

Let's say I install an unknown malicious script
or installation file.

Are there any programs that I can install that will help
me to detect outbound Trojans or backdoors?

Are there any programs that report that "program" is accessing
"xx" ports to IPs (x.x.x.x)?
Old 11-26-2003, 10:33 PM   #2
LQ Guru
Registered: Aug 2003
Location: Sydney, Australia
Distribution: Gentoo
Posts: 1,796

Rep: Reputation: 47
Try netstat.
Old 11-28-2003, 05:11 PM   #3
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,683

Rep: Reputation: 219
'netstat' and 'netstat -l', to be precise. First one shows you current connections, second one listening services on your machine.
Old 11-28-2003, 05:55 PM   #4
Registered: Sep 2003
Distribution: Mandrake 10.0
Posts: 200

Rep: Reputation: 30
Tripwire, snort, chkrootkit.
Old 11-28-2003, 06:23 PM   #5
Registered: May 2001
Posts: 29,394
Blog Entries: 55

Rep: Reputation: 3565
Wrt the "netstat" thing, also see "lsof -i".

"Are there any programs that I can install that will help me to detect outbound Trojans or backdoors?"

This question is a bit harder to answer, so bear with me for a minute. It's harder, but not impossible, because you need to match network traffic or sockets to running applications and their fingerprint. For instance Chkrootkit uses a static list of ports to match against netstat output. Changing the port and recompiling and intercepting system calls are just two ways to thwart detection, and because Chkrootkit won't check the integrity of any running binary and match it against a "known good" list, running a perfectly sane application on a known trojan port, say TCP/5002 (Linux Rootkit 4), will trip the alarms as well.

For matching in/outbound network traffic to "suspect behaviour" you will need the capability to sift through traffic looking for signs. Best example of course is Snort. You could suggest Netfilter/Iptables also got string match support etc etc, but it's most likely those features are still experimental and besides Snort is built for that task. There are two main problems with this. One, like Chkrootkit, Snort is as good as its signature set. Second, if there's no traffic, there's nothing to match, even if a rootshell is offered.

There have been some threads on LQ about "ZoneAlarm for Linux" (search LQ, they're a good read), but nothing resulted in anyone building one. So, how to shield against and detect trojans or rootshells?

Secure, harden. Take away possibilities for compromise:
Never install and run what you don't need NOW, especially network applications and applications that are exposed to (un/less controllable) (public) access. Harden. For the applications you need to run, limit or restrict access to specific accounts, IP addresses or ranges, remove script leftovers from a default install, use TCP wrappers (/etc/hosts.{deny,allow}) and the firewall to regulate access. Remove options for anonymous access and use chroots where possible. Use a hardening kit if possible, like Bastille-Linux, SASTK or MSEC. If you're using ext2/3, set the immutable bit on crucial system binaries and configs. Mount partitions with restrictive mount flags. Remove module loading capabilities using Lcap. Use LIDS or Grsecurity to restrict the access applications have to the system.

Log, audit:
Make extensive use of application and syslog logging. Check your logs regularly. Regularly run an integrity scanner like Aide, Samhain or Tripwire (or Osiris, Integrit, Viper etc etc). Most likely they will find "rogue" files on the system that are an indication of unwanted activity. Regularly run specific O.S. checkers like Tiger and Chkrootkit. Log inbound and outbound traffic on the firewall. Deploy an IDS.

Restrict more:
Key is, all applications are run under a user account, be it root, lesser-privileged ones or unprivileged ones. The Grsecurity(.net) kernel patch gives you (amongst many other things) a means to deny a user or group access to network client, server or all sockets.

...and more:
Enter Systrace and Syscalltrack. Systrace being the more actively and prominently developed one, both give you the ability to detect application system call usage and bind actions to it. Systrace also has a GTK admin alert utility, and in that respect it's the only piece of SW I've seen that remotely resembles ZoneAlarm-like features (if you can compare them, that is).

So, is it hard to protect and detect Trojans or backdoors? No, but it takes time reading, compiling, configuring, testing and more configuring. Is it worth it? That depends on how much you value the time you already invested in setting up your box, configuring and trusting it with your and other people's data.
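
The socket-to-program matching that post #5 describes, as an added example that is not part of the original post and not code from any tool named in it: it parses `/proc/net/tcp`-format data, ties each socket to its owning executable through `/proc/<pid>/fd`, and contrasts a static port list with a per-program check. The sample rows, inode numbers, paths, the `KNOWN_GOOD` allowlist and all function names are constructed for illustration; a little-endian host is assumed, and a real check would compare the binary's hash against an integrity database rather than its path.

```python
import os, socket, struct

STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}
TROJAN_PORTS = {5002}  # static port list; 5002 is the example from the post
KNOWN_GOOD = {"/usr/sbin/sshd", "/usr/sbin/httpd"}  # hypothetical allowlist

# Constructed sample in /proc/net/tcp format (little-endian host assumed).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:138A 00000000:0000 0A 00000000:00000000 00:00000000 00000000    48        0 1002
   2: 00000000:9C40 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1003
   3: 0A0200C0:C350 076433C6:0050 01 00000000:00000000 00:00000000 00000000  1000        0 1004
"""
# Constructed inode -> executable map; inode_owners() builds the real one.
SAMPLE_OWNERS = {1001: "/usr/sbin/sshd", 1002: "/usr/sbin/httpd",
                 1003: "/tmp/unknown", 1004: "/tmp/unknown"}

def decode(hexaddr):
    ip, port = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip, 16))), int(port, 16)

def parse_proc_net_tcp(text):
    rows = []
    for line in text.splitlines()[1:]:  # skip the column header
        f = line.split()
        if len(f) >= 10:
            rows.append({"local": decode(f[1]), "remote": decode(f[2]),
                         "state": STATES.get(f[3], f[3]), "inode": int(f[9])})
    return rows

def inode_owners():
    """Map socket inode -> executable via /proc/<pid>/fd (root needed for other users)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            for fd in os.listdir(f"/proc/{pid}/fd"):
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
                if target.startswith("socket:["):
                    owners[int(target[8:-1])] = exe
        except OSError:
            continue  # process exited or permission denied
    return owners

def audit(rows, owners):
    """Per socket: (local port, state, exe, port-list alarm, unknown program)."""
    return [(r["local"][1], r["state"], owners.get(r["inode"], "?"),
             r["local"][1] in TROJAN_PORTS,
             owners.get(r["inode"], "?") not in KNOWN_GOOD) for r in rows]
```

On a live Linux host, `audit(parse_proc_net_tcp(open("/proc/net/tcp").read()), inode_owners())` runs the same comparison against real sockets. With the sample data, the port list raises an alarm only for the known-good program on 5002 and stays silent on both sockets owned by the unknown binary, which is the weakness the post points out.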
Old 12-02-2003, 04:01 AM   #6
Registered: Sep 2003
Distribution: SuSE, Linspire, Fedora, RH Enterprise
Posts: 89

Original Poster
Rep: Reputation: 15
I am such a newbie, Zone Alarm for Linux would be nice. :P
Old 01-04-2004, 03:06 AM   #7
Registered: Nov 2003
Distribution: RH 9.0
Posts: 144

Rep: Reputation: 15
I am new to Linux too. I have found Firestarter to be similar to Zone Alarm. Firestarter builds your firewall as people try and hit your computer. Actually I am not really familiar with it all. I am not sure if there is a better program for this. If someone wants to implement on this please do so because I would like to learn more on the subject too. One difference between Firestarter and Zone Alarm is that Zone Alarm is more program orientated and Firestarter is more IP and port orientated.
Old 01-04-2004, 10:42 PM   #8
LQ Newbie
Registered: May 2003
Posts: 10

Rep: Reputation: 0
Having just installed Mandrake 9.2, I found and am using Guarddog which equates the ports to applications installed on the machine. (I've just come from the Windows / Zonealarm world too!)



