LinuxQuestions.org
Old 11-26-2003, 09:27 PM   #1
linuxgamer
Member
 
Registered: Sep 2003
Distribution: SuSE, Linspire, Fedora, RH Enterprise
Posts: 89

Rep: Reputation: 15
Trojans or backdoors?


Let's say I install an unknown malicious script
or installation file.

Are there any programs that I can install that will help
me to detect outbound Trojans or backdoors?

Are there any programs that show which “program” is accessing
“xx” ports to IPs (x.x.x.x)?
 
Old 11-26-2003, 09:33 PM   #2
Demonbane
LQ Guru
 
Registered: Aug 2003
Location: Sydney, Australia
Distribution: Gentoo
Posts: 1,796

Rep: Reputation: 47
try netstat
 
Old 11-28-2003, 04:11 PM   #3
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,696

Rep: Reputation: 232
'netstat' and 'netstat -l', to be precise. First one shows you current connections, second one listening services on your machine.
 
Old 11-28-2003, 04:55 PM   #4
mac_phil
Member
 
Registered: Sep 2003
Distribution: Mandrake 10.0
Posts: 200

Rep: Reputation: 30
Tripwire, snort, chkrootkit.
 
Old 11-28-2003, 05:23 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Wrt the "netstat" thing, also see "lsof -i".

Is there any programs that I can install that will help me to detect outbound Trojans or backdoors?
This question is a bit harder to answer, so bear with me for a minute. It's harder, but not impossible, because you need to match network traffic or sockets to running applications and their fingerprint. For instance Chkrootkit uses a static list of ports to match against netstat output. Changing the port and recompiling and intercepting system calls are just two ways to thwart detection, and because Chkrootkit won't check the integrity of any running binary and match it against a "known good" list, running a perfectly sane application on a known trojan port, say TCP/5002 (Linux Rootkit 4) will trip the alarms as well. For matching in/outbound network traffic to "suspect behaviour" you will need the capability to sift through traffic looking for signs. Best example of course is Snort. You could suggest Netfilter/Iptables also got string match support etc etc, but it's most likely those features are still experimental and besides Snort is built for that task. There are two main problems with this. One, like Chkrootkit, Snort is as good as its signature set. Second, if there's no traffic, there's nothing to match, even if a rootshell is offered. There have been some threads on LQ about "ZoneAlarm for Linux" (search LQ, they're a good read), but nothing resulted in anyone building one. So, how to shield against and detect trojans or rootshells?

Secure, harden. Take away possibilities for compromise:
Never install and run what you don't need NOW, especially network applications and applications that are exposed to (un/less controllable) (public) access. Harden. For the applications you need to run, limit or restrict access to specific accounts, IP addresses or ranges, remove script leftovers from a default install, use TCP wrappers (/etc/hosts.{deny,allow}) and the firewall to regulate access. Remove options for anonymous access and use chroots where possible. Use a hardening kit if possible, like Bastille-Linux, SASTK or MSEC. If you're using ext2/3, set the immutable bit on crucial system binaries and configs. Mount partitions with restrictive mountflags. Remove module loading capabilities using Lcap. Use LIDS or Grsecurity to restrict access applications have to the system.

Log, audit:
Make extensive use of application and syslog logging. Check your logs regularly. Regularly run an integrity scanner like Aide, Samhain or tripwire (or Osiris, Integrit, Viper etc etc). Most likely they will find "rogue" files on the system that are an indication of unwanted activity. Regularly run specific O.S. checkers like Tiger and Chkrootkit. Log in and outbound traffic on the firewall. Deploy an IDS.

Restrict more:
Key is, all applications are run under a user account, be it root, lesser-privileged ones or unprivileged ones. The Grsecurity(.net) kernel patch gives you (amongst many other things) a means to deny a user or group access to network client, server or all sockets.

...and more:
Enter Systrace and Syscalltrack. Systrace being the more actively and prominently developed one, both give you the ability to detect application system call usage and bind actions to it. Systrace also has a GTK admin alert utility, and in that respect it's the only piece of SW I've seen that remotely resembles ZoneAlarm-like features (if you can compare them, that is).



So, is it hard to protect and detect Trojans or backdoors? No, but it takes time reading, compiling, configuring, testing and more configuring. Is it worth it? That depends on how much you value the time you already invested in setting up your box, configuring and trusting it with your and other people's data.
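Added example, not part of the post above or of any tool named in this thread: matching sockets to the programs that own them, which is what `netstat -p` and `lsof -i` report, and why a static port list alone flags a sane application on TCP/5002. The socket table and the inode-to-process map are constructed samples, and both program paths are hypothetical.

```python
import os, re, socket, struct

STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}
SUSPECT_PORTS = {5002}  # the static-list port named in the post above

# Constructed sample in /proc/net/tcp format, not captured from a real host.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:138A 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40001 1
   1: 0500000A:C350 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 40002 1
"""
# Constructed inode -> (pid, executable) map; both programs are hypothetical.
SAMPLE_OWNERS = {"40001": (812, "/usr/local/bin/mediaserver"),
                 "40002": (977, "/usr/bin/wget")}

def decode_addr(field):
    """'0500000A:C350' -> ('10.0.0.5', 50000); IPv4 as on little-endian hosts."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def socket_owners(proc="/proc"):
    """Map socket inode -> (pid, exe) from /proc/<pid>/fd; needs root to see all."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                m = re.match(r"socket:\[(\d+)\]", os.readlink(f"{proc}/{pid}/fd/{fd}"))
                if m:
                    owners[m.group(1)] = (int(pid), exe)
        except OSError:
            continue  # process exited or permission denied
    return owners

def attribute(table, owners):
    """Join each socket row with its owning process and the port-list verdict."""
    rows = []
    for line in table.splitlines()[1:]:  # skip the header row
        f = line.split()
        local, remote = decode_addr(f[1]), decode_addr(f[2])
        pid, exe = owners.get(f[9], (None, "unknown"))
        rows.append({"local": local, "remote": remote, "state": STATES.get(f[3], f[3]),
                     "pid": pid, "exe": exe, "port_list_hit": local[1] in SUSPECT_PORTS})
    return rows

if __name__ == "__main__":
    for row in attribute(SAMPLE, SAMPLE_OWNERS):
        print(row)
```

On a live host, run `attribute(open("/proc/net/tcp").read(), socket_owners())` as root; the `exe` column tells you which binary to verify with an integrity scanner before trusting or dismissing a port-list hit.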
 
Old 12-02-2003, 03:01 AM   #6
linuxgamer
Member
 
Registered: Sep 2003
Distribution: SuSE, Linspire, Fedora, RH Enterprise
Posts: 89

Original Poster
Rep: Reputation: 15
I am such a newbie, Zone Alarm for Linux would be nice. :P
 
Old 01-04-2004, 02:06 AM   #7
AceTech747
Member
 
Registered: Nov 2003
Distribution: RH 9.0
Posts: 144

Rep: Reputation: 15
I am new to linux too. I have found firestarter to be similar to Zone Alarm. FireStarter builds your firewall as people try and hit your computer. Actually I am not really familiar with it all. I am not sure if there is a better program for this. If someone wants to implement on this please do so because I would like to learn more on the subject too. One difference between the Firestarter and Zone Alarm is that the Zone Alarm is more program orientated and the Firestarter is more IP and Port orientated.
 
Old 01-04-2004, 09:42 PM   #8
philb2k
LQ Newbie
 
Registered: May 2003
Posts: 10

Rep: Reputation: 0
Having just installed Mandrake 9.2, I found and am using Guarddog which equates the ports to applications installed on the machine. (I've just come from the Windows / Zonealarm world too!)

regards,

Phil
 