LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-03-2006, 05:06 AM   #1
ic_torres
Member
 
Registered: Nov 2005
Location: ABAP
Distribution: slackware 12.0, Vector Linux STD 6.0 and 5.8, ZenWalk 4.6.1, OpenBSD 3.9
Posts: 389

Rep: Reputation: 34
detecting a trojan attack : HELP


guys just want to ask, i have my clamAV updated always..but how can i assure that there is no threat of trojan in my box? any suggestions?
 
Old 02-03-2006, 05:35 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
install only trusted software...

Last edited by win32sux; 02-03-2006 at 05:38 AM.
 
Old 02-03-2006, 06:03 AM   #3
zaert
LQ Newbie
 
Registered: Jul 2005
Distribution: ubuntu, slackware
Posts: 21

Rep: Reputation: 15
you may check those rootkit checkers:
http://www.rootkit.nl/
http://www.chkrootkit.org/

Last edited by zaert; 02-03-2006 at 06:06 AM.
 
Old 02-03-2006, 06:12 AM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by zaert
you may check this:
http://www.rootkit.nl/
rootkit hunter is nice, but a rootkit is not the same thing as a trojan...

a rootkit is installed on a box after root privilages have been gained, with the main purpose being to maintain root access using any number of methods...

a trojan is simply an evil piece of software which is disguised as being legit (or inserted within legit software), and the main purpose of the trojan could be any number of things, none of which necessarily have to be root access related...

you won't be using rootkit hunter to check a package to see if it's trojaned...


PS: same applies to chkrootkit...
 
Old 02-03-2006, 06:13 AM   #5
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,501
Blog Entries: 2

Rep: Reputation: 68
Now can be late, but just after a fresh install you can run a software that checks the signatures of critical files. AIDE, Samhain, afik and tripwire are the most known in this class.

They helps you for detect alteration on critical files, both alteration and creation/deletation.

regards,
 
Old 02-03-2006, 07:38 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
how can i assure that there is no threat of trojan in my box?
The first thing is making sure chances of that happening are low or non-existing: this means properly hardening (and continuously upgrading from official sources) the box as a whole during and after installing the OS. Next to that you will have to install tools right after installing the OS that actively (prior to or during attempts) help you detect attempts: IDS like Snort, Prelude and active filesystem integrity checkers like Samhain. Next to that you have to install tools right after installing the OS that passively help you detect attempts and audit the system: Aide, tripwire, any distro package management system that allows verification, Tiger, Logwatch, etc, etc. Provided you continuously monitor and adjust the system where necessary that's a good basis to start on. Wanna learn more? Check out the LQ FAQ: Security references.


* If you don't have the above in place and you still want to be able to verify your system is clean I'd suggest booting a LiveCD like KNOPPIX, use your distro's package management system for verification if you can, then verify your system using Chkrootkit and Rootkit Hunter and finally manually verify anything outside the scope of the previous tools. Granted, that's a PITA, so now you know why you need to implement the stuff above.


// BTW: don't put "help" in your subject, it's annoying since we *know* you need help and we're all here to help anyway...
 
Old 02-03-2006, 07:38 AM   #7
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,501
Blog Entries: 2

Rep: Reputation: 68
I just found a document that can help you in selecting a file checker:
http://la-samhna.de/library/scanners.html
 
Old 02-04-2006, 03:23 PM   #8
ic_torres
Member
 
Registered: Nov 2005
Location: ABAP
Distribution: slackware 12.0, Vector Linux STD 6.0 and 5.8, ZenWalk 4.6.1, OpenBSD 3.9
Posts: 389

Original Poster
Rep: Reputation: 34
Quote:
Originally Posted by win32sux
install only trusted software...

sir i have clamAV and a firewall. . .do you think that its enough?

i found trojan scan in google, and also rootkit as mentioned.. do this stuff can help? thanks.. i really need some background with security at this time .
 
Old 02-06-2006, 09:35 AM   #9
ic_torres
Member
 
Registered: Nov 2005
Location: ABAP
Distribution: slackware 12.0, Vector Linux STD 6.0 and 5.8, ZenWalk 4.6.1, OpenBSD 3.9
Posts: 389

Original Poster
Rep: Reputation: 34
is it still possible to have a trojan attack even if i dont have a network? m just using my box as an ordinary desktop pc..
 
Old 02-06-2006, 01:03 PM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by ic_torres
sir i have clamAV and a firewall. . .do you think that its enough?
it depends... a lot of linux users don't even have a virus scanner and they still do just fine... and a lot of them have all kinds of scanners and they get owned (cracked) all the time... it's all relative to the activities one carries-out... just having clamav and a firewall is NOT enough - common sense is way more important than both of those put together... security is not a product, it is a process... there's no amount of tools you can download which will make you "secure"...

the most important steps are the basic ones... things like "keep your system patched" and "only install software from trusted sources" and "use common sense" will probably be just as useful as [ insert your favorite security tool here ] most of the time...

Quote:
i found trojan scan in google, and also rootkit as mentioned.. do this stuff can help?
i don't know what a trojan scan is... i assume it's a remote network scan that looks for suspicious open ports and stuff like that... yes, stuff like that is useful, it is - it's just that you don't wanna RELY on stuff like that exclusively... like the rootkit scanners, for example... they are good tools, cuz they might let you know when you've been OWNED, but the ideal thing to do is to take the necessary steps and implement the necessary procedures so as that you don't get the rootkit installed in your system *in the first place*...

a lot of people coming from windows have a hard time with this stuff, cuz they are used to going into all kinds of websites and downloading/installing all kindsa crap from all over the place... then they need all kindsa anti-whatever tools to try and clean-up their mess... a little common sense would have helped them way more than any number of anti-whatever tools... common sense is multi-platform...

Quote:
i really need some background with security at this time
well, this forum is a good place to start, so you already have a foot inside the door...

here's some links relative to the current discussion:

http://en.wikipedia.org/wiki/Trojan_horse_(computing)

http://en.wikipedia.org/wiki/Rootkit

you need to understand what trojans and rootkits are before you defend yourself from them... the same goes for worms and viruses:

http://en.wikipedia.org/wiki/Computer_worm

http://en.wikipedia.org/wiki/Computer_virus

and even spyware, etc: http://en.wikipedia.org/wiki/Spyware

Quote:
is it still possible to have a trojan attack even if i dont have a network? m just using my box as an ordinary desktop pc
look at the difinition for "trojan" at the link above:
Quote:
a Trojan horse is a malicious program that is disguised as legitimate software
there's no need for a network, the program could come on a floppy, a cd-rom, whatever media...

if a stanger walked into your office with a floppy and told you "please replace your iptables binaries with the ones i have on this floppy" would you do it?? no, probably not, because you don't TRUST this person... but if patrick volkerding puts a message out on his website asking you to upgrade your X.org program to the latest version he's uploaded because it fixes a security hole, would you do it?? yes, you probably would, because you trust mr. volkerding and you trust the developers at X.org. and even if you didn't trust mr. volkerding you could just use his build script and download the source directly from X.org and compile it yourself, and even if you are more paranoid you could hand the source over to a software auditing service and pay them to analyze the source code and tell you if there's any backdoors in there before you compile it... etc... etc...

Last edited by win32sux; 02-06-2006 at 03:57 PM.
 
Old 02-06-2006, 03:54 PM   #11
ic_torres
Member
 
Registered: Nov 2005
Location: ABAP
Distribution: slackware 12.0, Vector Linux STD 6.0 and 5.8, ZenWalk 4.6.1, OpenBSD 3.9
Posts: 389

Original Poster
Rep: Reputation: 34
hmm so basically, as what iv read on the site given, i really should download packages from TRUSTED websites and/or the application's website.
 
Old 02-06-2006, 04:08 PM   #12
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by ic_torres
hmm so basically, as what iv read on the site given, i really should download packages from TRUSTED websites and/or the application's website.
yup, that will help you stay trojan-free... but you still need to watch-out for worms and other nasties...
 
Old 02-07-2006, 04:08 AM   #13
ic_torres
Member
 
Registered: Nov 2005
Location: ABAP
Distribution: slackware 12.0, Vector Linux STD 6.0 and 5.8, ZenWalk 4.6.1, OpenBSD 3.9
Posts: 389

Original Poster
Rep: Reputation: 34
hmm now i have the basic idea.. a big THANKS sir..
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
chkrootkit and possible trojan Whitestone Linux - Security 2 11-26-2004 06:04 AM
detecting a DOS attack ignus Linux - Security 4 07-29-2004 02:17 PM
LKM trojan? help! synaptical Linux - Security 3 03-07-2004 07:16 AM
lkm trojan nullpt Linux - Security 3 12-26-2003 06:42 PM
Possible Trojan ! FreeFox Linux - General 4 08-03-2003 08:52 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:46 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration