LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-16-2004, 11:58 AM   #1
jimdaworm
Member
 
Registered: Aug 2003
Location: Spain
Distribution: Ubuntu
Posts: 897

Rep: Reputation: 30
How reliable is chkrootkit??


I am just wondering how reliable chkrootkit is? Like, what are the chances that if someone has installed a rootkit it will find it, or are there ways of tricking chkrootkit as well?
 
Old 10-16-2004, 12:49 PM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378
There are ways of tricking just about any rootkit detector/virus scanner/you name it. When code is running as root, there's little it can't do, including injecting modules into the kernel (unless you have kernel module support turned off in your kernel). This means that processes can be totally hidden from user space. Often, though, rootkits simply replace tools like ps and top to hide the attacker's processes. One important tip is to know how to boot to known good read only rescue media and then know how to run rootkit detection tools from there.
 
Old 10-16-2004, 08:01 PM   #3
jimdaworm
Member
 
Registered: Aug 2003
Location: Spain
Distribution: Ubuntu
Posts: 897

Original Poster
Rep: Reputation: 30
Hey btmiller, thanks for the info. So you're saying the best thing is to have some sort of a live CD that has chkrootkit, so that way it can't be modified/tricked and will find even a really well installed rootkit in the modified file system?
 
Old 10-16-2004, 09:51 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
The best advice is probably to not rely on any single method of intrusion detection and security. A multi-layered approach (NIDS/HIDS, file alteration detection, stack/heap protection, general hardening, etc) will often be much more difficult for an attacker to defeat.
 
Old 10-17-2004, 07:24 AM   #5
jimdaworm
Member
 
Registered: Aug 2003
Location: Spain
Distribution: Ubuntu
Posts: 897

Original Poster
Rep: Reputation: 30
Hey Capt_Caveman, it's interesting stuff. I have just been reading the thread by unspawn (in your signature); it's a bit overwhelming though! I am in the process of sifting my way through it for a Slackware specific guide.

Thanks for the info
 
Old 10-17-2004, 11:48 PM   #6
SciYro
Senior Member
 
Registered: Oct 2003
Location: hopefully not here
Distribution: Gentoo
Posts: 2,038

Rep: Reputation: 51
Run those integrity checks .. Gentoo users can use the qpkg command to check integrity.

chkrootkit and the such can only find known bad things; rkhunter can also help point out a few weaknesses (like ssh root access) .. but if a file is ever replaced, then there's no hiding from the integrity check (unless they are smart, and modify the database/whatnot so that the checksums will match the new "replacement" program).
 
Old 10-18-2004, 04:23 AM   #7
jimdaworm
Member
 
Registered: Aug 2003
Location: Spain
Distribution: Ubuntu
Posts: 897

Original Poster
Rep: Reputation: 30
Hi SciYro,
I guess the most foolproof system is to use something like tripwire to make MD5s of all the important config files/programs that are likely to be replaced by a rootkit, then back it up on a RW CD and boot once a week a read only Linux live distribution with tripwire (or similar) and use it to check the / file system.

How complicated! I think I will have to give it a go sometime anyway... definitely before I install broadband.

Anyway I am not currently using sshd, although I have been thinking about using it and have re-configured it with no root and also so that it doesn't fall back on the old protocol if there are problems with the new.
 
Old 10-18-2004, 06:51 AM   #8
furfurdemon666
Member
 
Registered: Mar 2004
Posts: 171

Rep: Reputation: 30
I use chkrootkit and rkhunter and find both programs to be very nice and work well. However, I don't use tripwire at the moment; instead I used a tip on a Linux site somewhere to make md5sums of important files with the md5sum program before I connected to the net, and I backed up all md5 sums on another medium. There is a very easy way to set up tripwire with no fuss, basically just copy and paste most of the setup; I found a cool article on tripwire on some linuxkungfu site that is cake to set up.
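The routine that posts #6, #7 and #8 describe (hash the files a rootkit would replace while the system is still clean, keep that list on separate read-only media, and re-check later, ideally from a trusted rescue boot as post #2 suggests) reduces to a few lines of shell. The script below is an added example written for this thread, not code posted by any of the participants. It uses sha256sum rather than the md5sum the posts mention (the `-c` verification flow is the same for both), and the file list `bin/ps`, `bin/ls`, `etc/sshd_config` and the `demo` sandbox are constructed for illustration; on a real host the list would name the actual binaries and config files you care about and ROOT would be `/` or the mount point of the suspect disk.

```shell
#!/bin/sh
# Added example for this thread (not code posted by anyone in it): a minimal
# "hash the important files before going online, keep the baseline on
# read-only media, verify later from a trusted boot" routine.
# sha256sum is used here; md5sum -c behaves the same if you want to match
# the posts. Paths in the file list are relative to ROOT.

# make_baseline ROOT LIST OUT
#   Hash every path in LIST (relative to ROOT) and write "hash  path" lines
#   to OUT. Run this on a known-clean system, then copy OUT to read-only
#   media so a later intruder cannot rewrite it to match replaced files
#   (the weakness SciYro points out). OUT and LIST must be absolute paths.
make_baseline() {
    root=$1 list=$2 out=$3
    : > "$out"
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        ( cd "$root" && sha256sum -- "$p" ) >> "$out"
    done < "$list"
}

# verify_baseline ROOT BASELINE
#   Re-hash the files under ROOT and compare with BASELINE (absolute path).
#   ROOT is / when checking a running system, or the mount point of the
#   suspect disk when booted from rescue media, which is also where the
#   sha256sum binary you are trusting should come from.
#   Prints "path: FAILED" per mismatch; exit status 0 only if all match.
verify_baseline() {
    root=$1 base=$2
    ( cd "$root" && sha256sum -c --quiet -- "$base" )
}

# changed_files ROOT BASELINE
#   Only the paths that no longer match (or are missing), one per line.
changed_files() {
    verify_baseline "$1" "$2" 2>/dev/null | sed -n 's/: FAILED.*$//p'
}

# Stand-alone demonstration in a throwaway directory with constructed sample
# files (not a real system): build a baseline, replace one "binary", and see
# it flagged.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/etc"
    printf 'pretend ps binary\n' > "$d/bin/ps"
    printf 'pretend ls binary\n' > "$d/bin/ls"
    printf 'PermitRootLogin no\n' > "$d/etc/sshd_config"
    printf 'bin/ps\nbin/ls\netc/sshd_config\n' > "$d/files.txt"

    make_baseline "$d" "$d/files.txt" "$d/baseline.sha256"
    verify_baseline "$d" "$d/baseline.sha256" && echo "clean: all hashes match"

    printf 'trojaned ps\n' > "$d/bin/ps"   # simulate a replaced binary
    echo "changed after tampering: $(changed_files "$d" "$d/baseline.sha256")"
    rm -rf "$d"
}
demo
```

The check is only as good as two things the thread already names: the baseline must live somewhere the compromised host cannot write (a burned CD, or at least a separate machine), and the `sha256sum` doing the re-check must be the one on your rescue media, not the one on the suspect disk, since a kernel-level rootkit can lie to any tool run on the live system.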
 
All times are GMT -5.