Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hi,
Unfortunately someone left a VM exposed to the internet with an easy-to-guess SSH root password, and the rootkit Linux/XOR.DDoS has been installed. I know when the attacker gained access to the server and what his IP address was, but I'd like to know when the rootkit was installed. Is it possible?
Have a read of this - https://bartblaze.blogspot.co.uk/201...uxxorddos.html - and determine the files that the rootkit creates. Have a look for these and, unless the rootkit faked the dates or has touched them since, you should be able to see the date that it started its active infiltration.
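The timestamp check suggested above, as an added example that is not code from the thread or from the linked write-up. It assumes GNU coreutils and GNU find, and that the disk is examined from a clean boot (or a mounted image), since a kernel-module rootkit on the live system can hide its own files. The paths in INDICATORS are illustrative placeholders, not a verified Linux/XOR.DDoS file list; substitute the ones identified from the write-up. The practical point it shows is which of the three timestamps to trust: mtime and atime can be reset with touch(1), ctime cannot, so ctime is the one to correlate with the attacker's login time.

```shell
#!/bin/sh
# Added example (not from the thread): timestamp triage for dropped files.
# Assumes GNU coreutils (stat, date) and GNU find, run against a clean
# boot or a mounted image so a kernel-side rootkit cannot hide the files.
# INDICATORS is an illustrative placeholder list, not a verified file list.
INDICATORS="/lib/udev/udev /etc/cron.hourly/cron.sh /lib/libudev.so"

# Convert a date string (e.g. the login time shown by `last -F`) to epoch seconds.
epoch_of() { date -d "$1" +%s; }

# Print ctime, mtime and birth time (epoch seconds) for each path given.
# mtime/atime can be faked with touch(1); ctime cannot, short of raw disk
# writes or a clock change. birth prints '-' or 0 where the FS lacks it.
file_times() {
    for f in "$@"; do
        if [ -e "$f" ]; then
            stat -c 'ctime=%Z mtime=%Y birth=%W path=%n' -- "$f"
        else
            echo "missing path=$f"
        fi
    done
}

# Seconds between the attacker's login (epoch) and a file's ctime.
# A negative result means the file predates the login and is probably not theirs.
seconds_after() {
    ctime=$(stat -c %Z -- "$1")
    echo $((ctime - $2))
}

# Every regular file under DIR (same filesystem only) whose ctime is later
# than REF, e.g. changed_since / "2017-03-01 14:05:00". This surfaces
# droppers the write-up does not list: cron entries, init scripts, replaced libs.
changed_since() { find "$1" -xdev -type f -newerct "$2" 2>/dev/null; }

# Usage (interactive):
#   file_times $INDICATORS
#   changed_since / "$(date -d @"$(epoch_of '2017-03-01 14:05:00')")"
```

Read the ctime column of the indicator files first; if they cluster within minutes of the SSH login recorded in auth.log or wtmp, that cluster is the installation time. Then run changed_since from the login time to catch anything the write-up did not enumerate. If ctime on the indicators is older than the login, either the clock was wrong or the box was compromised earlier than the login you know about.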
While I don't know if this particular rootkit will be picked up by the following command, it's a good command to have installed to check for rootkits with. You will more likely than not need to install it, as it is not normally installed by default in most Linux distros.
rkhunter after the fact? Dunno, as it would require a --propupd before it is effective?
In addition to checking the status of files after running --propupd, rkhunter does a check of known and possible rootkit files and directories, malware checks, and in this case FreeBSD-specific checks, as well as network ports if you enable nmap support.
Code:
Rootkit checks...
Rootkits checked : 477
Possible rootkits: 0
OpenBSD considers rkhunter a "gimmick" and it isn't even in their repository.
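On the "--propupd after the fact" problem raised above: taking an rkhunter file-property baseline on an already compromised host would simply bless the rootkit's files. An added example, not code from the thread or from rkhunter, that sidesteps this by using the digests the package manager recorded at install time instead. It assumes an RPM- or dpkg-based system; `rpm -Va` and `dpkg -V` both print one line per mismatching file, where a '5' in the third column of the flags means the digest differs and a 'c' after the flags marks a config file, which is expected to change.

```shell
#!/bin/sh
# Added example (not from the thread): find installed files whose on-disk
# digest no longer matches the package database, without needing an
# rkhunter baseline from the clean system. Assumes rpm or dpkg is present.
# Output line shapes handled (constructed, matching rpm -Va / dpkg -V):
#   S.5....T.    /lib/libudev.so        (rpm, digest differs)
#   S.5....T.  c /etc/ssh/sshd_config   (rpm, config file: ignored)
#   ??5??????   /usr/bin/ps             (dpkg only records the digest)
#   missing     /usr/bin/gone           (no flag string: ignored)
# Caveat: paths containing spaces are truncated by the field split.

# Read verification output on stdin, print only non-config files whose
# digest differs from what the package database recorded.
digest_mismatches() {
    awk '
        # $1 is the 9-char flag string; $2 is a one-letter file type
        # (c, d, g, l, r, ...) when present, otherwise the path itself.
        substr($1, 3, 1) == "5" {
            if (NF >= 3 && length($2) == 1) { type = $2; path = $3 }
            else                            { type = "";  path = $2 }
            if (type != "c") print path
        }'
}

# Run whichever package manager exists. ROOT (optional) lets you verify a
# disk mounted from a rescue boot, e.g. verify_packages /mnt, so that a
# kernel-side rootkit on the live system cannot lie to rpm/dpkg.
verify_packages() {
    root=${1:-/}
    if command -v rpm >/dev/null 2>&1; then
        rpm -Va --root "$root" 2>/dev/null | digest_mismatches
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg --root="$root" -V 2>/dev/null | digest_mismatches
    else
        echo "neither rpm nor dpkg found" >&2
        return 1
    fi
}
```

Anything this prints under /bin, /sbin, /lib or /usr on a box that has not been locally patched deserves a ctime check against the attacker's login. It only covers packaged files, so the rootkit's own droppers (cron entries, init scripts, files under /tmp or /var) still need the timestamp sweep; and if the package database or the rpm/dpkg binaries themselves were replaced, this check is worthless, which is why running it against a mounted disk from clean media is preferable.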
Most importantly, "see to it that rootkits can't be installed in the first place."
Practice the "principle of least privilege." Jealously guard all user IDs which are capable of attaining root privileges and do not use these accounts ... nearly all of the time. No one can "just stumble upon your system" and "decide to install a rootkit on it."
Most importantly, "see to it that rootkits can't be installed in the first place."
... No one can "just stumble upon your system" and "decide to install a rootkit on it."
While the first part of your comment is right on, the last part is most certainly not true. I stumble upon systems with full access on the open internet all the time. Of course, I don't go around installing rootkits, but I could if I wanted to.