LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-25-2004, 06:59 PM   #1
tekhead2
Member
 
Registered: Apr 2004
Distribution: slackware/FreeBSD/Vector
Posts: 291

Rep: Reputation: 52
Possible rootkit, any readonly way to run check?


Hello all.
I think I may have had one of my systems compromised by a rootkit of some sort. I have run chkroot several times and it has come up with nothing. Also my tripwire has taken a walk off the map. I can not get it to run. That was the first clue that I may have a problem. Since my system may be compromised, there is no real way for me to tell using netstat, or top, or anything else for that matter. Is there a bootable Linux distro that has any anti-rootkit software on it? I have heard of knoppix-std, but I looked on their site and they only have tools for forensics and firewalls. I didn't see any tools to check for rootkits. Also does anyone know of any rootkits that would try to trojan chkroot? I guess in essence it would be an anti-antirootkit kit.. lol! Oh and one more thing, are there any other rootkit checkers that may work better than chkroot, or maybe even fit on a bootable floppy? Any help or suggestions would be great! Thanks!
 
Old 10-25-2004, 08:28 PM   #2
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
Quote:
I looked on their site and they only have tools for forensics and firewalls.
yeah.... rootkit checkers are classified as forensic tools.

knoppix has chkrootkit.
 
Old 10-25-2004, 08:34 PM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Take a look at Knoppix-STD and F.I.R.E. as well.
 
Old 10-26-2004, 02:21 AM   #4
jev-bird
Member
 
Registered: Jul 2004
Location: USofA
Distribution: Whatever runs accordingly.
Posts: 200

Rep: Reputation: 30
It's very common to do something on a Linux box that maybe you don't remember doing and later down the line it breaks your system or something of that nature. The first thing that comes to mind is OMG I've just been owned! Sometimes that's rarely the case. So unless you're for sure, maybe try backtracing and see what you have done. Take a look in your .bash_history if you have it and see what commands root has entered from the terminal previously in regard to the issues you're having, in your case anything pertaining to the configuration or alteration of tripwire.
 
Old 10-27-2004, 02:48 AM   #5
tekhead2
Member
 
Registered: Apr 2004
Distribution: slackware/FreeBSD/Vector
Posts: 291

Original Poster
Rep: Reputation: 52
Thanks for the help

Hey, thanks a lot you guys. I'm still working on it. I looked in my history and it looks okay. I can't really recall doing anything to my tripwire. I think I may have screwed it up when I was messing with my init scripts... Anyway knoppix-std and FIRE are great! Man I don't think I'm gonna use anything else. I mean it's a read-only file system, I don't have to worry about getting owned, all I have to do is reboot! LOL! Of course I'm sure I will burn up my cdrom soon.
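Booting a read-only live CD is only half of the check the thread is after: with tripwire gone, you still need a baseline of the system binaries taken while the box was known-good and kept somewhere the box itself cannot reach. The following is an added example, not code from anyone in this thread; it assumes the suspect disk is mounted read-only at the path passed as `root` (e.g. /mnt/suspect) and that the baseline JSON is stored off-box (a USB stick stands in for that here).

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Directories (relative to the mounted root) that rootkits typically plant replacements in.
DEFAULT_DIRS = ["bin", "sbin", "usr/bin", "usr/sbin", "lib/modules"]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, subdirs=DEFAULT_DIRS) -> dict:
    """Map path-relative-to-root -> sha256 for every regular file under subdirs.
    Symlinks are skipped; directories that do not exist are silently ignored."""
    root_p, manifest = Path(root), {}
    for sub in subdirs:
        for dirpath, _, files in os.walk(root_p / sub):
            for name in files:
                p = Path(dirpath) / name
                if p.is_file() and not p.is_symlink():
                    manifest[str(p.relative_to(root_p))] = sha256_of(p)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Added, removed and modified paths of the mounted root versus the known-good baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed sample (hypothetical files): baseline a fake root, tamper with it, diff it."""
    root, usb = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())  # usb = off-box storage stand-in
    (root / "bin").mkdir()
    (root / "bin" / "ls").write_bytes(b"good ls")
    (root / "bin" / "ps").write_bytes(b"good ps")
    (usb / "baseline.json").write_text(json.dumps(build_manifest(root)))  # taken while known-good
    (root / "bin" / "ls").write_bytes(b"replaced ls")   # modified binary
    (root / "bin" / "netstat").write_bytes(b"dropped")  # added binary
    (root / "bin" / "ps").unlink()                      # removed binary
    baseline = json.loads((usb / "baseline.json").read_text())
    return compare(baseline, build_manifest(root))
```

In real use, run `build_manifest("/mnt/suspect")` from the live CD and diff it against the baseline loaded from the removable medium; the baseline itself must never live on the disk being checked.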
 