LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-31-2018, 08:59 PM   #1
tuxthegreat
Member
 
Registered: Mar 2018
Distribution: Ubuntu Mate, OSX, Win10, ODROID-N2+
Posts: 176

Rep: Reputation: Disabled
rkhunter found 2 possible rootkits


Here is some info first
Ubuntu Mate 16.04.4 LTS
Reason for my issue: I may have been compromised; my laptop was left unattended while it was on. I also have further suspicions but I won't post them here. Anyway, to my rkhunter issue: I grabbed the newest version from https://sourceforge.net/projects/rkhunter/ and compiled it. I have Rootkit Hunter 1.4.6 with the newest signatures. I also added a few lines in here to help prevent false positives, which I read about here: https://unix.stackexchange.com/quest...ould-i-do-debi
Code:
/etc/rkhunter.conf.local
PKGMGR=DPKG
ALLOW_SSH_ROOT_USER=YES
Code:
rkhunter --update
Here is the output from the command
Code:
rkhunter --checkall
My /var/log/rkhunter.log was too long to put in here, so I used pastebin instead: https://pastebin.com/496KBf2W
Any help is appreciated guys. Should I zero out the drive and reinstall with an encrypted filesystem? Or am I jumping the gun on this one?

Last edited by tuxthegreat; 03-31-2018 at 09:01 PM.
 
Old 04-01-2018, 08:22 PM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,642
Blog Entries: 4

Rep: Reputation: 3933
As far as I'm concerned, rkhunter is pretty-much to be lumped in together with "anti-virus snake oil."

(Your mileage may vary.™)

If your system actually has been thoroughly fscked compromised, then such a tool might be effective in bearing you the bad news. But as any sort of pro-active or preventive solution? "Not so much.™"

If your system was, in fact, "hosed," and hosed in some well-known way, then, yeah, these tools can name your poison. But the one thing that these tools cannot answer is the one thing that you really want to know: "Am I poisoned?"

And actually (IMHO) ... "nearly all of the time, the answer is no."

The security of any operating system – Linux or otherwise – is always technically more-than strong enough not to be trifled with. You must achieve a substantial human penetration in order to achieve such a total penetration of the system that you are actually able to reprogram the system's kernel, and then to reboot the hardware with your payload.

The one-and-only system that I ever had anything to do with, which was actually "kitted," was a (hosted, virtual) machine that I hadn't even started to use yet. (The host "conveniently" provided Plesk.) Of course I knew better. Of course I reinstalled the system from a known-good vendor image, before I'd ever actually even started using it, and kissed-goodbye the host's apparently already-compromised "convenience."

Last edited by sundialsvcs; 04-01-2018 at 08:31 PM.
 
1 members found this post helpful.
Old 04-02-2018, 08:08 AM   #3
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by tuxthegreat View Post
Here is some info first
Ubuntu Mate 16.04.4 LTS
Reason for my issue: I may have been compromised; my laptop was left unattended while it was on. I also have further suspicions but I won't post them here. Anyway, to my rkhunter issue: I grabbed the newest version from https://sourceforge.net/projects/rkhunter/ and compiled it. I have Rootkit Hunter 1.4.6 with the newest signatures. I also added a few lines in here to help prevent false positives, which I read about here: https://unix.stackexchange.com/quest...ould-i-do-debi
Code:
/etc/rkhunter.conf.local
PKGMGR=DPKG
ALLOW_SSH_ROOT_USER=YES
Code:
rkhunter --update
Here is the output from the command
Code:
rkhunter --checkall
My /var/log/rkhunter.log was too long to put in here, so I used pastebin instead: https://pastebin.com/496KBf2W
Any help is appreciated guys. Should I zero out the drive and reinstall with an encrypted filesystem? Or am I jumping the gun on this one?
You don't have to, BUT...after that exercise when you do the exact same thing, get the exact same result?
F that.

Neither of those 2 directives deals with "false positives".
One of them is a Package Manager "option" that performs a
Code:
rkhunter --propupd
after dpkg or apt-get is called, and is only valid IF /etc/default/rkhunter is present, which on "manual installs" does not exist. (I did not compile 1.4.4.)
The other tells you, the "sysadmin", that something needs to be addressed... "Does this host allow root login?"
and if so, deal with it in /etc/rkhunter.conf.local (props for that btw, all the cool kids use /etc/rkhunter.conf.local)

Bad advice. IMO

search "avoid" at https://help.ubuntu.com/community/RKhunter

Good luck.

Last edited by Habitual; 04-02-2018 at 08:09 AM.
 
1 members found this post helpful.
Old 04-04-2018, 03:09 PM   #4
geppy
LQ Newbie
 
Registered: Dec 2017
Posts: 15

Rep: Reputation: Disabled
Use a flash drive at least for important (relative to work) stuff. Install your OS there. Or you can carry an SSD with you.
If it's not work related - nothing to worry about - hacks are common.
 
Old 04-13-2018, 11:17 AM   #5
tuxthegreat
Member
 
Registered: Mar 2018
Distribution: Ubuntu Mate, OSX, Win10, ODROID-N2+
Posts: 176

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Habitual View Post
You don't have to, BUT...after that exercise when you do the exact same thing, get the exact same result?
F that.

Neither of those 2 directives deals with "false positives".
One of them is a Package Manager "option" that performs a
Code:
rkhunter --propupd
after dpkg or apt-get is called, and is only valid IF /etc/default/rkhunter is present, which on "manual installs" does not exist. (I did not compile 1.4.4.)
The other tells you, the "sysadmin", that something needs to be addressed... "Does this host allow root login?"
and if so, deal with it in /etc/rkhunter.conf.local (props for that btw, all the cool kids use /etc/rkhunter.conf.local)

Bad advice. IMO

search "avoid" at https://help.ubuntu.com/community/RKhunter

Good luck.
Indeed I found the bit that rkhunter was yelling about here:
Code:
cat /etc/rkhunter.conf.local
PKGMGR=DPKG
ALLOW_SSH_ROOT_USER=YES
Should I change the USER=YES to a USER=NO and restart the process?
 
Old 04-13-2018, 11:21 AM   #6
tuxthegreat
Member
 
Registered: Mar 2018
Distribution: Ubuntu Mate, OSX, Win10, ODROID-N2+
Posts: 176

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by geppy View Post
Use a flash drive at least for important (relative to work) stuff. Install your OS there. Or you can carry an SSD with you.
If it's not work related - nothing to worry about - hacks are common.
I have a spare eMMC card with an ODROID-C2 it attaches to, for my important stuff.
 
Old 04-13-2018, 01:42 PM   #7
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by geppy View Post
Use a flash drive at least for important (relative to work) stuff. Install your OS there. Or you can carry an SSD with you.
If it's not work related - nothing to worry about - hacks are common.
Plenty to worry about with Bad Advice.

Quote:
Originally Posted by tuxthegreat View Post
Indeed I found the bit that rkhunter was yelling about here:
Code:
cat /etc/rkhunter.conf.local
PKGMGR=DPKG
ALLOW_SSH_ROOT_USER=YES
Should I change the USER=YES to a USER=NO and restart the process?
Code:
grep ^PermitRootLogin /etc/ssh/sshd_config
compared to
Code:
grep ALLOW_SSH_ROOT_USER /etc/rkhunter.conf.local

What you need to do is:
  1. read the ubiquitous Comments in /etc/rkhunter.conf
specifically
Code:
#
# The following option is checked against the SSH configuration file
# 'PermitRootLogin' option. A warning will be displayed if they do not match.
# However, if a value has not been set in the SSH configuration file, then a
# value here of 'unset' can be used to avoid warning messages.
#
# The default value is 'no'.
#
#ALLOW_SSH_ROOT_USER=no
and this is re-iterated when you try to run rkhunter.

What you have to do is ask:
does root log in to this host or not? PLEASE visit https://help.ubuntu.com/community/StricterDefaults
and take note.

And another thing...
Have a Great Day.

I'd ignore the poor suggestion from geppy.

Last edited by Habitual; 04-13-2018 at 01:43 PM.
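The comparison the rkhunter.conf comment above describes, as an added example (my own code, not rkhunter's and not from any poster in this thread): a POSIX shell script that reads the active PermitRootLogin value from an sshd_config and ALLOW_SSH_ROOT_USER from an rkhunter.conf.local, then reports a mismatch the way the warning arises. It assumes plain "Keyword value" lines in sshd_config, uses 'unset' as the rkhunter comment documents, and the sample files are constructed, not anyone's real configuration.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: reproduce the comparison rkhunter
# documents between sshd_config 'PermitRootLogin' and ALLOW_SSH_ROOT_USER.

# Print the active PermitRootLogin value from an sshd_config (lowercased).
# sshd honours the first occurrence of a keyword, so the first active line
# wins; commented lines (#PermitRootLogin ...) are skipped. Prints 'unset'
# when the file does not set it, mirroring the 'unset' value rkhunter accepts.
sshd_root_login() {
    v=$(awk '$1 !~ /^#/ && tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-unset}"
}

# Print the ALLOW_SSH_ROOT_USER value from an rkhunter.conf.local (lowercased,
# whitespace stripped); the last assignment wins. Falls back to 'no', the
# default stated in the rkhunter.conf comment.
rkhunter_root_setting() {
    v=$(awk -F= '$1 == "ALLOW_SSH_ROOT_USER" { val = tolower($2); gsub(/[ \t\r]/, "", val) }
                 END { print val }' "$1")
    printf '%s\n' "${v:-no}"
}

# Compare the two settings the way the rkhunter.conf comment describes:
# a warning whenever they do not match. Returns 1 on mismatch.
check_root_login_match() {
    ssh_val=$(sshd_root_login "$1")
    rk_val=$(rkhunter_root_setting "$2")
    if [ "$ssh_val" = "$rk_val" ]; then
        printf 'OK: PermitRootLogin=%s matches ALLOW_SSH_ROOT_USER=%s\n' "$ssh_val" "$rk_val"
        return 0
    fi
    printf 'WARNING: PermitRootLogin=%s but ALLOW_SSH_ROOT_USER=%s\n' "$ssh_val" "$rk_val"
    return 1
}

# Constructed sample files (not the poster's real configuration): an
# sshd_config that does not permit root password logins, beside the
# rkhunter.conf.local from the thread, which claims root login is allowed.
demo=$(mktemp -d)
printf '#PermitRootLogin yes\nPermitRootLogin prohibit-password\n' > "$demo/sshd_config"
printf 'PKGMGR=DPKG\nALLOW_SSH_ROOT_USER=YES\n' > "$demo/rkhunter.conf.local"
check_root_login_match "$demo/sshd_config" "$demo/rkhunter.conf.local"
# Expected: WARNING: PermitRootLogin=prohibit-password but ALLOW_SSH_ROOT_USER=yes
rm -rf "$demo"
```

Point the two paths at /etc/ssh/sshd_config and /etc/rkhunter.conf.local to check a real host; the fix for the thread's configuration is to set ALLOW_SSH_ROOT_USER to whatever sshd actually uses, not to toggle it until the warning goes away.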
 
Old 04-19-2018, 10:01 PM   #8
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524

Rep: Reputation: 1015
Rkhunter isn't much defense, but it's even less so after the fact, because it doesn't know what the system should look like. It's like walking into a strange house for the first time and trying to determine what's missing from before you ever saw it.
 
Old 04-20-2018, 07:11 AM   #9
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,642
Blog Entries: 4

Rep: Reputation: 3933
To me, such tools amount to: "the boy who cried, 'wolf!'"

Even if your system was left on while unattended, if the user was not a member of the wheel group and the interloper didn't know your login password, then (s)he would be confined to tinkering with "your stuff." The majority of the system would be protected. And the odds of any surreptitious person actually being able to compromise the system so thoroughly as to install a root kit are damned-near zero. But a "root-kit hunter" doesn't know that.

"Security is a process." That point can't be over-emphasized. You can't "buy or download a (blind ...) tool" and obtain security by doing so. Peter Norton & Company made tons of money by contracting with Microsoft to include a copy of their products with every sale, but they didn't do the world of computing any service.
 
Old 04-20-2018, 07:15 AM   #10
Trihexagonal
Member
 
Registered: Jul 2017
Posts: 362
Blog Entries: 1

Rep: Reputation: 334
You have to know when to worry. I get the same warning running rkhunter on my FreeBSD machines:

Code:
Performing system configuration file checks
Checking for an SSH configuration file                   [ Found ]
Checking if SSH root access is allowed                   [ Warning ]
Checking if SSH protocol v1 is allowed                   [ Warning ]
even though I have edited system files to the contrary. I disable ssh in /etc/rc.conf anyway since I have no need for remote access.

Yes, you're supposed to run --propupd at the optimum time to get a baseline, immediately after installing all your programs if possible, but it does do malware checks, checks for known rootkits and in my case FreeBSD specific checks in addition to checking for file changes.

That said, OpenBSD doesn't even include it in their repository.

Last edited by Trihexagonal; 04-20-2018 at 07:17 AM.
 
1 members found this post helpful.
Old 04-21-2018, 08:45 PM   #11
RadicalDreamer
Senior Member
 
Registered: Jul 2016
Location: USA
Distribution: Slackware64-Current
Posts: 1,816

Rep: Reputation: 981
I believe the "possible rootkits" is finding programs that are running on your system. I just upgraded to 1.4.6 and it's reporting instances of Okular & kate open as possible rootkits. I'm lazy & just leave stuff open perpetually if I'm going to go back to it. I went to runlevel 3 and all the possible rootkits disappeared.
 
Old 04-23-2018, 07:33 AM   #12
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
rkhunter on a Linux Desktop is useless.
 
Old 04-26-2018, 08:43 AM   #13
mralk3
Slackware Contributor
 
Registered: May 2015
Distribution: Slackware
Posts: 1,900

Rep: Reputation: 1050
Quote:
Originally Posted by Habitual View Post
rkhunter on a Linux Desktop is useless.
What is a recommended way to audit a desktop system then? Tripwire is not great for a desktop (too many changes), lynis seems like it's built for servers, and chkrootkit seems a bit incomplete.

I am seeing the following output from rkhunter:

Code:
..snip..

[07:04:19]   Checking for suspicious (large) shared memory segments [ Warning ]
[07:04:19] Warning: The following suspicious (large) shared memory segments have been found:
[07:04:19]          Process: /usr/lib64/firefox-52.7.3/firefox    PID: 7882    Owner: user    Size: 7.6MB (configured size allowed: 1.0MB)
[07:04:19]          Process: /usr/lib64/firefox-52.7.3/firefox    PID: 7882    Owner: user    Size: 7.6MB (configured size allowed: 1.0MB)
[07:04:19]          Process: /usr/lib64/thunderbird-52.7.0/thunderbird    PID: 8044    Owner: user    Size: 7.6MB (configured size allowed: 1.0MB)
[07:04:19]          Process: /usr/lib64/thunderbird-52.7.0/thunderbird    PID: 8044    Owner: user    Size: 7.6MB (configured size allowed: 1.0MB)
[07:04:19]          Process: /usr/lib64/thunderbird-52.7.0/thunderbird    PID: 8044    Owner: user    Size: 1.0MB (configured size allowed: 1.0MB)

..snip..

[07:04:38] System checks summary
[07:04:38] =====================
[07:04:38]
[07:04:38] File properties checks...
[07:04:38] Files checked: 194
[07:04:38] Suspect files: 5
[07:04:39]
[07:04:39] Rootkit checks...
[07:04:39] Rootkits checked : 511
[07:04:39] Possible rootkits: 5

Last edited by mralk3; 04-26-2018 at 08:47 AM.
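The shared-memory warning in the log above, triaged as an added example (my own code, not rkhunter's and not the poster's): a POSIX shell/awk snippet that collapses the repeated lines to one entry per process and PID, keeps only segments larger than the configured allowance, and prints candidate exception lines for the survivors. ALLOWIPCPROC is the rkhunter.conf option name as I know it from rkhunter's default configuration file, not something this thread shows; the log lines are constructed from the format in the post, and both sizes are assumed to share the MB unit the log prints.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: triage the "suspicious (large)
# shared memory segments" warning from an rkhunter log.

# Print one line per distinct Process/PID whose reported Size exceeds the
# configured allowance: "<path> <pid> <owner> <size> <allowed>".
# Assumes both sizes carry the same unit (MB, as in the log above); awk's
# string-to-number conversion drops the unit suffix when comparing.
list_large_ipc() {
    awk '/Process: .*Size: / {
        path = ""; pid = ""; owner = ""; size = ""; allowed = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "Process:") path = $(i + 1)
            else if ($i == "PID:") pid = $(i + 1)
            else if ($i == "Owner:") owner = $(i + 1)
            else if ($i == "Size:") size = $(i + 1)
            else if ($i == "allowed:") allowed = $(i + 1)
        }
        sub(/\)$/, "", allowed)
        key = path " " pid
        if (key in seen) next        # the log lists the same segment more than once
        seen[key] = 1
        if (size + 0 > allowed + 0) print path, pid, owner, size, allowed
    }' "$1"
}

# Candidate exception lines, one per distinct path. ALLOWIPCPROC is the
# rkhunter.conf option I know for this purpose (assumption: confirm the name
# against the comments in your own /etc/rkhunter.conf before adding it).
suggest_ipc_exceptions() {
    list_large_ipc "$1" | awk '!seen[$1]++ { print "ALLOWIPCPROC=" $1 }'
}

# Constructed sample log in the format shown in the thread.
log=$(mktemp)
cat > "$log" <<'EOF'
[07:04:19]   Checking for suspicious (large) shared memory segments [ Warning ]
[07:04:19] Warning: The following suspicious (large) shared memory segments have been found:
[07:04:19]          Process: /usr/lib64/firefox-52.7.3/firefox    PID: 7882    Owner: user    Size: 7.6MB (configured size allowed: 1.0MB)
[07:04:19]          Process: /usr/lib64/firefox-52.7.3/firefox    PID: 7882    Owner: user    Size: 7.6MB (configured size allowed: 1.0MB)
[07:04:19]          Process: /usr/lib64/thunderbird-52.7.0/thunderbird    PID: 8044    Owner: user    Size: 7.6MB (configured size allowed: 1.0MB)
[07:04:19]          Process: /usr/lib64/thunderbird-52.7.0/thunderbird    PID: 8044    Owner: user    Size: 1.0MB (configured size allowed: 1.0MB)
EOF
list_large_ipc "$log"           # firefox 7882 and thunderbird 8044, once each
suggest_ipc_exceptions "$log"
rm -f "$log"
```

Whether a browser's 7.6MB segment deserves an exception or an investigation is the judgement call rkhunter cannot make for you; the script only makes the list short enough to make it.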
 
Old 04-26-2018, 12:10 PM   #14
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
"Possible rootkits"... either issue exceptions for those Processes, or ignore the output.
 