Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Re: the rkhunter.log. I believe it was truncated by whoever was accessing my computer, and I truncated it myself in order for it to be small enough to be uploaded. There are still several interesting messages in what I did upload, and what had been deleted by the hacker was, as far as I can remember, once again reported in a later part of the log that I uploaded anyway. I am stumped because all of the usual advice given about dealing with rootkits isn't working in this case, hence the LQ question.
Quote:
Originally Posted by mazinoz
My reason for believing there is still a problem is the turning off of the firewall and skdet finding a variety of unidentified open ports. Unhide brute also finds hidden processes. Then there is the image from a long-ago SuSE installation that comes up if I shut down via Kmenu, logoff, bottom Menu, shutdown.
Quote:
Originally Posted by mazinoz
I have attempted to upload again but could only do this by truncating the rkhunter.log file. I noticed there is now a new message about anacron. Similarly for the mail log. I found it difficult as well because I was using a live CD and the hard drive was encrypted and I couldn't mount it in Ubuntu. The message about the infection was in the mail log. I will now proceed to zero and shred, and double-check the log-off problem from the fresh install. Will then install security and other applications.
With all due respect, what you need to do is calm down and start from the beginning. Heading off in all sorts of exotic directions to "fix" things based on your hunches of what you think is wrong (and without giving thought, without allowing for analysis or explanation) is not the right approach. As an example I submit your previous Suck-IT thread here.
So, and I need to be a bit more strict here (but with good reason): cut out the zeroing out and reformatting for now and please provide proper evidence before proceeding. If you fail to upload logs due to size, compress them first. If that doesn't work, upload the logs to some free hosting service. If you do not want to do that, send me an email; I'll reply, then you can attach logs.
Quote:
Originally Posted by chigurh8
I don't know too much about security (..) I don't know too much, I just have tripwire and antivirus and firewall ... I've been reading.
...then by all means you're invited to sit back and hang around. But please let (perceived) security incidents be handled by those with a wee bit more experience. Thanks for understanding.
Last edited by unSpawn; 07-20-2009 at 07:09 AM.
Reason: //typo
If you start from a zeroed drive and install from a magazine DVD, you won't get reinfected. Even if the malware was a wizard at hiding files in a reserved area of the HD, code needs to be run to bring it back. It is far more possible that an attacker was able to re-infect your computer the same way he did originally. You could take it offline and re-run rkhunter. Try to run it from a live distro if possible. Mount your root disk under /mnt and run chkrootkit with the "-r /mnt" argument.
from the chkrootkit README:
Code:
Sometimes is a good idea to mount the disk from a compromised machine
on a machine you trust. Just mount the disk and specify a new
rootdir with the `-r' option.
For example, suppose the disk you want to check is mounted under
/mnt, then:
# ./chkrootkit -r /mnt
Since you are going to install Fedora 11, the advice above may be moot for now.
Some services and programs will cause false positives. If you see an email from rkhunter after reinstalling, that could be the reason.
If you were compromised in the past, make sure you use different passwords, including for your router.
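The offline check described in the reply above (trusted live system, suspect disk mounted under a directory, chkrootkit pointed at it with -r), written out as a script. This is an added example, not code from the thread or from the chkrootkit project. It assumes the suspect root partition is a placeholder device such as /dev/sdb1, that chkrootkit is installed on the live system, and that it runs as root; the mount-option check reads /proc/mounts by default but accepts a different table file so it can be exercised without a real mount.

```shell
#!/bin/sh
# Added example (not from the thread): scan a suspect root filesystem from a
# trusted live system, the way the chkrootkit README excerpt above describes.
# Assumptions (mine): the suspect root partition is a placeholder like /dev/sdb1,
# chkrootkit is installed on the live system, and the script runs as root.

# mount_has_opts MOUNTPOINT REQUIRED_OPTS [MOUNTS_FILE]
# Confirms from the mount table (default /proc/mounts) that MOUNTPOINT is
# mounted with every option in REQUIRED_OPTS (comma-separated). The suspect
# disk must never be mounted writable or executable: ro so evidence is not
# altered, noexec/nodev so nothing on it can run or expose device nodes on
# the live box.
mount_has_opts() {
    mp=$1
    required=$2
    table=${3:-/proc/mounts}
    # Field 2 is the mount point, field 4 the option string; take the last
    # matching line in case the same path was mounted more than once.
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$table" | tail -n 1)
    [ -n "$opts" ] || return 1
    old_ifs=$IFS
    IFS=,
    for want in $required; do
        case ",$opts," in
            *",$want,"*) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# offline_scan DEVICE MOUNTPOINT
# Mounts DEVICE read-only under MOUNTPOINT, verifies the options actually
# took effect, then runs chkrootkit against that tree and keeps the output.
offline_scan() {
    dev=$1
    mp=$2
    mkdir -p "$mp"
    mount -o ro,noexec,nodev,nosuid "$dev" "$mp"
    if ! mount_has_opts "$mp" "ro,noexec,nodev"; then
        echo "refusing to scan: $mp is not mounted ro,noexec,nodev" >&2
        umount "$mp"
        return 1
    fi
    # -r makes chkrootkit treat MOUNTPOINT as the root of the filesystem under
    # test (the README's "new rootdir"), so it inspects that disk's binaries
    # and logs rather than the live system's own.
    chkrootkit -r "$mp" | tee "chkrootkit-$(date +%Y%m%d).log"
    umount "$mp"
}

# Usage: ./offline_scan.sh /dev/sdb1 /mnt
if [ $# -ge 2 ]; then
    offline_scan "$1" "$2"
fi
```

The option check matters because a `mount` with `-o ro` can silently be overridden (for example by an fstab entry or a filesystem that needs a journal replay), and a scan that ran over a writable, executable copy of the suspect disk is worth less as evidence.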
I decided to sleep and burn DVD etc in morning. This morning I gave it one last shot and searched forums for hard drive cleansing and found this information under 'How to do everything with dd.'
The replies I've seen in the security forum are inadequate as they just quote something like dd if=zero of=/dev/hda.
The more detailed explanation holds the key.
Disks, even though there is LBA addressing now, are still secretly read in sectors, cylinders, and heads. There are 63 sectors per cylinder, and 255 heads per cylinder. Then there is a total cylinder count for the disk. You multiply out 512x63x255 = bytes per cylinder. 63x255 = sectors per cylinder. With dd you usually want to work with sectors per cylinder. With 234441647 total sectors, and 16065 sectors per cylinder, you get some trailing sectors which do not make up an entire cylinder, 14593.317584812. This leaves you with 5102 sectors which cannot be partitioned, because to be in a partition you have to be a whole cylinder. Part cylinders do not count. It's like having part of a person. That doesn't really count as a person. So, what happens to these sectors? They become surplus sectors after the last partition. This is a perfect place for sneaky programs to play, because you can't ordinarily read in there with an operating system. But dd can.
It is really a good idea to check for anything writing to surplus sectors. For our Seagate 120 GB drive you subtract total sectors (234441647) - (5102, which don't make up a whole cylinder) = 234436545 partitionable sectors. Remember, native HDD sectors are 512, or 1b. If you don't specify "bs" in dd it defaults to 512.
dd if=/dev/sda of=/home/sam/myfile skip=234436545
this writes the last 5102 sectors to myfile. Launch "mc" to view the file. I swear, half the time Windows XP has left a weird, mutated MBR there. It like marks the disk for life that XP was there.
If there is something in there, you do not need it for anything. In this case you would write over it with random characters. Many digital rights management programs use surplus sectors to operate from, while enforcing DRM. These trojans, which are corporate trojans, are meant to enforce the security measures in copyrighted software. There are other various means to conceal such a trojan. One of these is a hidden partition. There is an undocumented type of partition which is called hidden. It is not visible to any operating system.
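The surplus-sector arithmetic from the dd write-up quoted above, turned into a small script that computes the region, dumps it with dd and hashes it so it can be compared against a baseline taken earlier. This is an added example; it is not code from the thread or from the article being quoted. It assumes the legacy geometry the article uses (63 sectors per track, 255 heads, 512-byte sectors) as defaults, takes the total sector count from `blockdev --getsz`, and uses GNU dd's `status=none`; on a real drive the partition table itself (sfdisk or parted) is the authoritative source of where the last partition ends, so treat the CHS figure as the article's approximation.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "surplus sectors"
# arithmetic from the dd write-up above, then dump and hash that region.
# Assumptions (mine, not the article's): 63 sectors per track, 255 heads,
# 512-byte sectors; blockdev and GNU dd are available; runs as root.

# surplus_geometry TOTAL_SECTORS [SECTORS_PER_TRACK] [HEADS]
# Prints: sectors_per_cylinder whole_cylinders partitionable_sectors surplus_sectors
surplus_geometry() {
    total=$1
    spt=${2:-63}
    heads=${3:-255}
    spc=$((spt * heads))                  # sectors per cylinder (63*255 = 16065)
    cyls=$((total / spc))                 # whole cylinders (integer division)
    partitionable=$((cyls * spc))         # sectors that can belong to a partition
    surplus=$((total - partitionable))    # trailing sectors after the last whole cylinder
    echo "$spc $cyls $partitionable $surplus"
}

# dump_surplus DEVICE OUTFILE
# Copies the surplus region of DEVICE to OUTFILE with dd (bs=512, so skip and
# count are in native sectors, as the article notes) and prints its SHA-256.
# Keep the hash with your notes: if the region changes between checks on a
# machine that should not have touched it, that is worth investigating.
dump_surplus() {
    dev=$1
    out=$2
    total=$(blockdev --getsz "$dev")      # device size in 512-byte sectors
    set -- $(surplus_geometry "$total")
    partitionable=$3
    surplus=$4
    echo "total=$total partitionable=$partitionable surplus=$surplus" >&2
    dd if="$dev" of="$out" bs=512 skip="$partitionable" count="$surplus" status=none
    sha256sum "$out"
}

# surplus_is_blank FILE
# Succeeds if the dumped region contains only zero bytes. tr deletes NUL
# bytes; if nothing remains, there is nothing in the region to look at.
surplus_is_blank() {
    [ "$(tr -d '\000' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# Usage: ./surplus.sh /dev/sda /root/surplus.bin
if [ $# -ge 2 ]; then
    dump_surplus "$1" "$2"
    if surplus_is_blank "$2"; then
        echo "surplus region is all zeros" >&2
    else
        echo "surplus region is not blank; inspect with mc or hexdump -C" >&2
    fi
fi
```

For the drive in the article (234441647 sectors) the script reports 16065 sectors per cylinder, 14593 whole cylinders, 234436545 partitionable sectors and 5102 surplus sectors, matching the figures quoted. The blank check is what makes a dump useful over time: a region that was all zeros after the fresh install and is not on the next check is a concrete finding, whereas a stray MBR fragment that was already there tells you nothing about the current machine.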
Sorry Ischwal and Unspawn. Read your comments after above post. I was not trying to be difficult. Will finish reading what you have said, think about it and decide what to do next, if successful I'll let you know.
Thanks to both of you for your recent replies. I understand what you are saying about being methodical. I do think a bit differently to trained engineers, as I tend to come up with more questions than answers, and more possible explanations than they do. Don't know why, just the way it is, possibly because I am still learning stuff that they take for granted.