Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1  01-22-2005, 05:09 PM
Member, Registered: Dec 2003, Location: Sweden, Distribution: Arch Linux, Posts: 65
viruses?
Well, I just came to think about how I would know if I had a virus on Linux.
I'm quite sure I wouldn't.
I started to think that my user has not that much access to make a virus effective, but then I think: I enter the root password many times every day, when installing, changing settings etc. Couldn't the virus just look at what I type, like a keylogger? Or if what I am installing is a virus, how could I know? I know nothing about Linux security. Maybe there is a virus installed by default in my dist that nobody has noticed; how could I know? How could I secure my system? Somebody could have switched my kernel! So now I'm running 2.6.10-1.741_FC3.virus instead of 2.6.10-1.741_FC3.stk16, but of course it is named as my kernel. I always thought that Linux was much more secure than Windows, just because everybody says it is. But how could I know? I know nothing about Linux security; Linux could be a virus itself and I wouldn't notice.
#2  01-22-2005, 06:25 PM
LQ Newbie, Registered: May 2004, Location: Fort Wayne, Indiana, Distribution: Gentoo and Debian, Posts: 4
On Linux, what would be called a virus in Windows would more likely be called a rootkit. chkrootkit and rkhunter are good programs for checking to see if you have a rootkit installed.
http://www.rootkit.org/
http://www.chkrootkit.org/
If you're interested in actively scanning for malicious traffic or possible intrusions, I would say to check out an IDS or integrity checker. Tripwire and Snort are two of the more popular choices to my knowledge. Tripwire will check your files to see if they have changed while Snort is great for scanning active traffic.
http://www.tripwire.org/
http://www.snort.org/
Hopefully this is the kind of thing you're interested in.
#3  01-22-2005, 07:50 PM
Member (Original Poster), Registered: Dec 2003, Location: Sweden, Distribution: Arch Linux, Posts: 65
perfect! thanks!
---
hmm
Code:
rkhunter --checkall --quiet
Line:
[ BAD ]
Line: \033[49C[ BAD ]
[ BAD ]
Line: \033[49C[ BAD ]
[ BAD ]
Line: \033[50C[ BAD ]
[ BAD ]
/usr/sbin/prelink: "/usr/bin/groups" is not an ELF file
Line: \033[46C[ BAD ]
[ Warning! ]
Line: \033[31C[ Warning! ]
Watch out Root login possible. Possible risk!
Line: Watch out Root login possible. Possible risk!
[ Warning (SSH v1 allowed) ]
(other scan with only bad parts)
Code:
/bin/egrep [ BAD ]
/bin/fgrep [ BAD ]
/bin/grep [ BAD ]
/sbin/syslogd [ BAD ]
Scanning for hidden files... [ Warning! ]
---------------
/dev/.udev.tdb /etc/.pwd.lock
/etc/.fstab.hal.e
/etc/.fstab.hal.4
/etc/.java
MD5
MD5 compared: 43
Incorrect MD5 checksums: 4
File scan
Scanned files: 342
Possible infected files: 0
Application scan
Vulnerable applications: 1
OK, does this mean that I'm OK even if 4 MD5 checksums are wrong?
Last edited by firedance; 01-22-2005 at 08:15 PM.
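A baseline integrity check in the spirit of the Tripwire suggestion in #2, added here as an example that is not from the thread: rkhunter's MD5 test compares files against its own hash list, so a mismatch after a package update or prelinking (note the prelink line in the output above) is not by itself evidence of tampering, whereas a manifest recorded from a known-clean install is something you can trust. sha256sum is used instead of MD5 by choice; the function names are my own.

```shell
# Added example, not from the thread: a minimal Tripwire-style baseline and
# verify in POSIX sh using GNU coreutils. Take the baseline from a clean
# state (fresh install, before the host is exposed) and keep the manifest
# somewhere the host cannot silently rewrite it (read-only media, another box).

# Write "sha256  path" lines for every regular file under $1 into manifest $2.
make_baseline() {
    find "$1" -type f -print0 | sort -z | xargs -0 sha256sum > "$2"
}

# Report CHANGED, MISSING and NEW files under $1 relative to manifest $2.
# Prints one line per finding; returns 0 when the tree matches, 1 otherwise.
verify_baseline() {
    dir=$1; manifest=$2; rc=0
    # sha256sum -c prints "path: FAILED" for a modified file and
    # "path: FAILED open or read" for one that has been deleted.
    failures=$(sha256sum -c --quiet "$manifest" 2>/dev/null || true)
    if [ -n "$failures" ]; then
        rc=1
        printf '%s\n' "$failures" | sed -n \
            -e 's/^\(.*\): FAILED open or read$/MISSING \1/p' -e t \
            -e 's/^\(.*\): FAILED$/CHANGED \1/p'
    fi
    # Files present now but absent from the baseline (e.g. a dropped tool).
    tmp=$(mktemp)
    sed 's/^[0-9a-f]*  //' "$manifest" | sort > "$tmp"
    new=$(find "$dir" -type f | sort | comm -23 - "$tmp")
    rm -f "$tmp"
    if [ -n "$new" ]; then
        rc=1
        printf '%s\n' "$new" | sed 's/^/NEW /'
    fi
    return $rc
}
```

Run `make_baseline /bin /media/cdrom/bin.sha256` once from a clean system, then `verify_baseline /bin /media/cdrom/bin.sha256` after any rkhunter warning to see exactly which files differ.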
#4  04-10-2007, 10:03 PM
LQ Newbie, Registered: Dec 2005, Posts: 10
Did you work out what the "Line:" issue was about? We keep getting it but I can't find any such file.
#5  04-10-2007, 10:19 PM
Member, Registered: Mar 2007, Location: 127.0.0.1, Distribution: OpenBSD-CURRENT, Posts: 485
You have root over sshv1 enabled. This is bad.
As for syslogd reporting bad, do you know if your distro runs a custom build (source-edited, not just a custom config) of syslogd? If it wasn't syslogd, I'd think nothing of it, but since it's your system logger (could be modified to not trace the attacker in your logs), I'd be worried. I'm not saying do a complete reinstall, but definitely look into it!
Did you use your distro's repository to install rkhunter and chkrootkit? If so, I'd be even more worried.
I'm not telling you this is necessary, but I'm paranoid enough for that to convince me to reinstall (and make sure remote root login via ssh is disabled and sshv2 is configured to be the only version allowed).
One thing you can do in the future is install syslogd from stock, then download the source and modify it to use another configuration file. Create a new configuration file in a weird location, set syslogd to log to a remote machine, and then recompile/reinstall syslog. If you can, put the "real" config file on a read-only filesystem, such as a CD or DVD.
Yes, it's security through obscurity, I realize this. But if you leave the original config file alone then many attackers will check it and think you aren't using remote logging, when in fact you are. Then you can routinely check your remote logs and know when something is up.
Of course, this doesn't help much when the attacker has root access, but it's a start.
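The two sshd settings behind rkhunter's "Root login possible" and "SSH v1 allowed" warnings, which #5 says to fix, can be audited from sshd_config directly; this is an added example, not from the thread, with my own function names and constructed sample configs. It assumes an OpenSSH-style config without Match blocks and treats a missing directive as the permissive default of OpenSSH of that era (PermitRootLogin yes, Protocol 2,1).

```shell
# Added example, not from the thread: audit sshd_config for the two rkhunter
# findings above and show the weak setting beside the corrected one.

# Print the effective value of directive $2 in config $1 (first uncommented
# match wins, as in sshd), or the default $3 if it is not set.
# Assumption: no Match blocks, so the first match is the global value.
sshd_value() {
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# Print one line per weak setting; return 0 if clean, 1 otherwise.
audit_sshd_config() {
    rc=0
    root=$(sshd_value "$1" PermitRootLogin yes)     # assumed default: yes
    proto=$(sshd_value "$1" Protocol 2,1)           # assumed default: 2,1
    # Anything but "no" lets root authenticate over the network
    # (without-password still allows root with a key).
    case "$root" in
        no) ;;
        *) echo "PermitRootLogin $root: root login possible, set PermitRootLogin no"; rc=1 ;;
    esac
    # Protocol is a comma-separated preference list; a "1" anywhere allows v1.
    case ",$proto," in
        *,1,*) echo "Protocol $proto: SSH v1 allowed, set Protocol 2"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs for demonstration (not from any real host).
write_weak_config() {   # the state rkhunter complained about
    cat > "$1" <<'EOF'
#PermitRootLogin yes     <- commented out, so the default (yes) applies
Protocol 2,1
PasswordAuthentication yes
EOF
}
write_fixed_config() {  # the state #5 recommends
    cat > "$1" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
EOF
}
```

After editing the real /etc/ssh/sshd_config, run `sshd -t` to syntax-check it and restart sshd from a session you keep open until a fresh login works.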
#6  04-16-2007, 07:45 PM
Member, Registered: Mar 2007, Posts: 119
What you say is quite true - but it extends to all software and all operating systems.
So, it does become a matter of trust.
Open source allows for a higher trust level, and one assumes the more eyeballs on the code the less likely some malware will slip in there, though of course it is still possible, just less likely than closed source.
Most developers will generate a hash against their source files, so you can check for that, and of course that makes it harder for a third party to install malcode, though yet again not impossible.
Tripwire and other hashing software act as a good indication if you have been compromised, once you assume the system at start is clean, but really if you want to take security seriously you have to subscribe to the various security alert sites.
cert.org is a quite good one.
Just remember though that if someone cracks into your system you do have legal recourse in most countries, and the penalties if found guilty are getting quite stiff now.