LinuxQuestions.org
Forums > Linux Forums > Linux - Security
Old 01-22-2005, 05:09 PM   #1
firedance
Member
 
Registered: Dec 2003
Location: Sweden
Distribution: Arch Linux
Posts: 65

Rep: Reputation: 15
viruses?


Well, I just came to think about how I would know if I had a virus on Linux.
I'm quite sure I wouldn't.

I started to think that my user doesn't have that much access to make a virus effective, but then I think: I enter the root password many times every day, when installing, changing settings etc. Couldn't the virus just look at what I type, like a keylogger? Or if what I am installing is a virus, how could I know? I know nothing about Linux security. Maybe there is a virus installed by default in my dist that nobody has noticed; how could I know? How could I secure my system? Somebody could have switched my kernel, so now I'm running 2.6.10-1.741_FC3.virus instead of 2.6.10-1.741_FC3.stk16, but of course it is named as my kernel. I always thought that Linux was much more secure than Windows, just because everybody says it is. But how could I know? I know nothing about Linux security; Linux could be a virus itself and I wouldn't notice.
 
Old 01-22-2005, 06:25 PM   #2
HolyCoitus
LQ Newbie
 
Registered: May 2004
Location: Fort Wayne, Indiana
Distribution: Gentoo and Debian
Posts: 4

Rep: Reputation: 0
On Linux, what would be called a Virus in Windows would be more likely called a rootkit. chkrootkit and rkhunter are good programs for checking to see if you have a rootkit installed.

http://www.rootkit.org/
http://www.chkrootkit.org/

If you're interested in actively scanning for malicious traffic or possible intrusions, I would say to check out an IDS or integrity checker. Tripwire and Snort are two of the more popular choices to my knowledge. Tripwire will check your files to see if they have changed while Snort is great for scanning active traffic.

http://www.tripwire.org/
http://www.snort.org/

Hopefully this is the kind of thing you're interested in.
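The "check your files to see if they have changed" idea behind Tripwire, as an added example that is not part of the thread and not Tripwire's or rkhunter's own code: a minimal baseline/verify pair in POSIX sh. It assumes GNU or busybox coreutils (sha256sum, find -print0, sort -z, xargs -0r); the directory contents in the demo are constructed for illustration, and paths containing whitespace are not handled by the awk comparisons.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal Tripwire-style integrity
# checker. baseline() records the SHA-256 of every regular file under a
# directory; verify() re-hashes the tree and reports ADDED / REMOVED /
# MODIFIED paths against that baseline. Assumes GNU/busybox coreutils
# (sha256sum, find -print0, sort -z, xargs -0r). Paths containing
# whitespace are not handled by the awk comparisons below.

# baseline DIR OUTFILE : write sorted "hash  ./path" lines to OUTFILE
baseline() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0r sha256sum ) > "$2"
}

# verify DIR BASEFILE : print differences; exit 0 if none, 1 otherwise
verify() {
    dir=$1 base=$2 rc=0
    cur=$(mktemp)
    baseline "$dir" "$cur"
    # Every path in the baseline must still exist with the same hash.
    while read -r hash path; do
        newhash=$(awk -v p="$path" '$2 == p { print $1; exit }' "$cur")
        if [ -z "$newhash" ]; then
            echo "REMOVED  $path"; rc=1
        elif [ "$newhash" != "$hash" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$base"
    # Every path present now must have been in the baseline.
    while read -r hash path; do
        awk -v p="$path" '$2 == p { found = 1 } END { exit !found }' "$base" \
            || { echo "ADDED    $path"; rc=1; }
    done < "$cur"
    rm -f "$cur"
    return "$rc"
}

# Stand-alone demo on a constructed directory: baseline it, tamper, re-verify.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); b=$(mktemp)
    printf 'hello\n' > "$d/bin1"; printf 'world\n' > "$d/bin2"
    baseline "$d" "$b"
    printf 'backdoored\n' > "$d/bin1"; rm "$d/bin2"; printf 'new\n' > "$d/bin3"
    verify "$d" "$b"   # prints MODIFIED ./bin1, REMOVED ./bin2, ADDED ./bin3
    rm -rf "$d" "$b"
fi
```

Run it as `sh integrity.sh demo`. Two caveats a real deployment needs: the baseline file must live somewhere the attacker cannot rewrite (read-only media or another host), since a root-level intruder will otherwise just re-baseline after tampering; and a hash mismatch is evidence, not proof, of compromise: a package upgrade, or prelink rewriting ELF binaries on Fedora, changes hashes too, so confirm against the package manager's own records (for example `rpm -V`) before concluding a file was trojaned.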
 
Old 01-22-2005, 07:50 PM   #3
firedance
Member
 
Registered: Dec 2003
Location: Sweden
Distribution: Arch Linux
Posts: 65

Original Poster
Rep: Reputation: 15
Perfect! Thanks!
---
hmm
Code:
 rkhunter --checkall --quiet
Line:
                                                 [ BAD ]
Line: \033[49C[ BAD ]
                                                 [ BAD ]
Line: \033[49C[ BAD ]
                                                  [ BAD ]
Line: \033[50C[ BAD ]
                                              [ BAD ]
/usr/sbin/prelink: "/usr/bin/groups" is not an ELF file

Line: \033[46C[ BAD ]
                               [ Warning! ]
Line: \033[31C[ Warning! ]
Watch out Root login possible. Possible risk!
Line: Watch out Root login possible. Possible risk!
                         [ Warning (SSH v1 allowed) ]
(other scan with only bad parts)
Code:
   /bin/egrep                                                [ BAD ]
   /bin/fgrep                                                 [ BAD ]
   /bin/grep                                                  [ BAD ]
/sbin/syslogd                                              [ BAD ]   

Scanning for hidden files...                               [ Warning! ]
---------------
 /dev/.udev.tdb /etc/.pwd.lock
/etc/.fstab.hal.e
/etc/.fstab.hal.4
/etc/.java

MD5
MD5 compared: 43
Incorrect MD5 checksums: 4

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 1
OK, does this mean that I'm OK even if 4 MD5 checksums are wrong?


Last edited by firedance; 01-22-2005 at 08:15 PM.
 
Old 04-10-2007, 10:03 PM   #4
joelunch
LQ Newbie
 
Registered: Dec 2005
Posts: 10

Rep: Reputation: 0
Did you work out what the "Line:" issue was about? We keep getting it but I can't find any such file.
 
Old 04-10-2007, 10:19 PM   #5
rocket357
Member
 
Registered: Mar 2007
Location: 127.0.0.1
Distribution: OpenBSD-CURRENT
Posts: 485
Blog Entries: 187

Rep: Reputation: 74
You have root over sshv1 enabled. This is bad.

As for syslogd reporting bad, do you know if your distro runs a custom (source-edited, not custom-config) build of syslogd? If it wasn't syslogd, I'd think nothing of it, but since it's your system logger (it could be modified to not trace the attacker in your logs), I'd be worried. I'm not saying do a complete reinstall, but definitely look into it!

Did you use your distro's repository to install rkhunter and chkrootkit? If so, I'd be even more worried.

I'm not telling you this is necessary, but I'm paranoid enough for that to convince me to reinstall (and make sure remote root login via ssh is disabled and sshv2 is configured to be the only version allowed).

One thing you can do in the future is install syslogd from stock, then download the source and modify it to use another configuration file. Create a new configuration file in a weird location, set syslogd to log to a remote machine, and then recompile/reinstall syslog. If you can, put the "real" config file on a read-only filesystem, such as a CD or DVD.

Yes, it's security through obscurity, I realize this. But if you leave the original config file alone then many attackers will check it and think you aren't using remote logging, when in fact you are. Then you can routinely check your remote logs and know when something is up.

Of course, this doesn't help much when the attacker has root access, but it's a start.
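The two rkhunter findings above (root login possible, SSH v1 allowed) both come from sshd_config. As an added example that is not from the thread and not rkhunter's own check, here is a small sh audit that applies the OpenSSH rule that the first non-comment occurrence of a keyword wins. It assumes that an absent PermitRootLogin meant "yes" on OpenSSH releases of that era (the default only became prohibit-password in OpenSSH 7.0), and it does not model Match blocks; the configs in the demo are constructed, not the poster's real file.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for remote root
# login and SSH protocol 1. Assumes the OpenSSH rule that the FIRST
# occurrence of a keyword wins and that an absent PermitRootLogin meant
# "yes" on OpenSSH releases of that era. Match blocks are not modelled.

# sshd_setting FILE KEYWORD : first non-comment value for KEYWORD, lowercased
sshd_setting() {
    awk -v k="$2" 'tolower($1) == k { print tolower($2); exit }' "$1"
}

# audit_sshd_config FILE : print findings; exit 0 if clean, 1 if weak
audit_sshd_config() {
    f=$1 rc=0
    root=$(sshd_setting "$f" permitrootlogin)
    case "${root:-yes}" in
        no) ;;
        prohibit-password|without-password|forced-commands-only)
            echo "WARN: PermitRootLogin $root still allows key-based root login" ;;
        *)  echo "BAD: PermitRootLogin ${root:-unset (defaults to yes)}: remote root login possible"
            rc=1 ;;
    esac
    proto=$(sshd_setting "$f" protocol)
    case "$proto" in
        *1*) echo "BAD: Protocol $proto allows SSH v1"; rc=1 ;;
    esac
    return "$rc"
}

# Stand-alone demo with constructed configs: the weak one, then the fixed one.
if [ "${1:-}" = "demo" ]; then
    weak=$(mktemp); fixed=$(mktemp)
    cat > "$weak" <<'EOF'
# settings that produce the two rkhunter warnings
Protocol 2,1
PermitRootLogin yes
EOF
    cat > "$fixed" <<'EOF'
Protocol 2
PermitRootLogin no
EOF
    audit_sshd_config "$weak"    # two BAD lines, exit status 1
    audit_sshd_config "$fixed"   # no output, exit status 0
    rm -f "$weak" "$fixed"
fi
```

Run it as `sh sshd-audit.sh demo`, or `audit_sshd_config /etc/ssh/sshd_config` after sourcing the file. The fixed config is the one the post recommends: `Protocol 2` only, `PermitRootLogin no`, and log in as an unprivileged user and escalate. For the remote-logging suggestion, sysklogd's syntax for shipping everything to another host is a line such as `*.*  @loghost` in the configuration file; the obscurity trick in the post only changes where that file is read from, so the log host itself still has to be one the intruder cannot reach.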
 
Old 04-16-2007, 07:45 PM   #6
Zention
Member
 
Registered: Mar 2007
Posts: 119

Rep: Reputation: 16
What you say is quite true - but it extends to all software and all operating systems.

So, it does become a matter of trust.

Open source allows for a higher trust level, and one assumes that the more eyeballs there are on the code, the less likely it is that some malware will slip in there, though of course it is still possible, just less likely than with closed source.

Most developers will generate a hash against their source files, so you can check for that, and of course that makes it harder for a third party to install malcode, though yet again not impossible.

Tripwire and other hashing software act as a good indication if you have been compromised, once you assume the system at start is clean, but really if you want to take security seriously you have to subscribe to the various security alert sites.

cert.org is quite a good one.

Just remember though that if someone cracks into your system you do have legal recourse in most countries, and the penalties if found guilty are getting quite stiff now.
 