51 Comments
- dj_sea2005, on 10/12/2007, -0/+18: The description sounds like a really bad pop-up advert.
- muyuu, on 10/12/2007, -1/+18: If you have the permissions, you can do whatever to your Linux system. You can even compromise it.
- traherom, on 10/12/2007, -4/+19: Linux is typically _less_ susceptible, not invulnerable.
- gbeirne, on 10/12/2007, -1/+14: It's the over-zealous punctuation that sells it to me.
- adml_shake, on 10/12/2007, -2/+13: All it takes is time... money... and *****.
- muyuu, on 10/12/2007, -2/+10: That would be dog slow. The same can be achieved by creating a read-only partition.
Both are overkill IMO. Just don't install crap from untrusted sources. It's not like Windows, where going to a webpage can get you infected... or receiving a message in Outlook without even opening it. If you run Linux sanely (i.e. not as root) you will have to grant permission explicitly to compromise the system.
- LucasOman, on 10/12/2007, -1/+8: It would be funny if this actually had a rootkit in it!!!!?
- Agret, on 10/12/2007, -2/+8: wtf? Your ISP doesn't like encryption? I think it's time you changed ISP.
- bobbob1016, on 10/12/2007, -9/+13: Same as with OSX, it can't be compromised without the user saying "OOOOOHHHHH FREE SCREENSAVERS!!!!!!! OMG!!!!!!! SURE I'LL TYPE MY ADMIN PASSWORD!" or something like that.
- shreevatsa, on 10/12/2007, -1/+5: Firstly, the package rkhunter seems to be much more thorough than this chkrootkit. You might as well check with both. On Debian or Ubuntu, the instructions are much simpler than those on the page:
sudo apt-get install chkrootkit rkhunter
sudo chkrootkit
sudo rkhunter --check
That's it!
- Buelldozer, on 10/12/2007, -0/+3: If you are sitting behind a NAT device, which most people are, you don't need another firewall installed on a *nix machine (like Ubuntu). The exterior, hardware, firewall handles those duties. BTW, Ubuntu doesn't install a firewall by default.
If you ever want to know what ports your computer is "listening" on you just need to drop to a command line and issue "sudo netstat -a". However, as long as your exterior hardware firewall is blocking inbound connections it really doesn't matter what your box is listening to, assuming of course that your Ubuntu box is the only thing on your LAN.
As for A/V, again if all you're using is UBUNTU (*nix) you really don't need it. If you are doing fileshares against a Windows box then you should set up CLAM A/V or something similar to scan those files.
In the end *nix is more secure than Windows for several reasons. First it simply will not execute the most prevalent "baddies" out there, the Windows ones. Second, it has much more restrictive file permissions than Windows does. Third, the user, by default, is not running in "administrator" or "root" mode, which limits the executable privileges of software attempting to run.
- malkav, on 10/12/2007, -2/+5: @asshate
Even if you do that, an attacker could still patch the kernel on disk or modify /dev/kmem directly
but anyway I agree with others, this is retarded
- kanenas.net, on 10/12/2007, -1/+4: Did you notice that...
ATTENTION !!! DO NOT install chkrootkit on your system and simply run it periodically.
An attacker may simply find the installation and change it so that it doesn't detect his presence.
Compile it and put it on removable or read-only media.
????
- Buelldozer, on 10/12/2007, -0/+3: 1 setup and 1 way to do everything? Oh how I am laughing at you right now...
Here's an example to disprove your myth...
Start > Settings > Control Panel > Display > Background
or
Rt Click desktop > Properties > Background
Don't ask me about Networking, File Management, or Sound settings either. ;-)
- embeem, on 10/12/2007, -2/+5: Checking for a rootkit from within an exploited system is useless; once the system is compromised you can't trust anything done from within it, period.
See "Reflections on trusting trust" for a good example
http://www.acm.org/classics/sep95/
GreatBunzinni: There are bugs in various programs that can give attackers root access, and once in they will often install a rootkit. The concept that you have to "knowingly install it as root" is false, in the sense that the root that installed the rootkit might not be the actual system administrator.
- Hydraulix, on 10/12/2007, -1/+3: Rkhunter is better.
http://www.rootkit.nl/
- Drizzit, on 10/12/2007, -0/+2: Only attempt to remove a rootkit if you know you're smarter than the guy that rootkitted you. Otherwise cut your losses and reformat.
- Egoist, on 10/12/2007, -0/+2: @mooninite: You really have no idea what you're talking about, do you?
A rootkit would typically be installed on a Linux box after an intruder has gained root access to your system to clear their tracks and allow easy access on return. These are different than Sony-esque "rootkits."
- willcode4beer, on 10/12/2007, -0/+2: omg, I'm so l33t that I remapped the caps-lock key to be the control key.
- richbradshaw, on 10/12/2007, -2/+3:
#chkrootkit | grep infected
Checking `basename'... not infected
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `netstat'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `w55808'... not infected
Checking `scalper'... not infected
Checking `slapper'... not infected
Phew!
If you want to be extra careful then you should run this from a live CD or other read-only medium, else a hax0r could modify your installation to make this not pick up any rootkit they placed there.
- miaow, on 10/12/2007, -0/+1: Thanks Buelldozer for the great reply.
The only thing I am confused about is that I read Ubuntu's default firewall is libtables(??) and that Firestarter is just the GUI if they want to view it easily. Anyhow, I take your point that a 'hardware' firewall is the best for any computer.
I suppose it's a case of getting used to the terminology again, like I once had to with Windows. I feel it could be easier though. I see Ubuntu has rkhunter installed but I haven't a clue how to run it.
I'm also reading that using tools from a live CD (like Knoppix) is a good option for checking out the hard drive every once in a while.
Thanks again for the good explanation.
- miaow, on 10/12/2007, -0/+1: As an Ubuntu newbie, it needs to be made much clearer as to how we can secure our PCs. I'm not convinced by all the talk about Linux being safer. This is the sort of talk a hacker wants to read. Ubuntu has a Windows 95 security feel to me, where everything is too trusting and open. For instance if you install Opera, suddenly the firewall is compromised??? I dunno, but I read installing unofficial software means that port can be listened to.
Everyone was going on about Apple and Firefox being more secure (which I don't believe) and this week we have umpteen patches for QuickTime. Any hacker will always want to read about people going on about a brand being secure.
Ubuntu needs simple anti-virus software installed (Aegis vanishes for me when I try and install it) along with a firewall that works basically like ZoneAlarm or whatever. Newbie Ubuntu users are likely the easiest new target on the net (I'm guessing) although dumb Windows users who have no idea about security are probably still the main target for fraudsters.
Not sure how right or wrong I am, but this is how it feels.
- c0uchm0nster, on 10/12/2007, -1/+2: You know how Windows machines download like 5 patches every 4 weeks that say "which allowed remote code execution"? Well, bugs like that affect Linux apps as well - the difference is they get patches in a few hours in most cases versus a few months. No one needs a root password to gain root-like (or better) permissions - that's just the most obvious and consistent route to it.
- UnderLoK, on 10/12/2007, -0/+1: Yes I know how to use man and --help, but the point of a howto is for it to be done as you would a procedure. You treat the reader as a complete idiot.
- hyperfocal, on 10/12/2007, -0/+1: Knoppix STD (Security Tools Distribution, not the other kind of STD) is a live CD full of security tools including chkrootkit.
http://S-T-D.org
- Egoist, on 10/12/2007, -2/+3: embeem's correct. Restoring a system from trusted backups is the only real solution if you know your system's been compromised. On production servers, I create mirrors of the system after major configuration changes (typically after a new kernel or recompile of MySQL/PHP/Apache) and then if there's a problem, I do a dump from the DVD back to the system, then restore all recent data from backups and I'm up and going within an hour. I've only done this for hardware failures as no server I've managed in the last 5 years or so has been rooted.
No sysadmin worth their bits would trust any sort of rootkit sniffer to make their boxes secure again.
- Agret, on 10/12/2007, -1/+2: "Having in mind that the supposed rootkit checker claims it checks utilities that are part of the GNU binutils toolkit, who in their right mind will install them from a non-trustworthy source? There isn't even a need to reinstall them because they are installed by default."
Uhh, that's the point: if they get compromised you'll never know and never re-install them. The tool checks to see if they have been infected, duhhhh.
- inactive, on 10/12/2007, -1/+2: It's a big jump from scripting loadable modules to stealth hacks via kmem.
- embeem, on 10/12/2007, -2/+3: It just occurred to me that most of the people reading this story have absolutely no idea what a rootkit is besides the DRM/anti-piracy crap that Sony was in the news for a few months back.
A rootkit is the generic term for software that is installed (traditionally by an intruder, more recently by large corporations) to hide their presence/activity on the system, and often to give them a backdoor into the system again, even after the original bug that gave them access is patched. It's not uncommon to see the intruders patch the original holes themselves to prevent any other intruders from gaining access to the system, particularly when the infected system is used to distribute pirated content.
- Agret, on 10/12/2007, -1/+2: "It just occurred to me that most of the people reading this story have absolutely no idea what a rootkit is"
Don't worry, those won't be the people that are running Linux. Anyone with the skills to install Linux would definitely know what a rootkit is.
- richbradshaw, on 10/12/2007, -1/+1: Well, just type chkrootkit in bash and you are done. chkrootkit is available from the repositories so no need to compile from source unless you are paranoid (which you prob should be about rootkits :) ). That's it...
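The `chkrootkit | grep infected` run pasted above only shows the `not infected` lines, because chkrootkit prints hits in upper case and grep is case-sensitive by default. The following parser is an added example (not code from the article or from any commenter) that buckets each `Checking ...` line by its verdict instead; the sample output is constructed, and its INFECTED and Warning lines are invented to exercise the code.

```python
"""Bucket chkrootkit output by verdict.  A case-sensitive `grep infected`
only matches the "not infected" lines; real hits are printed as INFECTED."""
from __future__ import annotations

import re
from collections import defaultdict

# Matches the per-test lines: Checking `name'... verdict
CHECK_RE = re.compile(r"^Checking `(?P<name>[^']+)'\.\.\.\s*(?P<verdict>.*)$")


def classify(line: str) -> tuple[str, str]:
    """Return (category, test name) for one line of chkrootkit output."""
    m = CHECK_RE.match(line.strip())
    if not m:
        return ("other", line.strip())
    name, verdict = m.group("name"), m.group("verdict")
    if verdict == "not infected":
        return ("clean", name)
    if verdict.startswith("INFECTED"):      # some checks append detail after INFECTED
        return ("infected", name)
    if verdict.lower().startswith("warning") or "hidden" in verdict.lower():
        return ("warning", name)
    return ("other", name)


def summarize(output: str) -> dict[str, list[str]]:
    """Group test names by category for a whole chkrootkit run."""
    buckets: dict[str, list[str]] = defaultdict(list)
    for line in output.splitlines():
        if line.strip():
            category, name = classify(line)
            buckets[category].append(name)
    return dict(buckets)


# Constructed sample: the INFECTED and Warning lines are invented for the demo.
SAMPLE = """\
Checking `basename'... not infected
Checking `ls'... INFECTED
Checking `netstat'... not infected
Checking `lkm'... Warning: Possible LKM Trojan installed
Checking `sshd'... not infected
"""

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for category in ("infected", "warning", "clean"):
        print(f"{category:9s}{result.get(category, [])}")
```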
- GreatBunzinni, on 10/12/2007, -2/+2: That's what popped up in my mind when I read the site. To install rootkits on a Linux system you must knowingly install it as root. If you only install software from your Linux distribution's repositories then I doubt there is a risk associated with it.
Having in mind that the supposed rootkit checker claims it checks utilities that are part of the GNU binutils toolkit, who in their right mind will install them from a non-trustworthy source? There isn't even a need to reinstall them because they are installed by default.
- socket, on 10/12/2007, -1/+1: Worst how-to ever.
- zeio, on 10/12/2007, -0/+0: I wouldn't recommend this method: I would recommend using Knoppix Live CD or something similar, then running both chkrootkit and a full ClamAV scan. It is hard to detect rootkits if the kernel has rootkit modules loaded, or in the case of one box I cleaned the init program was the source of infection. This method can also be useful to run Clam on Windows systems, but I prefer running BartPE or ERD boot discs and running the win32 douching utilities.
- t0k0l0sh, on 10/12/2007, -0/+0: @malkav
The risk of attacks on /dev/kmem and various other similar methods commonly used to load LKM (Linux Kernel Module) trojans and other nasty code can be mitigated by
A) compiling a monolithic kernel (no loadable module support)
or even better,
B) compiling a GR-Security-patched kernel (www.grsecurity.net)
See http://www.grsecurity.net/features.php for a complete list of abilities/features this patch provides.
- mooninite, on 10/12/2007, -3/+2: It would be extremely unlikely to get a rootkit on a GNU/Linux machine. In order to be installed you would have to be dumb enough to allow it by giving away your password, and it would have to be a kernel module - which I don't think the kernel module ABI allows giving god-like powers to modules.
Marked as lame.
- inactive, on 10/12/2007, -1/+0: Personally I prefer hacking x86 Linux to any other OS. Granted this is more preference than anything but it is definitely the platform that the majority of security research has been done on. Also most certainly the easiest platform to write shellcode on with int 80 and all. As for chkrootkit I have used it in the past but would hardly call it a failsafe check.
- UnderLoK, on 10/12/2007, -3/+2: This is a good thing to know, but the howto is short on detail for users that are clueless.
- shakeyshakey, on 10/12/2007, -2/+0: I thought you have the "MOST SECURE OS EVA OMG, WINDOW$ BLOWS"
anyway not a bad article, but no digg since the Linux fanboys are firing a machine gun of articles these days.
- Haiyadragon, on 10/12/2007, -3/+0: Make sure nobody on the computer has an extremely simple password or don't have ssh enabled for all users. I made that mistake and my ISP wasn't too happy with the number of outgoing encrypted connections.
- c0uchm0nster, on 10/12/2007, -4/+1: "Anyone with the skills to install Linux". Yes, those m4d h4x0r skillz needed these days to click the next button a few times and type in your name or a nickname.
That's right folks, once you finally do have "desktop Linux" you're going to have to deal with a flood of all the retarded folks doing retarded things. Only now it's going to be on Linux which has 8 million different setups and 8 million ways to do one thing, whereas Windows only has 1 setup and 1 way to do everything.
- redneckblues, on 10/12/2007, -7/+2: Glad to see Sony's embracing open-source!
- richbradshaw, on 10/12/2007, -7/+2: Umm..
- inactive, on 10/12/2007, -8/+2: Compile a static kernel, have a copy of /sbin and /bin on a cdrom.
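A copy of /bin and /sbin on a CD only helps if it is actually compared against the live system, and (as embeem and kanenas.net point out above) that comparison should run from a live CD rather than from the possibly compromised kernel. The script below is an added example, not code from the thread: it hashes a trusted tree and the live tree and reports replaced, missing and planted files. The demo builds two throwaway directories under a temp path instead of reading the real /bin, so their file names and contents are constructed, and the `/media/cdrom/bin` mount point in the comment is an assumption.

```python
"""Diff the live /bin and /sbin against a trusted copy on read-only media.
Run it from a live CD: a kernel-level rootkit can lie to a booted system."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each regular file (relative path) under root to its SHA-256."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare(trusted: dict[str, str], live: dict[str, str]) -> dict[str, list[str]]:
    """Report replaced binaries, binaries removed from the live system, and
    files present only on the live system (a planted binary shows up here)."""
    return {
        "modified": sorted(f for f in trusted if f in live and live[f] != trusted[f]),
        "missing": sorted(f for f in trusted if f not in live),
        "added": sorted(f for f in live if f not in trusted),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario in a temp dir: `ls` replaced, `bindshell` dropped in."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted, live = Path(tmp, "cdrom_bin"), Path(tmp, "live_bin")
        for tree in (trusted, live):
            tree.mkdir()
            for name in ("ls", "ps", "netstat"):
                (tree / name).write_bytes(b"ELF-" + name.encode())
        (live / "ls").write_bytes(b"ELF-ls-trojaned")      # tampered binary
        (live / "bindshell").write_bytes(b"ELF-bindshell")  # file not on the CD
        return compare(hash_tree(trusted), hash_tree(live))


if __name__ == "__main__":
    # Real run (assumed mount point): compare(hash_tree(Path("/media/cdrom/bin")), hash_tree(Path("/bin")))
    for kind, files in demo().items():
        print(f"{kind:9s}{files}")
```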
- brandonking, on 10/12/2007, -8/+1: OMG A ROOTKIT ONLY COMES FROM SONY BECAUSE THEY MADE BETAMAX AND WANT TO FORCE EVERYONE TO VOTE FOR THEM IN THE MEMORYSTICK VERSUS XD CARD WARS. I DON'T HAVE TO WORRY BECAUSE I GOT A MAC RUNNING LINUX SO I HAVE NO PROBLEMS LOLOLOL. I USE THIS COMPUTER BECAUSE IT CANT GET INFECTED. THAT AND WITH THE MASSIVE HEAD TRAUMA IT MEANS I NEED THINGS MY MOM CALLS 'SLOWER'.
- tuxuser, on 10/12/2007, -9/+2: First off, Linux is a fortress, you can't touch it.
- spc2226, on 10/12/2007, -9/+1: Lame
- Yaroslav, on 10/12/2007, -9/+1: [ok this is lame]
- cwcheang, on 10/12/2007, -15/+5: that's why the ;-) face is down there... duh..
- DaffyDuck, on 10/12/2007, -13/+1: ...