Detecting Rootkits In GNU/Linux

ifl by stoolpigeon · 2006-12-18 08:21 · Score: 3, Informative

I think that there is room to mention the well known tools such as AIDA and TripWire and LogCheck.

--
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?

Re:ifl by Moby+Cock · 2006-12-18 08:39 · Score: 4, Informative

Most modern rootkits are kernel level and Trip Wire can not readily detect them. Nevertheless it is still useful to have at hand.
Re:ifl by stoolpigeon · 2006-12-18 08:44 · Score: 4, Funny

i have no idea. i've never used any of them. this is a joke gone completely wrong. i just copied and pasted the comment from over at tfa. hence my subject: ifl (it's funny laugh). i figured it'd end up troll, over-rated, but i got such a laugh out of doing it (sorry i'm easily amused) that i figured it was worth it. in what is a horrid twist of fate, i now feel bad for getting modded up.

--
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
Re:ifl by computational+super · 2006-12-18 09:05 · Score: 3, Insightful

You know, one of the things I'd like to do if I had more time and knew how to do it would be to create a bootable "system scan" disk. A rootkit could hide itself from tripwire et al, but it couldn't hide from a bootable CD. I guess you can sort of achieve the same effect with Knoppix with a bit of work, but it would be nice to have something that I could use to scan a machine for vulnerabilities without using the hard drive to boot at all.

--
Proud neuron in the Slashdot hivemind since 2002.
Re:ifl by Anonymous Coward · 2006-12-18 09:59 · Score: 3, Informative

Something like this?
Re:ifl by jamesh · 2006-12-18 12:21 · Score: 1

Never underestimate the ingenuity of a hacker... consider the following (theoretical) possibilities:

. The system could be almost completely restored on an orderly shutdown, leaving nothing detectable but a single hook (hide everything else in swap or unused sectors in filesystem)

. Even without an orderly shutdown, a rootkit could keep stuff in the unused parts of the harddisk all the time, the rootkit would take care of not overwriting it.

. MD5 hashes can be subverted, which means the above mentioned initial hook could hide (I believe this is only really useful if the hook was in the original package and you are turning it on by changing a single bit)

. The machine BIOS (or any other flash that is involved in the boot sequence) could be compromised with a VM based rootkit, meaning that anything booted by the BIOS could be undetectable (you'd need to take the disk out to find it)

. The harddisk firmware could be compromised, hiding the rootkit even if it was running in another machine (eg return zeros on read of the hidden rootkit sectors unless activated)

The solution to this of course is a hardware based 'trusted computing' environment. That way only the manufacturers and governments could install rootkits, and I'm sure we can all trust them! If the 'trusted' model itself was ever compromised though (and it would be), then we'd really be screwed.

But theory aside, you are correct. Almost all of the above would require an attack specifically targeted to you. And if someone wants to 0wn you that badly then they will, by network or by shotgun.

An offline validation would certainly be enough to satisfy me.
Re:ifl by physicsnick · 2006-12-18 19:36 · Score: 1

Don't feel bad. I laughed.
Re:ifl by bl8n8r · 2006-12-18 23:56 · Score: 1

Knoppix doesn't use the hard drive to boot. At all. You can take the hard drive out of your comp, put it in the microwave, and knoppix will still boot. It's that amazing.

--
boycott slashdot February 10th - 17th check out: altSlashdot.org
Re:ifl by in10d · 2006-12-19 00:28 · Score: 1

I think that there is room to mention the well known tools such as AIDA and TripWire and LogCheck.
It's AIDE.
Re:ifl by extern_void · 2006-12-19 03:53 · Score: 1

TripWire? kill me! Dont you know that (as said before) kernel level rootkits (known as LKM rootkits)
are coded to hide itself from such userland programs?
Common LKM rootkits are written in a way to hijack system calls (look: linux/syscall.h)
so, right before Tripwire and similar tools get in scene they already got hidden.
It is very trivial to code such rootkit.
Re:ifl by stoolpigeon · 2006-12-19 04:26 · Score: 1

um, read this maybe your viewing preferences have it buried.

--
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
Re:ifl by Jackmn · 2006-12-19 04:44 · Score: 2, Informative

. The system could be almost completely restored on an orderly shutdown, leaving nothing detectable but a single hook (hide everything else in swap or unused sectors in filesystem)
The only way to leave a 'hook' on any common setup is to modify the storage medium of the OS or modify the firmware of a piece of hardware. Both can be detected, and there's no way to prevent that.

MD5 hashes can be subverted, which means the above mentioned initial hook could hide (I believe this is only really useful if the hook was in the original package and you are turning it on by changing a single bit)
There is no known computationally viable way any decent hash can be 'subverted' in the manner you are implying. Changing a single bit will completely change the hash of a binary with any decent hashing algorithm. You're not going to be able to find a hash collision that provides you with a binary that is the same size as the one you are replacing and does everything you want.
Re:ifl by jamesh · 2006-12-19 09:55 · Score: 1

The only way to leave a 'hook' on any common setup is to modify the storage medium of the OS or modify the firmware of a piece of hardware. Both can be detected, and there's no way to prevent that.

But you can prevent it from being easily detected. Especially the theoretical BIOS VM kit I mentioned. If you can place the whole operating system inside a virtual machine, then it is virtually impossible to detect without taking the BIOS chip out and reading it offline. Any attempt to detect the compromise would be emulated by the VM and could tell the detection code that everything is fine. A long running timing attack could possibly detect it, but even that could be subverted in theory...

There is no known computationally viable way any decent hash can be 'subverted' in the manner you are implying. Changing a single bit will completely change the hash of a binary with any decent hashing algorithm. You're not going to be able to find a hash collision that provides you with a binary that is the same size as the one you are replacing and does everything you want.

Under MD5 there are some single bits that do not affect the outcome of the MD5 hash. The hack I was referring to was that you release a binary with your hook code already in there but sleeping, and then can activate it later by modifying a single bit in the binary that activates the hook. Kind of a long way of doing it, but possible and documented

Also, plug "MD5" and "Collision" into google and see what comes up. I think you might be surprised. I don't think MD5 is really recommended anymore though for exactly this reason, and other hashes are, as you are saying, a lot harder to subvert.
Re:ifl by Jackmn · 2006-12-19 13:31 · Score: 1

But you can prevent it from being easily detected. Especially the theoretical BIOS VM kit I mentioned.
Restoring the default firmware for hardware would be one of the first things done when a rootkit is suspected.

Under MD5 there are some single bits that do not affect the outcome of the MD5 hash.
Generating collisions is not that trivial. The only viable way to generate a MD5 collision involves creating both files involved. You cannot generate a same-size collision for a file that you did not specially craft for the purpose. In any realistic setup you don't have the luxery of being both the official distributer of the binaries a company or individual uses, and being the person implementing the rootkit. If you were both then you may as well just infect the official binaries and not worry about rootkits.
Re:ifl by jamesh · 2006-12-19 14:55 · Score: 1

Restoring the default firmware for hardware would be one of the first things done when a rootkit is suspected.

Assuming a sufficiently sophisticated VM based rootkit, it couldn't be done. Any attempt to write back to the firmware would be subverted. Any attempt to verify what was already there would pass as the rootkit would tell the verification utility exactly what it wanted to hear.

The only way to do it would be to physically remove the flash chip from the system and wipe it out of the box.

Generating collisions is not that trivial. The only viable way to generate a MD5 collision involves creating both files involved. You cannot generate a same-size collision for a file that you did not specially craft for the purpose. In any realistic setup you don't have the luxery of being both the official distributer of the binaries a company or individual uses, and being the person implementing the rootkit. If you were both then you may as well just infect the official binaries and not worry about rootkits.

True.
Re:ifl by Jackmn · 2006-12-19 22:57 · Score: 1

Assuming a sufficiently sophisticated VM based rootkit, it couldn't be done. Any attempt to write back to the firmware would be subverted
Any modern BIOS will let you overwrite the firmware no matter what, so your motherboard doesn't suddenly become unrecoverable when you hose the firmware.

This is... by Creepy+Crawler · 2006-12-18 08:23 · Score: 2, Informative

For starters, why you do NOT keep any sort of compiler on your machine.

It's rather difficult to load kernel obfuscation modules (like hiding processes and files) without header files and no compiler.

It'd be even better if you could make every program execute only (no reading) and hide /proc through something like NSASecurity setup. What they dont know, they cant do much with. Obfuscation, THEN security. Keep em guessing.

--

Mod parent up! by Anonymous Coward (Score:1) Thurs, Nov 31, @13:37

Re:This is... by Rosco+P.+Coltrane · 2006-12-18 08:27 · Score: 5, Informative

It's rather difficult to load kernel obfuscation modules (like hiding processes and files) without header files and no compiler.

I'll tell you a little secret: if you know the kernel version number and target architecture, you can build a module on another, totally different machine. Wow! 2007 technology man!

--
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Re:This is... by psycho8me · 2006-12-18 08:27 · Score: 5, Interesting

That may have been true 30 years ago when a compiler license cost thousands. If a person has write access to your system, they can just copy a compiler binary over.
Re:This is... by Anonymous Coward · 2006-12-18 08:49 · Score: 1, Interesting

"I'll tell you a little secret: if you know the kernel version number and target architecture, you can build a module on another, totally different machine. Wow! 2007 technology man!"

Not on my internet-facing servers. No compilers and hand-compiled monolithic kernel.
Re:This is... by seifried · 2006-12-18 08:54 · Score: 4, Interesting

Does root have access to /proc/kcore? If yes then an attacker with root access can modify the kernel in memory as needed. Heck there's even projects to bring this into the mainstream for carrier grade Linux (no need for those pesky reboots after a kernel upgrade): http://pannus.sourceforge.net/
Re:This is... by diegocgteleline.es · 2006-12-18 08:54 · Score: 3, Funny

Real men and real hackers write their programs in binary code, not in stupid and bloated assembler.
Re:This is... by Will2k_is_here · 2006-12-18 09:28 · Score: 1

Oh what's a Gentoo user to do?
Re:This is... by Anonymous Coward · 2006-12-18 09:37 · Score: 1, Funny

Cuz people who are looking to install rootkits on your computer are very respectful of copywrite law.
Re:This is... by piranha(jpl) · 2006-12-18 10:44 · Score: 1

No no, the real fruitbats disable the kernel module facility entirely. It could be used as a rootkit vector!
Re:This is... by gwait · 2006-12-18 12:30 · Score: 1

How would an unauthorized person get write access to my kernel or operating system files? I keep them all password protected, and I only allow root login on the console.

--
Bavarian Purity Law of Rice Krispie Squares: Rice Krispies, Marshmallows, Butter, Vanilla.
Re:This is... by gmack · 2006-12-18 13:49 · Score: 1

How would an unauthorized person get write access to my kernel or operating system files? I keep them all password protected, and I only allow root login on the console.

I do hope your joking but in case you aren't: Attackers gain access by exploiting bugs in either network daemons or web scripts to gain access to the machine. then if they aren't root already they try and find a local utility that can be used to elevate their privileges.
Just because it's Linux does not mean it's secure. If you have any network daemons enabled and your not on top of the security updates, or you run daemons with histories of security problems, you are at risk.
Re:This is... by gmack · 2006-12-18 13:56 · Score: 1

That's crap. The only way to keep people from installing back doors on your system is to keep up with your security updates and only run daemons with good reputations for security. I've seen backdoored glibc so the kernel isn't the only backdoor possibility.

If any of my clients comes to me telling me someone made root on their system my advice is always to backup the data and reformat. I had a guy once refuse my advice and ran several security scanners only to miss one and have his server shut down again a week later. Strangely enough, after that, he took my advice and reformatted.

Backdoor scanners are useless.
Re:This is... by Anonymous Coward · 2006-12-18 15:08 · Score: 0

I changed the number of arguments passed in register. Have fun linking with that.
Re:This is... by Anonymous Coward · 2006-12-18 16:14 · Score: 0

Why don't you just install your whole Operating System computer codes on a write-only drive. Then you wouldn't have to worry about hackers getting access to the computer codes.
Re:This is... by richie2000 · 2006-12-18 19:46 · Score: 1

Oh what's a Gentoo user to do? # emerge -C gcc

--
Money for nothing, pix for free
Re:This is... by Anonymous Coward · 2006-12-18 22:48 · Score: 0

Ofc it would help but ELFs do not need compiler and even with no kernel hack you still can hide the parasite from the admin.

P.S. *BSD and Gentoo would not benefit from this "trick" ;)
Re:This is... by permawired · 2006-12-19 04:23 · Score: 1

I'll tell you a little secret: if you know the kernel version number and target architecture, you can build a module on another, totally different machine. Wow! 2007 technology man!

Yea it's a good thing uname is a command no-one has ever heard of! oh shit... oops... sorry guys.
Re:This is... by gwait · 2006-12-19 09:42 · Score: 1

Point well taken, but I do wonder how often these kind of exploits actually happen in the wild on linux or on commercial unixen.
It's been a point of frustration to me to hear the "No system is secure, and people only write viruses for the number one OS" mantra,
and finally with Vista MS has set it up to actually recommend users only install as admin but run at user level privileges that has been
standard procedure in Unix for decades. XP has this potential, but many XP apps require write access to c:\windows to just operate.

I wonder if the Vista registry is still writable by all?

--
Bavarian Purity Law of Rice Krispie Squares: Rice Krispies, Marshmallows, Butter, Vanilla.
Re:This is... by gmack · 2006-12-19 10:43 · Score: 2, Insightful

Point well taken, but I do wonder how often these kind of exploits actually happen in the wild on linux or on commercial unixen.

Often enough. Exploits will be written for any OS that has a decent return on investment time wise. These days that means both Windows and Linux. You could actually see this in when the better architected OpenSSH became the standard for most Linux distros the move to Linux brought a bunch of new eyes to go over the code and a bunch of exploits got discovered in a really short time.

Linux isn't the only one of course a couple of years back I left a new FreeBSD install over night without locking it down and discovered a root kit waiting for me in the morning.

I used to get more calls than I get now though. The Linux vendors have improved a lot and removed crap like WuFTPd, sendmail and moved to the rewritten bind9. Those moves a have cut the attack vector and instead of system daemons being the main focus it's badly written web apps being used to gain a shell and then a local root exploit used to gain root.
The really fascinating thing is that I've seen custom PHP scripts get scanned for common programming mistakes and exploited

So all that to say basically Linux gets hit too it is better than Windows by a long shot but it's not perfect. Keep your distro patched.

Ah! No need for rootkit detector... by Rosco+P.+Coltrane · 2006-12-18 08:24 · Score: 4, Funny

... with the Internet Freedom Disk!

--
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash

Re:Ah! No need for rootkit detector... by Anonymous Coward · 2006-12-18 08:33 · Score: 2, Funny

... with the Internet Freedom Disk!
First it was "freedom fries," and now they've gone and corrupted what was once a perfectly fine Internet French Disk with their misplaced patriotism.

OSSEC HIDS by magmf · 2006-12-18 08:24 · Score: 2, Informative

I PREFFER OSSEC HIDS to do this. look www.ossec.net i think this is the most powerfull agent ever :)

--
Marcus Maciel(ScOrP|On) System/Network Administrator/Security Officer www.underlinux.com.br

Pish Posh by eno2001 · 2006-12-18 08:26 · Score: 5, Funny

It's GNU/Linux. Any hacker worth his salt doesn't want to bother with archaic OSes based on Unix. He wants the 1337 stylings of Windows Vista. No sense in rootkitting a *nix box. You can't do anything with a *nix box. But an army of zombie Vista PCs, now THAT is ULTIMATE POWER!

--
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o

Re:Pish Posh by mysqlbytes · 2006-12-18 08:37 · Score: 0

On the contrary, changing a few lines on a config could easily make a mail relay... an open mail relay, and unless the sysadmins are watching those logs, are see the network impact that server could be spamming millions of people daily.
That or its an entry point, into a company full of interesting information. High risk, but alot of smaller companies take risks in sending data through email every day.
Re:Pish Posh by eno2001 · 2006-12-18 08:59 · Score: 1

You missed the point entirely. With the super smooth graphics of Vista on desktop supercomputers, the hacker will be able to impress his friends with wicked screenshots of the hacked desktop themes he forced on unwilling users. "Oh ho!! So you think the "X" close widget is on the upper right of your window do you? We'll fix that... I'll just dig into Raster's Enlightement theme library and put it in the middle of the bottom of the window and make it a black button on a black background"! The sheer beauty of these hacks will cause females all over the world to drop their shorts and open wide.

Meanwhile the *nix weenie over there who is relaying two terabytes of spam per hour will still be a virgin.

--
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
Re:Pish Posh by Anonymous Coward · 2006-12-18 09:04 · Score: 0

So who's 1337 now? The guy getting laid nightly because of his hacked Vista theme virii or the *nix dweeb who is alone nightly save for his hand, some baby oil and photos of Natalie Portman? Bawhawhawhaw!!!
Re:Pish Posh by mysqlbytes · 2006-12-18 09:17 · Score: 0

Hey hey hey, no fair! I'm a linux dweeb, and I'm not home alone! Whats more impressive setting up your girlfriends companys website (LAMP simplicity, 5 minutes work, nixer at 200 Euro an hour) or fixing some spyware install on her friends virus riddled laptop?
Re:Pish Posh by Anpheus · 2006-12-18 16:34 · Score: 1

Fixing her best friend's computer is probably more likely to get you in bed with her than making a webserver.
Re:Pish Posh by nastybastard · 2006-12-19 05:58 · Score: 1

Ah, so that's why Microsoft named one of the flavors "Microsoft Windows Vista Ultimate".

Compiler is Irrelevant by brunes69 · 2006-12-18 08:28 · Score: 3, Informative

It's pretty trivial to just deduce what kernel the machine is running and build working binaries wherever you want. In fact it would be preferred, since a sysadmin is far more likely to notice a rogue gcc process sucking up CPU than a file transfer while the rootkit is being loaded.

Anyway - if the person has root on the box (which they need to install the rootkit anyway), then they can just ship up THEIR OWN COMPILER if they want to regardless.

Re:Compiler is Irrelevant by Creepy+Crawler · 2006-12-18 08:33 · Score: 0

Then I fail to understand: If you run a static kernel with NSA in, no compiler, no discernable way to tell the arch/version, and root removed (via NSA sec), how can you rootkit a machine? Hell, even BSD has apphend-only files for purposes of logfiles.
--
- Mod parent up! by Anonymous Coward (Score:1) Thurs, Nov 31, @13:37
Re:Compiler is Irrelevant by novus+ordo · 2006-12-18 09:17 · Score: 1

This is a good place to start. There are more ways to break into a house than there are doors.

--
"You're everywhere. You're omnivorous."
Re:Compiler is Irrelevant by profplump · 2006-12-18 09:26 · Score: 4, Insightful

First, let me introduce you to the file command, which can tell me all about your arch. Or failing that, less, or any other program than can read any binary on your system. Your binary executables necessarily include information about their format, including their architecture.
spaceheater ~ 0$ file /bin/bash
/bin/bash: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.0.0, dynamically linked (uses shared libs), not stripped

Second, why are you worried about compilers and version numbers if you're so sure people can't load modules anyway? What exactly are you trying to protect? There's something to be said for a minimalistic system, but you've yet to explain how having a compiler installed poses any sort of realistic security threat.
Finally, what's to keep someone from simply replacing your entire hand-complied, monolithic kernel? Even if you disable all the ways to do this without rebooting -- kexec() and /proc/kcore, probably among others -- they could always reboot the machine. Sure, you'd notice the reboot, but would you be able to detect their change after the reboot?
I'd also like to mention that OS-enforced append-only files are a poor substitute to logging to a hardware-enforced WORM drive, particularly if we're talking about rootkits. You're still fundamentally relaying on the OS to provide protection, which isn't reasonable when a rootkit has been installed.
Re:Compiler is Irrelevant by Hymer · 2006-12-18 09:33 · Score: 0

"Anyway - if the person has root on the box (which they need to install the rootkit anyway)..." afaik a rootkit is needed to get root... if you got root you don't need a rootkit, you are the almighty beeing on the box...
Re:Compiler is Irrelevant by Al+Dimond · 2006-12-18 10:43 · Score: 1

A rootkit isn't what you use to get root. It's what you use to keep root once you've got it. Typically a major component of keeping root is making sure that the people that don't want you to have root don't know you have it.
Re:Compiler is Irrelevant by hitchhacker · 2006-12-18 16:50 · Score: 1

Finally, what's to keep someone from simply replacing your entire hand-complied, monolithic kernel?

This reminds me of a certain rootkit that would copy its own kernel into your swap partition. On reboot the new kernel knows not to use that portion of the swap partition that is now currently occupied by the kernel.

How the hell are you supposed to detect this afterwords?! Oh yea, it would have to modify your boot configuration.. which is detectable.
Still neat though.

-metric
Re:Compiler is Irrelevant by Anonymous Coward · 2006-12-18 19:38 · Score: 0

> There's something to be said for a minimalistic system,
> but you've yet to explain how having a compiler installed
> poses any sort of realistic security threat.

Actually I've seen a lot of hosts compromised after ptrace etc. was compiled on the system, executed and root gained. A simple chmod 000 for gcc and it's brothers and sisters did wonders (assuming the rest of the system was up-to-date). So yes, it's a small thing but quite effective at least against script kiddies.
Re:Compiler is Irrelevant by Anonymous Coward · 2006-12-19 02:15 · Score: 0

You are totally right if you're defending against a good cracker.
If you're against a script kiddie that's trying to get the last
script before you patched the latest hole, then you're not. Any
trivial change will trip up the exploit.
Defense in depth coupled with low hanging fruit.

Why not just detect changed files? by banerjek · 2006-12-18 08:34 · Score: 0

If you have scripts to watch important files, it's easy to detect changes. The scripts do not need to live on the same machine or even be visible from there.

We use this braindead method to monitor our UNIX and Windows systems. It's easy enough to make sure that the detection scripts themselves aren't tampered with.

Re:Why not just detect changed files? by From+A+Far+Away+Land · 2006-12-18 10:01 · Score: 1

Isn't the point of a rootkit is to take over the file system to such an extent that virus activity is hidden from programs like scripts running on the kernel.

--
Oh You POS
Re:Why not just detect changed files? by banerjek · 2006-12-18 10:37 · Score: 0

Isn't the point of a rootkit is to take over the file system to such an extent that virus activity is hidden from programs like scripts running on the kernel

Absolutely. The alarms either need to be tripped off before too much damage is done. Having programs regularly investigate the integrity of files, who's doing what from where, etc makes it pretty hard to pull anything off without getting discovered. Obviously, this strategy is more difficult to employ if a large number of people could be doing a wide variety of tasks at a given time. However, security is much better when measures are based on what is normal for a system than it is by simply following best practices.
Part of security includes constantly verifying that the security measures themselves haven't been tampered with.
Worst case scenario is a compromise. That's what backups are for. All you have to do is know where you went wrong and history doesn't need to repeat itself. Hasn't happened to me yet [knock, knock]
Re:Why not just detect changed files? by TheGavster · 2006-12-18 13:58 · Score: 1

What is the point of a script that asks a compromised operating system about the files that compose it? One of the first things that a rootkit should do when it modifies the environment is ensure that whenever system files are queried, the response is the 'correct' one.

--
"Because Science" is one step from "Because old book". Try "Because of my experiment testing my falsifiable assertion".
Re:Why not just detect changed files? by banerjek · 2006-12-18 17:17 · Score: 1, Insightful

There is always a way to break in. But many crude security methods are reasonably effective.

A rootkit has to be pretty good to return the "correct" response. It needs to retain all previous file attributes, modify md5sum to return the correct hash, fake disk usage statistics, and do it all without causing any glitches on the system.

It is impossible to modify the environment without leaving some sort of trace. A rootkit needs to succeed before it can mask itself. The problem a rootkit faces is it cannot know the particulars of a machine in advance so it will not necessarily plan to most efficient attack. All it has to do is trip one alarm and it will be discovered. If programs scan sufficiently frequently, you can discover things quickly.

Logs on other systems cannot be erased -- only new entries can be screwed up (which is itself a clue). Communications with other machines can give clues. Manual monitoring is also very useful. The trick is to use a wide variety of tools to maintain security. While any one of them can be broken, it's hard to get them all.

Yes, but... by Darlantan · 2006-12-18 08:36 · Score: 5, Funny

You have your l33t ninja with his army of zombie Windows boxes... ...but how do they stack up to the *nix pirates, and their FTPs on the seven seas of the intarwebs? It's the classic clashes, modernized. Who has the REAL Ultimate Power?

--
Fill in your four or five-letter word of wisdom here _ _ _ _ _.

Re:Yes, but... by oldhack · 2006-12-18 12:49 · Score: 1

It all comes down to the tube qualities. Can't bypass the laws of tubic physics.

--
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
Re:Yes, but... by Shadow-isoHunt · 2006-12-18 13:27 · Score: 1

Mr. Rogers.

--
www.isoHunt.com

Read Only Drives by DigitalRaptor · 2006-12-18 08:38 · Score: 5, Interesting

I run Gentoo Linux servers for hosting email and websites, and have wanted a way to really secure the boxes.

Many hard drives have jumpers that make them read only.

I thought it would be great to have all of the rarely changed portions of the operating system on a separate drive set to read only.

The only time you would move the jumper to read-write would be when you were installing updates.

Things like: /tmp /var/log
etc

Would have to always be on a read-write drive.

But having things like /usr/bin on a read-only drive seems like an effective way to protect against many, many different root-kits, worms, etc.

What do you think? Feasible or impractical?

--
Lose Weight and Feel Great with Isagenix

Re:Read Only Drives by stoolpigeon · 2006-12-18 08:41 · Score: 1

can you flip them on the fly? if not, is the down time worth it?

--
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
Re:Read Only Drives by WaXHeLL · 2006-12-18 08:47 · Score: 1

Why would you want to flip it on the fly? I thought the parent thread's point was to get the OS setup and secured, and then hardware jumper it to read only.

All the relevant data and /var/tmp are placed on another *physical* drive.

--
The troll with karma.
Re:Read Only Drives by Darlantan · 2006-12-18 08:50 · Score: 2, Informative

You'd want to be able to flip it on the fly for OS updates. Otherwise, you're looking at pretty routine downtime -- which may or may not be an issue for you.

--
Fill in your four or five-letter word of wisdom here _ _ _ _ _.
Re:Read Only Drives by Ashtead · 2006-12-18 08:51 · Score: 1

I've seen CD-based distros that have / as read-only. That certainly is possible, and the Picotux 100 computers are also set up like that on delivery: a read-only / and a read-write /usr filesystem.
You probably want to make at least /tmp, /var, /home, /mnt, the swap space, and parts of /usr read-write. I am quite certain that this is possible.

--
SIGBUS @ NO-07.308
Re:Read Only Drives by DigitalRaptor · 2006-12-18 08:52 · Score: 1

Good question. I was always under the impression you could, though it would probably vary by vendor.

I was going to build a device that allowed me to switch between read-only and read-write remotely over TCP/IP or dial in (for servers in a data center).

This was 4 or 5 years ago and I was using Red Hat and security wasn't nearly as good (in any distribution).

I sleep better at night using hardened Gentoo, but if the read-only method were feasible I'd build it into my next server for sure and sleep even better.

--
Lose Weight and Feel Great with Isagenix
Re:Read Only Drives by turbidostato · 2006-12-18 08:53 · Score: 1

"Why would you want to flip it on the fly? I thought the parent thread's point was to get the OS setup and secured, and then hardware jumper it to read only"

Yeah, that's quite easy on a publicly exposed machine where almost weekly some security-concerning bug is found... specially talking about Gentoo as the OS of choice!
Re:Read Only Drives by Anonymous Coward · 2006-12-18 08:53 · Score: 0

Right, but now if you want to install a program or security update you have to power off, change jumper, power on, install, power off, reset jumper, power back on. This may or may not be worth it, particularily in the case of a security update.
Re:Read Only Drives by computational+super · 2006-12-18 08:56 · Score: 2, Funny

Yeah, there's a program you can run to flip them whenever you need to. I had to install it SUID root though.

--
Proud neuron in the Slashdot hivemind since 2002.
Re:Read Only Drives by chill · 2006-12-18 08:56 · Score: 4, Informative

Impractical, because it requires you to dedicate a drive to the stuff that can be mounted RO. Just mount the PARTITION read-only, instead.

If you have more than one machine, get a dedicated syslog server and send the logs from the other machines over to it. This way logs aren't on the main machines and it is much harder to compromise the audit trail.

For businesses, get something like a Trigeo appliance and keep an eye on the behavior of everything.

Make sure all your permissions/rules are based off the concept of "default deny, explicit allow".

You could also built a monolithic kernel and not allow modules at all. Kind of hard to insert a corrupt module if the kernel isn't modular!

Charles

--
Learning HOW to think is more important than learning WHAT to think.
Re:Read Only Drives by WaXHeLL · 2006-12-18 09:00 · Score: 1

Well, with a secure operating sytem like OpenBSD, patches aren't released very often.
But then, the parent was talking about Gentoo.

--
The troll with karma.
Re:Read Only Drives by throx · 2006-12-18 09:06 · Score: 1

But having things like /usr/bin on a read-only drive seems like an effective way to protect against many, many different root-kits, worms, etc. Ineffective and simply feel-good security.

If someone has root on your box (which is needed to install a rootkit) then they can just copy the read-only system to the writeable disk and mount it r/w. Now, given that they *already* know how to get root on the box then rebooting will clear whatever changes they made, but also put your system back into the configuration that they've demonstrated they can get root on anyway. You're dead in the water.

Lesson: If someone has root privileges (or equivalent, ie they can load arbitrary code into the kernel) on a machine then they own that machine. Doesn't matter what kernel hackery, obfuscated kernel modules, clever mountpoint strategies or anything else you come up with, they can undo it.

--

Fear: When you see B8 00 4C CD 21 and know what it means
Re:Read Only Drives by DigitalRaptor · 2006-12-18 09:19 · Score: 1

You're assuming that /etc/fstab is on the read-write disk. If it's on the read-only disk, they've accomplished nothing and your system is clean after a reboot.

Other things may be compromised, but your core OS would not be. And if other things are compromised, those things are more likely to be backed up and resurface after you restore the server.

--
Lose Weight and Feel Great with Isagenix
Re:Read Only Drives by DigitalRaptor · 2006-12-18 09:21 · Score: 1

Mounting the partition read only is easily overcome as soon as they have root. Change /etc/fstab, unmount, and remount and the partition is now read-write.

A dedicated syslog server is always a good idea if it fits the budget.

--
Lose Weight and Feel Great with Isagenix
Re:Read Only Drives by throx · 2006-12-18 09:35 · Score: 2, Insightful

I'm not assuming anything is on a read-write disk. If the attacker is able to load arbitrary code into the kernel then it doesn't matter where /etc/fstab is - they can just rewrite the kernel at runtime to mount a disk without worrying about /etc/fstab.

Yes - your machine will be "clean" after a reboot, but because you've made it read only it will be vulnerable to whatever attack gave them root in the first place.

Any system - read/write or read only root drive can be reset to a known configuration with little effort (it's usually called "restoring from a backup"), but the point of the rootkit is to give you no reason to do this. Your system looks like it's running just fine and your security theater of making the root drive read-only is giving you a warm fuzzy feeling about how safe you are, but in reality an attacker owns your box and you have no idea.

The answer is to spend less time thinking about what if an attacker gets root and more time preventing them. Once they have root it's pretty simple: nothing is trustworthy on the box any more because you have hard empirical evidence that it's weak to an attack.

--

Fear: When you see B8 00 4C CD 21 and know what it means
Re:Read Only Drives by djh101010 · 2006-12-18 09:35 · Score: 4, Interesting

Right, but now if you want to install a program or security update you have to power off, change jumper, power on, install, power off, reset jumper, power back on. This may or may not be worth it, particularily in the case of a security update.

Amazingly enough, I can draw on 25 year old experience on this one, sort of. Back in the early 1980s, I ran a BBS on a dialup TRS-80. The floppy drives, I put toggle switches on the front of so the read-only setting could be changed on the fly. So worst case, it'd be something you might be able to put an external switch for that jumper, outside the drive case. Maybe. Might blow up but at the time it worked great.
Re:Read Only Drives by DigitalRaptor · 2006-12-18 09:48 · Score: 1

Regardless of the exploit used to gain root, how many of todays rootkits do you think don't require being able to write to some of the files that would be on the read-only drive.

Nothing will prevent all rootkits.

But having files (like /bin/login, a common one changed by rootkits) on a read-only drive may prevent many of the existing rootkits from doing damage or working at all.

If everyone were doing this and it were built into the distributions, then yes, rootkits would be written around this strategy. But if only a small percentage of people are doing this, most rootkits wouldn't be "compatible", for lack of a better word.

--
Lose Weight and Feel Great with Isagenix
Re:Read Only Drives by noahm · 2006-12-18 09:51 · Score: 4, Insightful

Impractical, because it requires you to dedicate a drive to the stuff that can be mounted RO. Just mount the PARTITION read-only, instead.
# mount -o remount,rw /readonly/partition
So that won't help you...
You could also built a monolithic kernel and not allow modules at all. Kind of hard to insert a corrupt module if the kernel isn't modular!
That won't help either: http://doc.bughunter.net/rootkit-backdoor/kmem-pat ching.html Most modern kernel-level rootkits do not depend on the ability to dynamically load modules.
noah
Re:Read Only Drives by sylvandb · 2006-12-18 09:52 · Score: 1

Mounting the partition read only is easily overcome as soon as they have root. Change /etc/fstab, unmount, and remount and the partition is now read-write.

Or maybe by "mount -o remount,rw {partition}" ?

A dedicated syslog server is always a good idea if it fits the budget.

Sure, anything to get the logs off the compromised system is a good idea. Even piping them out to an attached printer, or an RS232 data logger, or WORM drive, or another server, or a workstation, or...

sdb
Re:Read Only Drives by FlyingGuy · 2006-12-18 09:57 · Score: 2, Interesting

This is where about $5.00 worth of parts and a soldering iron will help you out.

Most all chassis have at least ONE empty slot. Buy a simple miniature SPST toggle switch and some thin wire. Take a jumper and split it electricaly, then solder a wire to each jumper socket. Solder each end of the two wires to the pins on the toggle switch. Drill an approprate hole in the slot dust cover and mount the switch, or just feed the wires out and mount the switch on something close to the box. You now have on the fly flipping from r/w to r/o, provided the SCSI or SATA or SAS or whatever drive interface you are using doesn't freak out when its flipped.

Not only is this simple but its also hacker proof unless they have physical access to your server, and even then they have to know what that little toggle switch does!

--
Hey KID! Yeah you, get the fuck off my lawn!
Re:Read Only Drives by throx · 2006-12-18 10:18 · Score: 1

Nothing will prevent all rootkits.

Well - one thing will. Not allowing the attacker to get root in the first place.

This is what I'm trying to reinforce. There is no point in considering defenses against an attacker who has root. At that point, you are being grossly negligent if you do anything but forensic analysis and removing the machine from a public network until such time as you can do something to prevent future incursions of the type that went through. Inventing clever tricks to stop root from hacking your machine is in the realms of the tooth fairy, and DRM/copy prevention companies. It's simply a level of obfuscation in place after your real security failed, not a true measure of security.

Now, on the plus side of a read-only root disk, it does tend to permit a faster restore to a "known" configuration in the event of a successful root attack. You still have to pull the machine from the network and plug the hole, but the downtime may be a lot faster assuming you have physical access to the box.

--

Fear: When you see B8 00 4C CD 21 and know what it means
Re:Read Only Drives by chill · 2006-12-18 10:29 · Score: 1

All of it helps, because it leaves nice big footprints in your logs. Monitor them in real time.

To help prevent them from getting root, use patches like grsecurity which add address randomization and specifically deals with /dev/kmem direct patching.

If someone has root on your server, you've already lost. You need to go into "containment" and "cleanup" mode.

--
Learning HOW to think is more important than learning WHAT to think.
Re:Read Only Drives by dfn_deux · 2006-12-18 12:13 · Score: 1

It would be insanely trivial for someone with an EE background to make a jumper emulator which is operated via parallel port that could switch the drive (or any other jumper for that matter), the issue is whether or not the drive's firmware honers the jumper setting at anytime or if it is a "check once" type of setting. I suspect that the firmware only cares about the jumper setting when the disk is first spun up, but I could be wrong.

--
-*The above statement is printed entirely on recycled electrons*-
Re:Read Only Drives by jamesh · 2006-12-18 12:42 · Score: 1

Impractical, because it requires you to dedicate a drive to the stuff that can be mounted RO. Just mount the PARTITION read-only, instead.

Any rootkit that can get root could easily remount it rw.

You could also built a monolithic kernel and not allow modules at all. Kind of hard to insert a corrupt module if the kernel isn't modular!

This sounds like a good idea, but is it possible to build everything in these days? Last time I checked I think there were some things that could only be built as modules...
Re:Read Only Drives by mlock · 2006-12-18 19:00 · Score: 1

How often do you reboot? Once a year? Than a rootkit will be active for half a year on average - because even if it doesn't get to disk, you'll have it in RAM.

You'd need read-only RAM - and this is what the OS is supposed to provide (process separation).
If it fails, you've lost.

And furthermore there are some things on startup that write temporary data to /tmp - possibly in a fixed path.
So you create this file, make it unchangeable (eg. ext2/3 attribute, or simply 0555), and write malicious data there - maybe it'll still be active after reboot.
To get that working it's better to have *only* read-only disks, and do the rest with shmfs or similar - but then you'll get no logfiles.
Re:Read Only Drives by arose · 2006-12-18 20:21 · Score: 1

[..] even then they have to know what that little toggle switch does!
Magic?

--
Analogies don't equal equalities, they are merely somewhat analogous.
Re:Read Only Drives by hesaigo999ca · 2006-12-19 02:04 · Score: 1

I had a friend that was the ultimate guru when he was teaching me about linux. He showed me that when partitioning certain things he made a special partitioned that contained system stuff, and then went on to burn that partition on a cd-rom which he would then boot from and could never be overwritten. Sort of a nice way of making sure that the files are the sames ones you started out with, this was 8 years ago before the craze of knoppix boot cds. Now you can boot your whole system if you have a dvd drive installed, and boots dvds 4.7gb. is almost enough for everything!! : )

I like to leave this up to the FBI by Timesprout · 2006-12-18 08:39 · Score: 4, Funny

When the dark suits turn up on my doorstep with an arrest warrant on charges of attempting to crack confidential government sites I can be pretty sure my machine has been rooted.

--
Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
What truth?
There is no dupe

Re:I like to leave this up to the FBI by computational+super · 2006-12-18 09:01 · Score: 1

I always root my own boxes so that I can use that as an excuse if I ever get caught.

--
Proud neuron in the Slashdot hivemind since 2002.
Re:I like to leave this up to the FBI by lysdexia · 2006-12-18 09:17 · Score: 0

I just run an irc bot that pipes commands to my root shell.

Nobody can blame me for *NOTHING* man.

Is rooting Linux by wumpus188 · 2006-12-18 08:42 · Score: 1

... just .. un-cool?

Tinfoil Hat Time... by grub · 2006-12-18 08:43 · Score: 1

A well done rootkit is hard to detect... if you can't find a rootkit on your system then it's probably too late.

Go here now.

--
Trolling is a art,

Re:Tinfoil Hat Time... by Anonymous Coward · 2006-12-18 13:38 · Score: 0

A well done rootkit is hard to detect... if you can't find a rootkit on your system then it's probably too late.
None of my hardware (all new) seems to work with Linux. Is it possible I have a rootkit?
Re:Tinfoil Hat Time... by tehcyder · 2006-12-19 01:56 · Score: 1

A well done rootkit is hard to detect... if you can't find a rootkit on your system then it's probably too late.
So do you think if I can't find a rootkit on my system I should install one, so that I can find it next time and not worry that because rootkits are hard to detect the fact that I can't find a rootkit on my system means it's probably too late?

--
To have a right to do a thing is not at all the same as to be right in doing it
Re:Tinfoil Hat Time... by Anonymous Coward · 2006-12-19 08:09 · Score: 0

if you can't find a rootkit on your system then it's probably too late

I've searched and searched and searched but can't find any root kit - is it too late? Have I been rooted?

linuix rootkits? by pulse2600 · 2006-12-18 09:02 · Score: 0, Troll

That's easy. Are you running VMWare with a Windows virtual install on this Linux box? Delete that virtual machine. Rootkit eliminated.

Re:linuix rootkits? by Anonymous Coward · 2006-12-18 11:11 · Score: 0

Rootkits are only for Windows? Where exactly do you think "root" in "rootkit" comes from anyway, sherlock?
Re:linuix rootkits? by extern_void · 2006-12-19 03:47 · Score: 1

Yes, well done. Is this the Windows way to face problems? Re-installing it?
What if you get sick? Re-born?

trojan the detector by tkw954 · 2006-12-18 09:03 · Score: 2, Interesting

Wouldn't the first step for a rootkit developer be to add rkhunter and chkrootkit to their list of trojaned programs so that they give a "no rootkit" output? Maybe there's some protection from this, but I don't see it in the article.

I've always wondered... by sootman · 2006-12-18 09:03 · Score: 3, Interesting

How hard is it to build a basic but worthwhile rootkit detection tool with common tools? Like run `md5 /bin/*` and then ship the output of that to another machine every day for comparison to yesterday's output of that command? (Looking at other directories as well, of course.) My understanding is that many rootkits come with hacked versions of tools like 'ps' to hide themselves.

On the one hand, yeah, let's not reinvent the wheel, but on the other hand, there are advantages to building your own tools:
- you know exactly what they're doing--more complicated pre-existing tools might do more, but if you don't understand their output, they're no good.
- you don't have to trust*/audit someone else's code
- they don't do more than you need
- they don't have features that you don't know about or might misuse
- at the very least, it's a great way to learn

* yes, I know about this. but there are reasonable limits--I do trust that my distro came with a clean copy of gcc. OTOH, I'd rather write my own 20-line script that download someone else's that says it does the same thing as what I would write myself but that I'd have to audit for even the smallest things, like sneaking in an
if ($rooted="no")
instead of
if ($rooted=="no")

--
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.

Re:I've always wondered... by Anonymous Coward · 2006-12-18 09:25 · Score: 1, Interesting

Like run `md5 /bin/*` and then ship the output of that to another machine

Nothing wrong with that, but how do you know md5 hasn't been compromised? The only way to be sure is to boot into something else like a livecd and run md5 from there.
Re:I've always wondered... by Anonymous Coward · 2006-12-18 09:27 · Score: 0

How hard is it to build a basic but worthwhile rootkit detection tool with common tools?

You answered your own question. A proper rootkit will replace your legit tools (any and all of them) with non-legit tools. For example, it could replace the md5 command with some evil md5 command that will return the md5 of the legit version of a file when run on the compromised version of the same file, defeating the scheme you outlined.

The answer to your questions ranges from "easy" to "impossible" depending on your definition of "worthwhile." Approaches based on simple/common tools will can work against weak rootkits, but will fail against sophisticated ones. Theoretically, a rootkit is (by definition) undetectable by any and all efforts, so you might as well just give up now. :-)
Re:I've always wondered... by rjstanford · 2006-12-18 09:54 · Score: 1

If (and I've never been paranoid enough to worry about it, so it is an "if") you care this much, you have to worry that they'd give you a new version of md5 as well. Sticking a known good version somewhere else under a different name is probably more than enough security there, though.

Better yet, add a random amount of crap onto your key binaries so that they're non-standard, then get checksums with some theoretically known-good checksummer. Keep an eye on them automatically, and every now and then get the list by hand and compare it to the printout you made when you set up the machine.

If they are replaced, along with md5 (and/or the libraries it uses, etc), they'll probably be set to report the "standard" values which will immediately tell you you've been r00ted.

--
You're special forces then? That's great! I just love your olympics!
Re:I've always wondered... by sootman · 2006-12-18 10:04 · Score: 1

Wouldn't it be pretty trivial to
cp /mnt/cdrom/md5 /sbin/
each night before running the tool? Or, as someone else suggested, leave md5 on with another name? I'm sure most rootkits wouldn't notice if 'zsh' was actually a copy of 'md5.'

I'm not talking about a bulletproof tool for the NSA. I'm just interested in something basic that would do the trick for most people.

--
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Re:I've always wondered... by noahm · 2006-12-18 10:23 · Score: 1

Wouldn't it be pretty trivial to
cp /mnt/cdrom/md5 /sbin/
each night before running the tool? Or, as someone else suggested, leave md5 on with another name? I'm sure most rootkits wouldn't notice if 'zsh' was actually a copy of 'md5.'
Yes, it would be trivial. Unfortunately, it wouldn't do you much good these days. Modern rootkits (on Windows, Linux, what have you), are kernel based. It doesn't matter how trusted your md5, ls, ps, and other binaries are if your kernel is not reporting accurate information.
See e.g. http://www.la-samhna.de/library/rootkits/index.htm l for example.
noah
Re:I've always wondered... by Anonymous Coward · 2006-12-18 10:40 · Score: 0

Theoretically, a rootkit is (by definition) undetectable by any and all efforts, so you might as well just give up now. :-)

Not true at all. A good rootkit is undetectable from the running system. It is detectable from outside the system. Boot from a livecd and scan with md5 or another hashing tool.
Re:I've always wondered... by Anonymous Coward · 2006-12-18 13:06 · Score: 0

Some replies to this parent are saying "but you can't trust your copy of md5sum", and this is true as far as it goes. But even if you run a known-good copy of md5sum, some rootkits can intercept attempts to read a file and return unsuspicious results to the reader, thus masking the file's true corrupted contents. E.g. rootkit sees md5sum trying to read /bin/passwd, and shows md5sum a stashed copy of the legitimate /bin/passwd, but when you run /bin/passwd you run the malicious version.
Thus it's more complicated than parent hopes. Of course, I have no idea if the rootkit checkers mentioned in the article are any better in this regard than the parent's proposed idea.
Re:I've always wondered... by Sancho · 2006-12-19 03:18 · Score: 1

Exactly. Good rootkits patch syscalls, not binary programs. This way, no matter what program does your directory listing, you'll never see the rootkit's hidden files. Only the rootkit's programs will have the key to making the syscalls work as normal.

Meh, I don't trust those tools by straponego · 2006-12-18 09:07 · Score: 4, Funny

I just eyeball /proc/kcore for anything suspicious every day or so.

Rootkits by Anonymous Coward · 2006-12-18 09:09 · Score: 0

I always look for rogue installations of VMWare running Win32 virtual machines, other than that I don't have much to worry about.

suid? by stoolpigeon · 2006-12-18 09:09 · Score: 1

is that like that software for making sandwiches?

i kid, i kid. i'm just an xkcd fanboy with too much time on his hands.

--
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?

Re:suid? by Anonymous Coward · 2006-12-18 11:38 · Score: 0

It's not a software for making sandwitches, rather for making *me* sandwitches.
Huge difference, don't ya think ?

You keep using that word... by DCheesi · 2006-12-18 09:14 · Score: 1

"His passwd program has the same name as the real passwd program and works flawlessly in all respects except for the fact that it will also gather data residing on your machine such as the user details each time it is run and transmit it to a remote location or it will open a back door for outsiders by providing easy root access and all the time, you will be impervious about its actions."

...I don't think it means what you think it means.

http://www.answers.com/impervious&r=67

Re:You keep using that word... by lysdexia · 2006-12-18 09:22 · Score: 0

Incon*thp*evable!

It took about five episodes of "Dead Like Me" before my wife and I could stop makin' with the Inago lines every time Mandy came on the screen.

Re:Wait a sec... by Anonymous Coward · 2006-12-18 09:18 · Score: 0

If you get an admin to execute a trojan, it doesn't matter what OS you're running.

Re:Wait a sec... by Anonymous Coward · 2006-12-18 09:21 · Score: 0

Where exactly did you read that on /.?

Why do you think it has the name 'root' kit instead of 'Administrator' kit? Because it was done on Unix long before windows was around.

chkrootkit by joe+155 · 2006-12-18 09:22 · Score: 2, Informative

chkrootkit is good, I like it anyway, you can get it in Fedora Core 6 through yum (although you don't seem to be able to get rkhunter through yum any more). you have to run it as root, maybe its something about what it needs to access... anywho, you can get issues with false possitives, I just ran it and got;

Searching for OBSD rk v1... /usr/lib/security
/usr/lib/security/classpath.security
....
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.pack list

so I wouldn't worry too much if you see something that looks iffy before you check it out (I'd have been annoyed if I just reinstalled my OS just to find the same thing happening again). It will also show your ethnet port as being in "sniffer". Anywho, best practices can minimize the risk to pretty much 0... oh, but for God's sake PLEASE switch off remote root access on ssh over default ports, ideally switch it off altogether (If you need it please learn how to use it). Ssh coupled with an easily broken root password is the single biggest cause of rootkits... and a huge /var/log/secure!

--
*''I can't believe it's not a hyperlink.''

Re:chkrootkit by nuzak · 2006-12-18 09:36 · Score: 1

> Ssh coupled with an easily broken root password is the single biggest cause of rootkits

Which begs^H^H^H^Hdemands the question: why doesn't any distro install one of the many ssh brute-force prevention utilities out of the box? Some of them don't even need to look at logfiles, they're simply common-sense firewall rules.

--
Done with slashdot, done with nerds, getting a life.
Re:chkrootkit by Guido+von+Guido · 2006-12-18 09:40 · Score: 1

I use "AllowGroups blah" in sshd_config. This prevents any account which is not in the blah group from logging in via ssh. This keeps root out (although I turn root logon off anyway, or set it to use SSH keys only), as well as any system accounts. The disadvantage is that it's slightly more trouble to maintain.
Re:chkrootkit by extern_void · 2006-12-19 04:22 · Score: 1

hmmm interesting, i wrote some kernel level rootkit and chkrootkit wasn't (Wow!) able to discover it. Duh!
One of chkrootkit's way to find a rootkit is by signature, what
an old school way to figure it out. Outdated and frequently useless.

Bruce Schneier by BESTouff · 2006-12-18 09:30 · Score: 1

Bruce Schneier once wrote a kernel module just by cut'n'pasting 0s and 1s in an xterm.

More on http://geekz.co.uk/schneierfacts/

Re:trojan the detector by sfjoe · 2006-12-18 09:34 · Score: 3, Insightful

They can do that but, if you're like me, chkrootkit runs from a mounted CD-ROM. It's a little harder for them to trojan it that way.

--
It's simple: I demand prosecution for torture.

Bigger list by pseudorand · 2006-12-18 10:17 · Score: 1

If you want a bigger list of such tools, type ls /usr/portage/app-forensics/ on any gentoo machine.

Re:Read Only Drives = CDROM by flyingfsck · 2006-12-18 11:24 · Score: 1

Try Knoppix or any of it's derivatives.

--
Excuse me, but please get off my Pennisetum Clandestinum, eh!

This would have been more appropriate: by Anonymous Coward · 2006-12-18 11:27 · Score: 2, Insightful

52 65 61 6C 20 6D 65 6E 20 61 6E 64 20 72 65 61 6C 20 68 61 63 6B 65 72 73 20 77 72 69 74 65 20 74 68 65 69 72 20 70 72 6F 67 72 61 6D 73 20 69 6E 20 62 69 6E 61 72 79 20 63 6F 64 65 2C 20 6E 6F 74 20 69 6E 20 73 74 75 70 69 64 20 61 6E 64 20 62 6C 6F 61 74 65 64 20 61 73 73 65 6D 62 6C 65 72 2E

Re:This would have been more appropriate: by Linker3000 · 2006-12-18 13:17 · Score: 2, Funny

Hey, AC, There's a guy on the phone for you - says he's from SCO and he'd like a quick word.

--
AT&ROFLMAO

Linux rootkits by FreeBSD+evangelist · 2006-12-18 13:46 · Score: 1

I can't help but point out on FreeBSD you can use CVSup to force your sources to match the master site, and then "cd /usr/src ; make world". Around an hour later (depending on your machine) you will have completely new binaries for the kernel, kernel modules, binaries, docs, etc.

Bye bye rootkits, viruses, back doors and the like.

Re:Linux rootkits by The_Cheese_Stands_Al · 2006-12-18 14:23 · Score: 1

If someone has compromised root, all of your utilities are not what they seem. The install, cp, etc. are not the same. Make is not the same. A 'make world' will not fix this. The utilities will not replace themselves. A rootkit could even run at kernel level and simply update what fake file it has to show to monitoring software. Please read other comments before repeating what has been said (erroneously) several times already.
Re:Linux rootkits by FreeBSD+evangelist · 2006-12-18 14:43 · Score: 1

You missed the part about syncing your source tree to the master, before rebuilding the world. Please read an entire posting before replying to it.
Re:Linux rootkits by The_Cheese_Stands_Al · 2006-12-18 18:03 · Score: 1

If your system is compromised, nothing is trustable. Not the kernel, not the sync utilities (which on a FreeBSD system would be the first thing to alter), not anything. I did not miss the part about syncing to master. If there's a rootkit it will either make sure your sync still has its changes, or it will simply not install files silently. It could also modify your compiler to produce backdoors in your executables (For more on this one in particular, look at this http://www.acm.org/classics/sep95/Turing Award Lecture by Ken Thompson, one of the original people involved with Unix. This has been done before, and can be done again.

I repeat--If your system has been compromised, you can only rely on things that are non-modifyable by the system (I.E. BIOS ROM, unconnected disks). Your filesystem driver cannot be trusted. Expect it to lie whenever it needs to. Assume that the rootkit will not do anything that will help you find it. Syncing your source tree depends on way too many things that would be compromised to rely on (filesystem, network driver, sync utilities, libc, etc). The same goes for any other software update of any kind (excluding livecds -- assuming said rootkit didn't change your BIOS).
Re:Linux rootkits by Anonymous Coward · 2006-12-19 05:05 · Score: 0

Please forgive the fanboy's insistence. His opinions are biased as he loves FreeBSD way too much.

The tables have turned, Mr. Bond... by RealGrouchy · 2006-12-18 15:57 · Score: 2, Funny

Joke's on you, Linux boys (and girls?)!

I don't have to worry about this. I use Windows!

Oh wait...

- RG>

--
Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!

Besides the point! by TrueKonrads · 2006-12-18 23:46 · Score: 2, Informative

Kind of bypasses the point of detection, in a way.

One cane safely ass-u-me that if the storage is disconnected, then , if You look very very close, then You could detect a rootkit. Though IF,

If the kit is in-mem only and subverts no system binaries and stores its support files somewhere under /home/maryjanesmith/ or somewhere on /var/www, in other words - locations with thouesand of changing files (TripWire won't work even with SHA1 or other non md5 sums)
Uses an unpatched hole or security lapse to activate itself (say, attacker checks if the rootkit is there, by sending some fancy ping and expecting a fancy pong, e.g.)

Then even an offline inspection can be bypassed.

Besides, I'm sure a lot of businesses will take the risk of running potentially compromised server, than incur downtime.

Now, the Challenge is: What to do, to lock down system so that it is possible to verify the kernel and some userspace against a known good state and the system always gives veritable results? I think that SELinux already does a lot of that - limits root's access. You can setup its policy so, that it will only allow executing binaries and load modules from from read-only partition. The point, is to lock down the box to such state, where only physical access allows security sensitive part modification. I know this is inconvenient,but if some Good Practices [tm] are followed, then a machine once-setup can run with config unchanged for a Year or so. Have some sort of Patch Tuesday or rely on trusted and secured binaries that allow package updated only if their strong crypto signatures validate.

On an end note, securing and maintaining a system like this with existing tools (that I am aware of) is timeconsuming and hence - expensive. So, the cost-benefit ratio might be nearing the "Let's just re-roll the system on suspected cracks" scenraio. For SMB at least.

--
Lone Gunmen crew.

I was rooted by ftp once by trigggl · 2006-12-19 00:01 · Score: 2, Interesting

That was a couple of days after openning a port in my router for ftp. I thought it was cool to be able to transfer files to and from work. I set it up so that only users could sign in and the user would be locked into their home folder. I saw a couple of attempts to get in in the log. I was watching the monitor of my internet traffic when someone got in and instantly data was going both ways. That's when I turned the DSL router off, closed all ports on the router behind it and disabled ftp on the box. I won't be openning up ports again. When I turned the DSL router back on, I made sure that it got a new address. I need to learn a lot more before I try to run a server again. I also changed the permissions on the other partitions because they had different UID's making them available to the distro I'm currently running. Bad habits will bite you. If you leave a port open, you will get rooted.

--
Ops, I shuld have usd the prevuwe but in.

Use the hash, Luke! by FellowConspirator · 2006-12-19 03:21 · Score: 1

The best way to detect a rootkit: post-install, hash the installed file-system files and kernel and save the results on a CD-R. Periodically, check to see if the hashes have changed. If so, you know where the problem lies.

What's a 'word'? by Anonymous Coward · 2006-12-19 03:56 · Score: 0

Hey, AC, There's a guy on the phone for you - says he's from SCO and he'd like a quick word.

49 74 20 73 68 6F 75 6C 64 20 62 65 20 6F 62 76 69 6F 75 73 20 74 68 61 74 20 49 20 63 61 6E 6E 6F 74 20 70 72 6F 76 69 64 65 20 77 6F 72 64 73 2C 10 74 68 65 79 20 61 72 65 20 74 6F 6F 20 62 69 67 2E 20 20 46 69 74 74 69 6E 67 20 74 68 61 74 20 53 43 4F 20 77 6F 75 6C 64 20 61 74 74 65 6D 70 74 20 61 20 63 61 6C 6C 20 72 65 6C 79 69 6E 67 20 6F 6E 20 69 6E 63 6F 6D 70 61 74 69 62 6C 65 20 64 61 74 61 20 74 79 70 65 73 2E

Root a webserver, capture ALL user data at once by Reziac · 2006-12-19 06:18 · Score: 1

What about the fact that around half the internet runs on *NIX boxes of one stripe or another? Root one of those, and capture ALL the user data (IDs, passwords, credit card numbers, whatever) that passes through it. Much more efficient than relying on a random army of Windows Zombies.

--
~REZ~ #43301. Who'd fake being me anyway?

Slashdot Mirror

Detecting Rootkits In GNU/Linux

142 comments