Detecting Rootkits In GNU/Linux

An anonymous reader sends note of a blog post on rootkit detection in GNU/Linux. The article mentions only two utilities for ferreting out rootkits — the first comment to the blog post lists three additional ones — but it could be useful for those who haven't thought about the problem much. From the article: "A rootkit... is a collection of tools that a cracker installs on a victim's computer after gaining initial access. It generally consists of log cleaning scripts and trojaned replacements of core system utilities such as ps, top, ifconfig and so on."

Re:This is...

[Rosco+P.+Coltrane]

It's rather difficult to load kernel obfuscation modules (like hiding processes and files) without header files and no compiler.

I'll tell you a little secret: if you know the kernel version number and target architecture, you can build a module on another, totally different machine. Wow! 2007 technology man!

Re:ifl

[Moby+Cock]

Most modern rootkits are kernel level and Trip Wire can not readily detect them. Nevertheless it is still useful to have at hand.

Re:Read Only Drives

[chill]

Impractical, because it requires you to dedicate a drive to the stuff that can be mounted RO. Just mount the PARTITION read-only, instead.

If you have more than one machine, get a dedicated syslog server and send the logs from the other machines over to it. This way logs aren't on the main machines and it is much harder to compromise the audit trail.

For businesses, get something like a Trigeo appliance and keep an eye on the behavior of everything.

Make sure all your permissions/rules are based off the concept of "default deny, explicit allow".

You could also built a monolithic kernel and not allow modules at all. Kind of hard to insert a corrupt module if the kernel isn't modular!

  Charles