Detecting Rootkits In GNU/Linux
An anonymous reader sends note of a blog post on rootkit detection in GNU/Linux. The article mentions only two utilities for ferreting out rootkits — the first comment to the blog post lists three additional ones — but it could be useful for those who haven't thought about the problem much. From the article: "A rootkit... is a collection of tools that a cracker installs on a victim's computer after gaining initial access. It generally consists of log cleaning scripts and trojaned replacements of core system utilities such as ps, top, ifconfig and so on."
That may have been true 30 years ago when a compiler license cost thousands. If a person has write access to your system, they can just copy a compiler binary over.
I run Gentoo Linux servers for hosting email and websites, and have wanted a way to really secure the boxes.
Many hard drives have jumpers that make them read only.
I thought it would be great to have all of the rarely changed portions of the operating system on a separate drive set to read only.
The only time you would move the jumper to read-write would be when you were installing updates.
Things like:
/tmp
/var/log
etc
Would have to always be on a read-write drive.
But having things like
/usr/bin
on a read-only drive seems like an effective way to protect against many, many different root-kits, worms, etc.
What do you think? Feasible or impractical?
"I'll tell you a little secret: if you know the kernel version number and target architecture, you can build a module on another, totally different machine. Wow! 2007 technology man!"
Not on my internet-facing servers. No compilers and hand-compiled monolithic kernel.
Does root have access to /proc/kcore? If yes, then an attacker with root access can modify the kernel in memory as needed. Heck, there are even projects to bring this into the mainstream for carrier-grade Linux (no need for those pesky reboots after a kernel upgrade):
http://pannus.sourceforge.net/
Wouldn't the first step for a rootkit developer be to add rkhunter and chkrootkit to their list of trojaned programs so that they give a "no rootkit" output? Maybe there's some protection from this, but I don't see it in the article.
How hard is it to build a basic but worthwhile rootkit detection tool with common tools? Like run `md5 /bin/*` and then ship the output of that to another machine every day for comparison to yesterday's output of that command? (Looking at other directories as well, of course.) My understanding is that many rootkits come with hacked versions of tools like 'ps' to hide themselves.
On the one hand, yeah, let's not reinvent the wheel, but on the other hand, there are advantages to building your own tools:
- you know exactly what they're doing--more complicated pre-existing tools might do more, but if you don't understand their output, they're no good.
- you don't have to trust*/audit someone else's code
- they don't do more than you need
- they don't have features that you don't know about or might misuse
- at the very least, it's a great way to learn
* yes, I know about this. but there are reasonable limits--I do trust that my distro came with a clean copy of gcc. OTOH, I'd rather write my own 20-line script than download someone else's that says it does the same thing as what I would write myself but that I'd have to audit for even the smallest things, like sneaking in an
if ($rooted="no")
instead of
if ($rooted=="no")
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
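The "hash /bin/* and compare with yesterday" idea from the comment above, written out as a small POSIX shell script. This is an added example, not code from the original post; it assumes GNU coreutils (sha256sum) and paths without spaces, and the baseline file is meant to be copied to and compared on a separate trusted host, since a box that can trojan ps can trojan sha256sum just as easily.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal baseline-and-compare
# file integrity check. Assumes GNU coreutils sha256sum and paths without spaces.

# snapshot_hashes DIR... -> prints "HASH  PATH" for every regular file, sorted by path
snapshot_hashes() {
    find "$@" -type f -exec sha256sum {} + | sort -k2
}

# compare_snapshots OLD NEW -> one line per difference, sorted:
#   ADDED path / REMOVED path / CHANGED path
# FILENAME is used instead of the NR==FNR trick so an empty OLD file still works.
compare_snapshots() {
    awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
         { new[$2] = $1 }
         END {
             for (p in new) if (!(p in old)) print "ADDED " p
             for (p in old) if (!(p in new)) print "REMOVED " p
             for (p in new) if ((p in old) && old[p] != new[p]) print "CHANGED " p
         }' "$1" "$2" | sort
}

# demo_check -> runs the whole cycle on a constructed directory tree:
# take a baseline, then change one file, add one and remove one, and report.
demo_check() {
    work=$(mktemp -d)
    mkdir "$work/bin"
    printf 'original ps\n' > "$work/bin/ps"
    printf 'original ls\n' > "$work/bin/ls"
    (cd "$work" && snapshot_hashes bin) > "$work/baseline.txt"   # yesterday
    printf 'modified ps\n' > "$work/bin/ps"                      # changed file
    printf 'new file\n'    > "$work/bin/nc"                      # added file
    rm "$work/bin/ls"                                            # removed file
    (cd "$work" && snapshot_hashes bin) > "$work/today.txt"      # today
    compare_snapshots "$work/baseline.txt" "$work/today.txt"
    rm -rf "$work"
}
```

In real use you would run snapshot_hashes over /bin, /sbin, /usr/bin, /usr/sbin and /lib from cron, ship the file off-box, and run compare_snapshots there; an empty report is the expected daily result.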
That was a couple of days after opening a port in my router for ftp. I thought it was cool to be able to transfer files to and from work. I set it up so that only users could sign in and the user would be locked into their home folder. I saw a couple of attempts to get in in the log. I was watching the monitor of my internet traffic when someone got in and instantly data was going both ways. That's when I turned the DSL router off, closed all ports on the router behind it and disabled ftp on the box. I won't be opening up ports again. When I turned the DSL router back on, I made sure that it got a new address. I need to learn a lot more before I try to run a server again. I also changed the permissions on the other partitions because they had different UIDs making them available to the distro I'm currently running. Bad habits will bite you. If you leave a port open, you will get rooted.
Ops, I shuld have usd the prevuwe but in.