Slashdot Mirror

← Back to Stories (view on slashdot.org)

Detecting Rootkits In GNU/Linux

Posted by kdawson on from the watching-your-back dept.

An anonymous reader sends note of a blog post on rootkit detection in GNU/Linux. The article mentions only two utilities for ferreting out rootkits — the first comment to the blog post lists three additional ones — but it could be useful for those who haven't thought about the problem much. From the article: "A rootkit... is a collection of tools that a cracker installs on a victim's computer after gaining initial access. It generally consists of log cleaning scripts and trojaned replacements of core system utilities such as ps, top, ifconfig and so on."

22 of 142 comments (clear)

  1. ifl by stoolpigeon · · Score: 3, Informative

    I think that there is room to mention the well known tools such as AIDA and TripWire and LogCheck.

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    1. Re:ifl by Moby+Cock · · Score: 4, Informative

      Most modern rootkits are kernel level and Trip Wire can not readily detect them. Nevertheless it is still useful to have at hand.

    2. Re:ifl by stoolpigeon · · Score: 4, Funny

      i have no idea. i've never used any of them. this is a joke gone completely wrong. i just copied and pasted the comment from over at tfa. hence my subject: ifl (it's funny laugh). i figured it'd end up troll, over-rated, but i got such a laugh out of doing it (sorry i'm easily amused) that i figured it was worth it. in what is a horrid twist of fate, i now feel bad for getting modded up.

      --
      It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    3. Re:ifl by computational+super · · Score: 3, Insightful

      You know, one of the things I'd like to do if I had more time and knew how to do it would be to create a bootable "system scan" disk. A rootkit could hide itself from tripwire et al, but it couldn't hide from a bootable CD. I guess you can sort of achieve the same effect with Knoppix with a bit of work, but it would be nice to have something that I could use to scan a machine for vulnerabilities without using the hard drive to boot at all.

      --
      Proud neuron in the Slashdot hivemind since 2002.
    4. Re:ifl by Anonymous Coward · · Score: 3, Informative

      Something like this?

  2. Ah! No need for rootkit detector... by Rosco+P.+Coltrane · · Score: 4, Funny

    ... with the Internet Freedom Disk!

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  3. Pish Posh by eno2001 · · Score: 5, Funny

    It's GNU/Linux. Any hacker worth his salt doesn't want to bother with archaic OSes based on Unix. He wants the 1337 stylings of Windows Vista. No sense in rootkitting a *nix box. You can't do anything with a *nix box. But an army of zombie Vista PCs, now THAT is ULTIMATE POWER!

    --
    -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
  4. Re:This is... by Rosco+P.+Coltrane · · Score: 5, Informative

    It's rather difficult to load kernel obfuscation modules (like hiding processes and files) without header files and no compiler.

    I'll tell you a little secret: if you know the kernel version number and target architecture, you can build a module on another, totally different machine. Wow! 2007 technology man!

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  5. Re:This is... by psycho8me · · Score: 5, Interesting

    That may have been true 30 years ago when a compiler license cost thousands. If a person has write access to your system, they can just copy a compiler binary over.

  6. Compiler is Irrelevant by brunes69 · · Score: 3, Informative

    It's pretty trivial to just deduce what kernel the machine is running and build working binaries wherever you want. In fact it would be preferred, since a sysadmin is far more likely to notice a rogue gcc process sucking up CPU than a file transfer while the rootkit is being loaded.

    Anyway - if the person has root on the box (which they need to install the rootkit anyway), then they can just ship up THEIR OWN COMPILER if they want to regardless.

    1. Re:Compiler is Irrelevant by profplump · · Score: 4, Insightful

      First, let me introduce you to the file command, which can tell me all about your arch. Or failing that, less, or any other program than can read any binary on your system. Your binary executables necessarily include information about their format, including their architecture.

      spaceheater ~ 0$ file /bin/bash
      /bin/bash: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.0.0, dynamically linked (uses shared libs), not stripped

      Second, why are you worried about compilers and version numbers if you're so sure people can't load modules anyway? What exactly are you trying to protect? There's something to be said for a minimalistic system, but you've yet to explain how having a compiler installed poses any sort of realistic security threat.

      Finally, what's to keep someone from simply replacing your entire hand-complied, monolithic kernel? Even if you disable all the ways to do this without rebooting -- kexec() and /proc/kcore, probably among others -- they could always reboot the machine. Sure, you'd notice the reboot, but would you be able to detect their change after the reboot?

      I'd also like to mention that OS-enforced append-only files are a poor substitute to logging to a hardware-enforced WORM drive, particularly if we're talking about rootkits. You're still fundamentally relaying on the OS to provide protection, which isn't reasonable when a rootkit has been installed.

  7. Yes, but... by Darlantan · · Score: 5, Funny

    You have your l33t ninja with his army of zombie Windows boxes... ...but how do they stack up to the *nix pirates, and their FTPs on the seven seas of the intarwebs? It's the classic clashes, modernized. Who has the REAL Ultimate Power?

    --
    Fill in your four or five-letter word of wisdom here _ _ _ _ _.
  8. Read Only Drives by DigitalRaptor · · Score: 5, Interesting

    I run Gentoo Linux servers for hosting email and websites, and have wanted a way to really secure the boxes.

    Many hard drives have jumpers that make them read only.

    I thought it would be great to have all of the rarely changed portions of the operating system on a separate drive set to read only.

    The only time you would move the jumper to read-write would be when you were installing updates.

    Things like: /tmp /var/log
    etc

    Would have to always be on a read-write drive.

    But having things like /usr/bin on a read-only drive seems like an effective way to protect against many, many different root-kits, worms, etc.

    What do you think? Feasible or impractical?

    --
    Lose Weight and Feel Great with Isagenix
    1. Re:Read Only Drives by chill · · Score: 4, Informative

      Impractical, because it requires you to dedicate a drive to the stuff that can be mounted RO. Just mount the PARTITION read-only, instead.

      If you have more than one machine, get a dedicated syslog server and send the logs from the other machines over to it. This way logs aren't on the main machines and it is much harder to compromise the audit trail.

      For businesses, get something like a Trigeo appliance and keep an eye on the behavior of everything.

      Make sure all your permissions/rules are based off the concept of "default deny, explicit allow".

      You could also built a monolithic kernel and not allow modules at all. Kind of hard to insert a corrupt module if the kernel isn't modular!

        Charles

      --
      Learning HOW to think is more important than learning WHAT to think.
    2. Re:Read Only Drives by djh101010 · · Score: 4, Interesting

      Right, but now if you want to install a program or security update you have to power off, change jumper, power on, install, power off, reset jumper, power back on. This may or may not be worth it, particularily in the case of a security update.

      Amazingly enough, I can draw on 25 year old experience on this one, sort of. Back in the early 1980s, I ran a BBS on a dialup TRS-80. The floppy drives, I put toggle switches on the front of so the read-only setting could be changed on the fly. So worst case, it'd be something you might be able to put an external switch for that jumper, outside the drive case. Maybe. Might blow up but at the time it worked great.

    3. Re:Read Only Drives by noahm · · Score: 4, Insightful
      Impractical, because it requires you to dedicate a drive to the stuff that can be mounted RO. Just mount the PARTITION read-only, instead.

      # mount -o remount,rw /readonly/partition

      So that won't help you...

      You could also built a monolithic kernel and not allow modules at all. Kind of hard to insert a corrupt module if the kernel isn't modular!

      That won't help either: http://doc.bughunter.net/rootkit-backdoor/kmem-pat ching.html Most modern kernel-level rootkits do not depend on the ability to dynamically load modules.

      noah

  9. I like to leave this up to the FBI by Timesprout · · Score: 4, Funny

    When the dark suits turn up on my doorstep with an arrest warrant on charges of attempting to crack confidential government sites I can be pretty sure my machine has been rooted.

    --
    Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
  10. Re:This is... by seifried · · Score: 4, Interesting

    Does root have access to /proc/kcore? If yes then an attacker with root access can modify the kernel in memory as needed. Heck there's even projects to bring this into the mainstream for carrier grade Linux (no need for those pesky reboots after a kernel upgrade): http://pannus.sourceforge.net/

  11. Re:This is... by diegocgteleline.es · · Score: 3, Funny

    Real men and real hackers write their programs in binary code, not in stupid and bloated assembler.

  12. I've always wondered... by sootman · · Score: 3, Interesting

    How hard is it to build a basic but worthwhile rootkit detection tool with common tools? Like run `md5 /bin/*` and then ship the output of that to another machine every day for comparison to yesterday's output of that command? (Looking at other directories as well, of course.) My understanding is that many rootkits come with hacked versions of tools like 'ps' to hide themselves.

    On the one hand, yeah, let's not reinvent the wheel, but on the other hand, there are advantages to building your own tools:
    - you know exactly what they're doing--more complicated pre-existing tools might do more, but if you don't understand their output, they're no good.
    - you don't have to trust*/audit someone else's code
    - they don't do more than you need
    - they don't have features that you don't know about or might misuse
    - at the very least, it's a great way to learn

    * yes, I know about this. but there are reasonable limits--I do trust that my distro came with a clean copy of gcc. OTOH, I'd rather write my own 20-line script that download someone else's that says it does the same thing as what I would write myself but that I'd have to audit for even the smallest things, like sneaking in an
    if ($rooted="no")
    instead of
    if ($rooted=="no")

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  13. Meh, I don't trust those tools by straponego · · Score: 4, Funny

    I just eyeball /proc/kcore for anything suspicious every day or so.

  14. Re:trojan the detector by sfjoe · · Score: 3, Insightful


    They can do that but, if you're like me, chkrootkit runs from a mounted CD-ROM. It's a little harder for them to trojan it that way.

    --
    It's simple: I demand prosecution for torture.