Mailinglist Archive: opensuse (1599 mails)

Re: [opensuse] How to look for rootkits, spyware, virus, ....
  • From: Philippe Andersson <pan@xxxxxxxxxxxxx>
  • Date: Tue, 27 Oct 2009 11:29:44 +0100
  • Message-id: <4AE6CB98.3040308@xxxxxxxxxxxxx>
Hello Maura,

Maura Monville wrote:
> Recently my desktop internet connection was closed by the department
> systems administrator because of suspicious frequent network
> accesses. Since I have been running SuSE for many years and never had
> virus problems I was quite surprised. Anyway, in addition to the
> regular checks and tests they perform in these cases, I was asked
> whether there exists a system tool to verify the integrity of the
> system configuration. Basically they want to double check that all
> what is currently installed on my system, excluding my own
> applications, are regular SuSE updated packages rather than some
> malicious program, rootkit, and so on ... Thank you in advance for
> your help. Maura

To check for rootkits, use "chkrootkit" (part of the official OpenSuSE
repo). For viruses, you can use ClamAV (also in the OpenSuSE repo and on
Packman). I'm not aware of any anti-spyware tool for Linux.

Checking for the presence of "unauthorised" packages on your machine
(outside of rootkits) may be trickier, but you could try this approach:
for all installed RPMs, check with "rpm -q -i" that they have the Vendor
field == "openSUSE". Then, with "rpm -q -l", list all files that they
install and append it to a single text file (make sure to sort it, too).
You now have all "official" files of your distro. Then generate a second
file (with a simple "find /") to list all files and directories on your
machine. Sort it the same way as the first file. Diff both: you should
be able to explain any file listed in the diff (own files, log files,
temp files, files generated at runtime, etc.). Not trivial, of course.

Another approach: since you're concerned about unusual network traffic,
you can install "wireshark" on your computer and sniff your own
interface. That should give you more information about the traffic in
question. Coupled with "netstat", you should be able to isolate the
application causing it.


Cheers. Bye.

Ph. A.


*Philippe Andersson*
Unix System Administrator
IBA Particle Therapy |
Tel: +32-10-475.983
Fax: +32-10-487.707
eMail: pan@xxxxxxxxxxxxx
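
The package and file-list comparison described in the reply above, written out as a shell script; this is an added example, not part of the original mail. The function names and the `--live`/`--demo` switches are assumptions made for illustration, and the sample paths in `demo` are constructed.

```shell
#!/bin/sh
# Added example, not from the original mail; function names are hypothetical.

# Read "name<TAB>vendor" lines on stdin and print the packages whose vendor
# differs from the expected one (default "openSUSE", as in the mail).
foreign_vendor_pkgs() {
    awk -F '\t' -v want="${1:-openSUSE}" '$2 != want { print $1 "\t" $2 }'
}

# $1 = paths owned by packages, $2 = paths found on disk (one per line).
# Print the paths on disk that no package owns. Both lists are sorted with
# the same C collation, because comm needs identically ordered input.
unowned_files() {
    owned=$(mktemp) && found=$(mktemp) || return 1
    LC_ALL=C sort -u "$1" > "$owned"
    LC_ALL=C sort -u "$2" > "$found"
    LC_ALL=C comm -13 "$owned" "$found"
    rm -f "$owned" "$found"
}

# Collect the real lists on an RPM-based host (run as root).
audit_live() {
    work=$(mktemp -d) || return 1
    rpm -qa --qf '%{NAME}\t%{VENDOR}\n' | foreign_vendor_pkgs > "$work/foreign.txt"
    rpm -qa -l > "$work/owned.txt"
    # Skip kernel pseudo-filesystems, whose entries are generated at runtime.
    find / \( -path /proc -o -path /sys -o -path /dev \) -prune -o -print \
        > "$work/found.txt" 2>/dev/null
    unowned_files "$work/owned.txt" "$work/found.txt" > "$work/unowned.txt"
    echo "results in $work"
}

# Constructed sample lists, so the comparison can be tried without rpm.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' /usr/bin/ls /etc/passwd /bin/sh > "$d/owned"
    printf '%s\n' /bin/sh /etc/passwd /usr/local/bin/unknown-tool /usr/bin/ls > "$d/found"
    unowned_files "$d/owned" "$d/found"
    rm -rf "$d"
}

case "${1:-}" in
    --live) audit_live ;;
    --demo) demo ;;
esac
```

The comparison only surfaces files that no package owns; it does not notice a package-owned file whose contents were replaced, which `rpm -Va` checks against the RPM database.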
