(Ted Harding) wrote:
On 03-Oct-04 Maura Edelweiss Monville wrote:
[...] Sorry for my ignorance ... what is a "a rootkit hunter" ?????
Regards, Maura
Myself I hadn't even heard of "rootkit" until very recently when someone posted to linux-users@lists.man.ac.uk that he had been infected twice over. In his explanation to me he wrote:
"An apache vulnerability is where carefully crafted information is sent to such a web server, thus overrunning a buffer or such-like, and being able to install and execute arbitrary code.
A rootkit is the stuff script-kiddies (people who use software provided from elsewhere) install on your machine, in an attempt to replace core utilities (ls, find, ps, top, ....) by ones that don't show illicit activity, even when it is taking place. In my case they don't seem to have gained root access, so have been unable to totally screw my machine, but they installed their own telnetd, nmap, stealth scanners and other software.
The main problem is that chkrootkit (www.chkrootkit.org) doesn't scan for these rootkits, since they are not included. It is still worth your while to use chkrootkit!"
So I went to
and installed chkrootkit anyway! There may be other rootkit-checkers out there which may be preferable. There is a lot of info on this site about how rootkits work.
Some of chkrootkit's tests are a bit dumb, and likely to throw up false positives (which is way better than false negatives!). In particular, any file under /usr/lib/ whose filename begins with a "." will be flagged up. Since these can be created by standard software (e.g. perl, java) they need not be, and probably are not, sinister. But don't take this for granted either!
I hope this helps! Ted.
I've used chkrootkit in the past, a long time since I've seen it, now I use rkhunter-1.1.8-1.noarch.rpm (latest).

One thing I have always installed promptly on all distros going back quite a few years right up to (SuSE 9.1 x86 and x86_64, Mandrake 10.0 and gentoo-2004-2) is libsafe, http://www.research.avayalabs.com/project/libsafe/, it stops buffer overflows doing nasties, format strings and other attacks. I think only the Brazilian distro (Conectiva) includes it as standard. SuSE was very anti libsafe when it first came out, possibly because at that time it stopped the binary working and resultant complaints may have scared them off; now it is able to let the binary run, but makes sure it doesn't overwrite, negligible performance hit also.

From the blurb:-

Projects: Libsafe

The exploitation of buffer overflow and format string vulnerabilities in process stacks constitutes a significant portion of security attacks in recent years. We present a new method to detect and handle such attacks. In contrast to previous work, our method does not require any modification to the operating system and works with existing binary programs. Our method does not require access to the source code of defective programs, nor does it require recompilation or off-line processing of binaries. Furthermore, it can be implemented on a system-wide basis transparently. Our solution is based on a middleware software layer that intercepts all function calls made to library functions that are known to be vulnerable. A substitute version of the corresponding function implements the original functionality, but in a manner that ensures that any buffer overflows are contained within the current stack frame, thus, preventing attackers from 'smashing' (overwriting) the return address and hijacking the control flow of a running program.
barrabas:/ftp/oct04 # ldd /usr/bin/grep
        /lib/libsafe.so.2 => /lib/libsafe.so.2 (0x40019000)
        linux-gate.so.1 => (0xffffe000)
        libc.so.6 => /lib/tls/libc.so.6 (0x40059000)
        libdl.so.2 => /lib/libdl.so.2 (0x4016e000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

Most of the updates to all distros are to do with buffer overflows, so I preempt them with libsafe.

Regards Sid.
--
Sid Boyce .... Hamradio G3VBV and keen Flyer
=====LINUX ONLY USED HERE=====
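To make the mechanism in the libsafe blurb concrete, here is an added example (not libsafe's own source and not from this thread) of a strcpy substitute that refuses any copy that would reach the caller's saved frame pointer and return address. It assumes GCC or Clang (`__builtin_frame_address`) and a downward-growing stack; `frame_bound`, `frame_bounded_strcpy`, `copy_into_local` and `copy_oversized` are hypothetical names, and the caller passes its frame address explicitly where libsafe walks the saved frame pointers itself from inside the intercepted libc call.

```c
#include <stddef.h>
#include <string.h>

/* Bytes that may be written starting at dst before the write reaches
 * `frame`, the frame-pointer address of the function owning dst (the saved
 * frame pointer and return address sit at and above that address on a
 * downward-growing stack). Returns 0 if dst is not below the frame at all. */
size_t frame_bound(const void *dst, const void *frame)
{
    const char *d = dst, *f = frame;
    return d < f ? (size_t)(f - d) : 0;
}

/* strcpy replacement in the style of libsafe's substitute functions: the
 * copy is performed only when it stays inside the caller's stack frame, so
 * the return address cannot be overwritten. Returns 0 on success, -1 when
 * the copy was refused. Hypothetical wrapper: the caller supplies its own
 * frame address, whereas libsafe derives it by walking saved frame pointers. */
int frame_bounded_strcpy(char *dst, const char *src, const void *frame)
{
    size_t need = strlen(src) + 1;   /* include the terminating NUL */
    if (need > frame_bound(dst, frame))
        return -1;                   /* would reach saved fp / return address */
    memcpy(dst, src, need);
    return 0;
}

/* A function with a small local buffer, the classic overflow victim.
 * Returns the copied length on success, -1 if the wrapper refused the copy.
 * Like libsafe, the bound is the frame, not buf: an input longer than 16
 * bytes that still fits below the frame pointer is allowed and would clobber
 * neighbouring locals, only the control-flow hijack is prevented. */
int copy_into_local(const char *src)
{
    char buf[16];
    if (frame_bounded_strcpy(buf, src, __builtin_frame_address(0)) != 0)
        return -1;
    return (int)strlen(buf);
}

/* Constructed oversized input: `len` bytes of 'A', far larger than any
 * frame copy_into_local could have, so the wrapper must refuse it. */
int copy_oversized(size_t len)
{
    static char big[32768];
    if (len >= sizeof big)
        len = sizeof big - 1;
    memset(big, 'A', len);
    big[len] = '\0';
    return copy_into_local(big);
}
```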