[opensuse] How to look for rootkits, spyware, virus, ....
Recently my desktop internet connection was closed by the department systems administrator because of suspicious frequent network accesses. Since I have been running SuSE for many years and never had virus problems I was quite surprised. Anyway, in addition to the regular checks and tests they perform in these cases, I was asked whether there exists a system tool to verify the integrity of the system configuration. Basically they want to double check that all what is currently installed on my system, excluding my own applications, are regular SuSE updated packages rather than some malicious program, rootkit, and so on ... Thank you in advance for your help. Maura -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Hello Maura, Maura Monville wrote:
Recently my desktop internet connection was closed by the department systems administrator because of suspicious frequent network accesses. Since I have been running SuSE for many years and never had virus problems I was quite surprised. Anyway, in addition to the regular checks and tests they perform in these cases, I was asked whether there exists a system tool to verify the integrity of the system configuration. Basically they want to double check that all what is currently installed on my system, excluding my own applications, are regular SuSE updated packages rather than some malicious program, rootkit, and so on ... Thank you in advance for your help. Maura
To check for rootkits, use "chkrootkit" (part of the official OpenSuSE repo). For viruses, you can use ClamAV (also in the OpenSuSE repo and on Packman). I'm not aware of any anti-spyware tool for Linux.
Checking for the presence of "unauthorised" packages on your machine (outside of rootkits) may be trickier, but you could try this approach: for all installed RPMs, check with "rpm -q -i" that they have the Vendor field == "openSUSE". Then, with "rpm -q -l", list all files that they install and append it to a single text file (make sure to sort it, too). You now have all "official" files of your distro. Then generate a second file (with a simple "find /") to list all files and directories on your machine. Sort it the same way as the first file. Diff both: you should be able to explain any file listed in the diff (own files, log files, temp files, files generated at runtime, etc.). Not trivial, of course.
Another approach: since you're concerned about unusual network traffic, you can install "wireshark" on your computer and sniff your own interface. That should give you more information about the traffic in question. Coupled with "netstat", you should be able to isolate the application causing it.
HTH Cheers. Bye. Ph. A. -- *Philippe Andersson* Unix System Administrator IBA Particle Therapy | http://www.iba-worldwide.com
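The owned-versus-present comparison Philippe describes, as an added example that is not his script or part of the thread. It assumes the manifest is built with rpm -qa (using a --qf vendor format) plus rpm -ql, and the disk listing with find / -xdev; all three outputs are constructed inline, and a short list of volatile directories is skipped so the diff is not swamped by logs and user files.

```python
# Added example (not Philippe's own script): the "owned vs present" file
# comparison described above, plus a vendor screen of the installed RPMs.
# Real input would come from (assumed commands):
#   rpm -qa --qf '%{NAME}\t%{VENDOR}\n'  |  rpm -ql "$pkg"  |  find / -xdev
# All three outputs are constructed inline here so the script runs offline.
import posixpath

TRUSTED_VENDORS = {"openSUSE"}  # assumption: extend if Packman etc. is allowed
# Directories expected to hold files no package owns (state, logs, user data).
VOLATILE = ("/proc", "/sys", "/dev", "/run", "/tmp", "/var/tmp", "/var/log",
            "/var/cache", "/var/lib/rpm", "/home", "/root")

def _under(path, dirs):
    # Match on whole path components, so "/home" does not match "/homebrew".
    return any(path == d or path.startswith(d + "/") for d in dirs)

def foreign_packages(qa_output):
    """Names of installed packages whose Vendor field is not trusted."""
    bad = []
    for line in qa_output.splitlines():
        if "\t" in line:
            name, vendor = line.split("\t", 1)
            if vendor.strip() not in TRUSTED_VENDORS:
                bad.append(name)
    return sorted(bad)

def path_set(text):
    """One path per line -> normalised set; sort order and duplicates no longer matter."""
    return {posixpath.normpath(l.strip()) for l in text.splitlines()
            if l.strip().startswith("/")}

def compare(owned, present):
    """(unowned files on disk, package files missing from disk), volatile dirs skipped."""
    unowned = sorted(p for p in present - owned if not _under(p, VOLATILE))
    missing = sorted(p for p in owned - present if not _under(p, VOLATILE))
    return unowned, missing

# Constructed sample data standing in for the three command outputs.
SAMPLE_QA = "bash\topenSUSE\nchkrootkit\topenSUSE\nmystery\tUnknown Builder\n"
SAMPLE_OWNED = "/bin/bash\n/usr/bin/ls\n/usr/sbin/chkrootkit\n/etc/passwd\n"
SAMPLE_FIND = ("/bin/bash\n/usr/bin/ls\n/usr/sbin/chkrootkit\n/etc/passwd\n"
               "/usr/bin/notowned\n/var/log/messages\n/home/maura/notes.txt\n"
               "/proc/1/status\n")

if __name__ == "__main__":
    print("packages from untrusted vendors:", foreign_packages(SAMPLE_QA))
    unowned, missing = compare(path_set(SAMPLE_OWNED), path_set(SAMPLE_FIND))
    print("unowned files to explain:", unowned)
    print("package files missing from disk:", missing)
```

Anything left in the unowned list is what you then have to account for by hand, exactly as the message says.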
On 27.10.2009, Maura Monville wrote:
...I was asked whether there exists a system tool to verify the integrity of the system configuration.
http://sourceforge.net/projects/aide/
On October 27, 2009, Maura Monville wrote:
Recently my desktop internet connection was closed by the department systems administrator because of suspicious frequent network accesses. Since I have been running SuSE for many years and never had virus problems I was quite surprised. Anyway, in addition to the regular checks and tests they perform in these cases, I was asked whether there exists a system tool to verify the integrity of the system configuration. Basically they want to double check that all what is currently installed on my system, excluding my own applications, are regular SuSE updated packages rather than some malicious program, rootkit, and so on ... Thank you in advance for your help. Maura
I've used Chkrootkit and rkhunter. I have had trouble in the past with rkhunter not recognizing the SuSE install, but there is now a release for 11.1. Double checking the false positives is not a bad thing when there are only a few. What do you have running? Automatic updates, ntp, RSS and mail can all access the network automatically. Have you changed any configurations there? Have they changed their tests? -- Collector of vintage computers http://www.ncf.ca/~ba600
On Tuesday, 2009-10-27 at 05:00 -0000, Maura Monville wrote:
Recently my desktop internet connection was closed by the department systems administrator because of suspicious frequent network accesses.
Ask them to expand on that, to specify what those accesses they see are, and to provide logs or captures. -- Cheers, Carlos E. R.
On Tue, 27 Oct, 2009 at 05:00:19 +0000, Maura Monville wrote:
Anyway, in addition to the regular checks and tests they perform in these cases, I was asked whether there exists a system tool to verify the integrity of the system configuration.
Well: rpm --verify --all sort of does that. Problem would be that you really can't trust rpm of the running system, since you can't know if rpm, the database or any of the stuff rpm uses are compromised. But that pretty much goes for any/all systems; windows, *nix, whathavewe...
Basically they want to double check that all what is currently installed on my system, excluding my own applications, are regular SuSE updated packages rather than some malicious program, rootkit, and so on ...
The only way to be 'sure' would be to boot the system from some 'pristine' media (cd, dvd downloaded and burnt by a different system) and do the checks from there. hth /jon -- YMMV
On Wednesday, 2009-10-28 at 21:39 +0100, Jon Clausen wrote:
On Tue, 27 Oct, 2009 at 05:00:19 +0000, Maura Monville wrote:
Anyway, in addition to the regular checks and tests they perform in these cases, I was asked whether there exists a system tool to verify the integrity of the system configuration.
Well:
rpm --verify --all
sort of does that. Problem would be that you really can't trust rpm of the running system, since you can't know if rpm, the database or any of the stuff rpm uses are compromised.
I /think/ you can do that from the rescue system. I saw something of the sort in yast (rescue from dvd). I suppose it would use the rpm command in the live, but the rpm database in the hd... :-? -- Cheers, Carlos E. R.
On Wed, 28 Oct, 2009 at 22:13:54 +0100, Carlos E. R. wrote:
On Wednesday, 2009-10-28 at 21:39 +0100, Jon Clausen wrote:
On Tue, 27 Oct, 2009 at 05:00:19 +0000, Maura Monville wrote:
Anyway, in addition to the regular checks and tests they perform in these cases, I was asked whether there exists a system tool to verify the integrity of the system configuration.
Well:
rpm --verify --all
sort of does that. Problem would be that you really can't trust rpm of the running system, since you can't know if rpm, the database or any of the stuff rpm uses are compromised.
I /think/ you can do that from the rescue system. I saw something of the sort in yast (rescue from dvd). I suppose it would use the rpm command in the live, but the rpm database in the hd... :-?
Something like that. I never noticed that option in YaST, but I guess one should be careful not to actually apply anything ;) Basically what I was thinking was something to the effect of;
* boot from cd/dvd to 'rescue'
* mount filesystems (say, '/' mounted on '/mnt/')
* rpm --verify --all --root /mnt/
But I've never actually done it, so this is just 'thinking loud'... Of course this only takes care of stuff that rpm knows about. And you'd still need to manually verify the config files etc that *have* been changed from the defaults. /jon -- YMMV
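An added example, not code from the thread: a small parser and triage for the rpm --verify --all output Jon proposes (the same lines come back from a --root /mnt run off rescue media), separating the config files he notes must still be reviewed by hand from replaced binaries and libraries. It assumes the rpm 4.6-era nine-flag verify line format; the sample output is constructed.

```python
# Added example, not from the thread: triage of "rpm --verify --all" output
# (also works on output captured with "--root /mnt" from rescue media).
# Assumed rpm 4.6+ format: 9 attribute flags or "missing", optional type
# letter (c config, d doc, g ghost, l licence, r readme), then the path.
# Flags: S size M mode 5 digest D device L link U user G group T mtime
# P capabilities; '.' = passed, '?' = test could not run.
import re

VERIFY_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+"
    r"(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S.*)$")
BINARY_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/lib", "/lib64",
               "/usr/lib", "/usr/lib64", "/boot")

def parse_verify_line(line):
    """Return (flags, ftype or None, path), or None for unparseable lines."""
    m = VERIFY_RE.match(line.rstrip("\n"))
    return (m.group("flags"), m.group("ftype"), m.group("path")) if m else None

def classify(flags, ftype, path):
    """Rate one reported file as 'high', 'review' or 'low'."""
    in_bin = any(path == d or path.startswith(d + "/") for d in BINARY_DIRS)
    if flags == "missing":
        return "high" if in_bin else "review"
    content = any(f in flags for f in "S5L")   # size, digest or link target
    perms = any(f in flags for f in "MUGP")    # mode, owner, capabilities
    if ftype == "c":                           # config: expected to differ,
        return "review" if content or perms else "low"   # but must be read
    if ftype in ("d", "l", "r"):               # docs and licences
        return "low"
    if content and in_bin:
        return "high"                          # code or library replaced
    if content or perms:
        return "review"
    return "low"                               # mtime only, or untestable

def triage(output):
    buckets = {"high": [], "review": [], "low": []}
    for line in output.splitlines():
        parsed = parse_verify_line(line)
        if parsed:
            buckets[classify(*parsed)].append(parsed[2])
    return buckets
# Constructed sample standing in for a real rpm -V run.
SAMPLE = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/man/man1/ls.1.gz
S.5....T.    /usr/bin/ls
.M.......    /usr/bin/passwd
missing     /sbin/ifconfig
"""
```

Pipe the real output into triage() and read the "high" bucket first; a changed digest on a file under the binary directories is the one result rpm alone cannot explain away.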
Participants (6): Carlos E. R., Heinz Diehl, Jon Clausen, Maura Monville, Mike, Philippe Andersson