Hello Maura, Maura Monville wrote:

Recently my desktop internet connection was closed by the department systems administrator because of suspicious frequent network accesses. Since I have been running SuSE for many years and never had virus problems I was quite surprised. Anyway, in addition to the regular checks and tests they perform in these cases, I was asked whether there exists a system tool to verify the integrity of the system configuration. Basically they want to double check that all what is currently installed on my system, excluding my own applications, are regular SuSE updated packages rather than some malicious program, rootkit, and so on ... Thank you in advance for your help. Maura To check for rootkits, use "chkrootkit" (part of the official OpenSuSE repo). For viruses, you can use ClamAV (also in the OpenSuSE repo and on Packman). I'm not aware of any anti-spyware tool for Linux.

Checking for the presence of "unauthorised" packages on your machine (outside of rootkits) may be trickier, but you could try this approach: for all installed RPMs, check with "rpm -q -i" that they have the Vendor field == "openSUSE". Then, with "rpm -q -l", list all files that they install and append it to a single text file (make sure to sort it, too). You now have all "official" files of your distro. Then generate a second file (with a simple "find /") to list all files and directories on your machine. Sort it the same way as the first file. Diff both: you should be able to explain any file listed in the diff (own files, logs files, temp files, files generated at runtime, etc.). Not trivial, of course. Another approach: since you're concerned about unusual network traffic, you can install "wireshark" on your computer and sniff your own interface. That should give you more information about the traffic in question. Coupled with "netstat", you should be able to isolate the application causing it. HTH Cheers. Bye. Ph. A. -- *Philippe Andersson* Unix System Administrator IBA Particle Therapy | Tel: +32-10-475.983 Fax: +32-10-487.707 eMail: pan@iba-group.com http://www.iba-worldwide.com The contents of this e-mail message and any attachments are intended solely for the recipient (s) named above. This communication is intended to be and to remain confidential and may be protected by intellectual property rights. Any use of the information contained herein (including but not limited to, total or partial reproduction, communication or distribution of any form) by persons other than the designated recipient(s) is prohibited. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free. Ion Beam Applications does not accept liability for any such errors. Thank you for your cooperation.

On October 27, 2009, Maura Monville wrote:

Recently my desktop internet connection was closed by the department systems administrator because of suspicious frequent network accesses. Since I have been running SuSE for many years and never had virus problems I was quite surprised. Anyway, in addition to the regular checks and tests they perform in these cases, I was asked whether there exists a system tool to verify the integrity of the system configuration. Basically they want to double check that all what is currently installed on my system, excluding my own applications, are regular SuSE updated packages rather than some malicious program, rootkit, and so on ... Thank you in advance for your help. Maura

I've used Chkrootkit and rkhunter. I have had trouble in the past with rkhunter not recognizing the SuSE install but there is now a release for 11.1. Double checking the false positives is not a bad thing when there are only a few. What do you have running, automatic updates, ntp, RSS, mail can all access the network automatically have you changed any configurations there? Have they changed their tests? -- Collector of vintage computers http://www.ncf.ca/~ba600 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Tue, 27 Oct, 2009 at 05:00:19 +0000, Maura Monville wrote:

Anyway, in addition to the regular checks and tests they perform in these cases, I was asked whether there exists a system tool to verify the integrity of the system configuration.

Well: rpm --verify --all sort of does that. Problem would be that you really can't trust rpm of the running system, since you can't know if rpm, the database or any of the stuff rpm uses are compromised. But that pretty much goes for any/all systems; windows, *nix, whathavewe...

Basically they want to double check that all what is currently installed on my system, excluding my own applications, are regular SuSE updated packages rather than some malicious program, rootkit, and so on ...

The only way to be 'sure' would be to boot the system from some 'pristine' media (cd, dvd downloaded and burnt by a different system) and do the checks from there. hth /jon -- YMMV -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org