[Tfug] Root Hits
Quag7
deepspace at dataswamp.net
Fri Oct 5 02:13:56 MST 2007
On Friday 05 October 2007 12:53:51 am Felix Tilley wrote:
> At last night's happy hour, the subject of root kits came up. Try
>
> www.chkrootkit.org.
>
> This site is in Brazil, and may be blocked by your firewall. This site
> has not been updated since 2006. So it may not be up to date.
>
> Bug: It looks for lastlog in /var/adm. You may need to make a soft
> link to /var/log/lastlog.
Good recommendation, if no one else is aware of it.
Definitely a brick in the security wall. People like to scoff at tools like
this but I'd feel silly not using it as one of the several steps I take to
secure and scan a server.
Some people like to point out that the tool itself can be patched to give
false output if the root account is compromised, or that new rootkits are
coming out all the time, and as such it can give a sense of false security,
as if these things are somehow not obvious. The two security breaches on
systems I've had to deal with have been by script kiddies who used
off-the-shelf rootkits such as the ones tools like chkrootkit detect.
(In one case, Interland provisioned us a Cobalt RAQ with the admin password
set to blank and fully exposed to the internet, the web admin interface
flapping in the proverbial breeze. I'm hardly a security guru by any
standard, but sheesh.)
You might be interested in its cousin:
http://rkhunter.sf.net/
I run both, plus AIDE, which I hate because I update my system so often that
the DB is always out of date, but what can you do.
rkhunter gives some false positives on Debian (some patched files, or
indeterminate versions), and for some reason reports 0 byte lock files
(certain ones) as suspicious, but these are easily ignored and fairly obvious
and consistent.
There's also a program called vnstat which consistently reports on bandwidth
usage, in a nice, easy-to-read format. Linux servers are often used to serve
warez (the term "warez" has become a legitimate term, at least in my company.
I've seen it used in stuffy formal memos from our legal department. Do you
know how utterly stupid I feel even typing it, now, at 35 years old?). As a
result, one way of detecting that there's a problem is a sudden spike in
bandwidth usage, which, if they're serving warez (cringe), there will be.
http://humdi.net/vnstat/
I run several of the vnstat reports and send myself an e-mail daily to have a
look.
k-r4D d00d! 0-3 d4ys 0nly! n0 l4M3RZ! H/P/A/V, EMPIRE 3.0!!!!!
-Quag7
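The bandwidth-spike check described in the post, as an added example that is not part of the original message or of vnstat itself: it parses a constructed, simplified vnstat-style daily table and flags days whose outbound traffic dwarfs the median of the other days. The table layout, the unit set and the threshold factor are assumptions for this example.

```python
"""Flag sudden bandwidth spikes in a daily traffic table.

Added example, not from the original post. The table below is constructed
in a simplified vnstat-like daily layout (date, rx, tx, total); real vnstat
output differs in detail, so the regex is written for this constructed form.
"""
import re
import statistics

SAMPLE_REPORT = """\
 eth0 / daily (constructed sample)
      day         rx       |      tx       |     total
   09/28/07     1.10 GiB   |   0.40 GiB    |   1.50 GiB
   09/29/07     1.20 GiB   |   0.35 GiB    |   1.55 GiB
   09/30/07     0.95 GiB   |   0.45 GiB    |   1.40 GiB
   10/01/07     1.05 GiB   |   0.38 GiB    |   1.43 GiB
   10/02/07     1.15 GiB   |   0.42 GiB    |   1.57 GiB
   10/03/07     1.00 GiB   |  38.20 GiB    |  39.20 GiB
   10/04/07     1.08 GiB   |   0.41 GiB    |   1.49 GiB
"""

UNITS = {"KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}
ROW = re.compile(
    r"^\s*(\d\d/\d\d/\d\d)\s+([\d.]+)\s+(KiB|MiB|GiB)\s*\|\s*([\d.]+)\s+(KiB|MiB|GiB)"
)


def parse_daily(report):
    """Return a list of (date, rx_bytes, tx_bytes) rows from the constructed table."""
    rows = []
    for line in report.splitlines():
        m = ROW.match(line)
        if m:
            rx = float(m.group(2)) * UNITS[m.group(3)]
            tx = float(m.group(4)) * UNITS[m.group(5)]
            rows.append((m.group(1), int(rx), int(tx)))
    return rows


def find_spikes(rows, factor=5.0):
    """Flag days whose tx exceeds `factor` times the median tx of the other days.

    Outbound (tx) is the column compared because a box quietly serving files
    inflates it; the median keeps one spike day from dragging the baseline up.
    Returns (date, ratio_to_baseline) pairs.
    """
    flagged = []
    for date, _rx, tx in rows:
        others = [t for d, _, t in rows if d != date]
        baseline = statistics.median(others) if others else 0
        if baseline and tx > factor * baseline:
            flagged.append((date, round(tx / baseline, 1)))
    return flagged


if __name__ == "__main__":
    for date, ratio in find_spikes(parse_daily(SAMPLE_REPORT)):
        print(f"{date}: outbound traffic {ratio}x the median of the other days")
```

Piping the result into the daily e-mail the post describes turns a report you have to read into one that only needs reading when a day is flagged.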