
Re: [LUG] Rootkit Query

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Bell wrote:
> On Thursday 19 May 2005 11:48, Grant Sewell wrote:
>> One thing that strikes me with this comment should be fairly obvious.  If
>> you run chrootkit for the first time on an already cracked system, then it
>> will consider the cracked files to be "normal".
>
> This comment is made in the package blurb, prior to installation and therefore
> infers to me that one shouldn't rely on chrootkit to find everything - even
> after a squeaky clean install.

The only rootkit I saw in the wild (Eek - not a lot of sleep for a few
days) was spotted easily by chrootkit, even after just bunging it in
/root after infection (we just needed to know what was wrong).

In this case I think it spotted differences between /proc and the list
of running processes returned by the modified "ps" executable or library.

Although some difference between "ps" and /proc can occur on correctly
configured systems the nature and number of differences gave the
blighter away.

Generally when a rootkit is in place it is there for a purpose, so you
can snaffle the traffic on the wire (from a different box), and see
there is rogue traffic (might be hard if the box is busy or the traffic
is https, or tunnels over DNS or some such).

It is impossible to be 100% confident a system hasn't been compromised.

What makes you think it has? As the rootkit we had made the system
unstable, which is very unusual for Linux boxes, but also there were
other bad signs.

We use fingerprinting tools (tripwire) at work to help look for rogue
file changes (also handy if your fellow admin forgets to mention
something they changed). If you haven't fingerprinted a clean system,
you can still use the packaging tool to test for file consistency.
Debian dpkg for example stores checksums for every file installed that
way. Not perfect as a sufficiently able rootkit could hide itself
(unless you boot from clean media), but in most cases rootkits are only
trying to evade accidental discovery not prolonged and detailed
investigation.
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCjNniGFXfHI9FVgYRAhN6AJ4vZRVk8yQJz2IbEAKPUHUc9Hq4HACffNfD
/SNcgX2WXANiH6vzW/tyJos=
=6EAW
-----END PGP SIGNATURE-----
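
Added example (editor's, not code from the list post, nor from the chkrootkit or dpkg projects): the two checks described above as one small POSIX shell script. hidden_pids() compares the PIDs the kernel exposes in /proc with the PIDs a possibly trojaned ps is willing to report; verify_md5sums() recomputes the md5 of every file listed in dpkg's per-package checksum lists (/var/lib/dpkg/info/PACKAGE.md5sums, the checksums the post refers to) and prints the ones that differ. It goes one step beyond the post by re-checking each candidate PID so that processes which merely exited between the two snapshots are not reported. Assumed available: procps ps, GNU coreutils md5sum, POSIX awk and mktemp; the function names, the --live flag and the fixture names in the usage note (procps.md5sums, a scratch root) are my own choices.

```shell
#!/bin/sh
# Post-incident consistency checks for a Linux box that may be rootkitted.
# Editor's example, not code from the list post: it scripts the two checks
# the post describes (ps vs /proc, and dpkg's stored checksums).
# Tool assumptions: procps ps, GNU coreutils md5sum, POSIX awk and mktemp.

# hidden_pids PROC_FILE PS_FILE
#   PROC_FILE: one PID per line, as listed by the kernel in /proc
#   PS_FILE:   one PID per line, as reported by ps
# Prints PIDs present in PROC_FILE but absent from PS_FILE, i.e. processes
# the kernel knows about that ps is not showing.  A userland rootkit that
# replaces ps or libproc produces exactly this discrepancy.
hidden_pids() {
    # First pass (the ps list) fills "seen"; second pass prints PIDs not seen.
    # Testing FILENAME rather than NR==FNR keeps this correct when PS_FILE is empty.
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next }
         !($1 in seen)' "$2" "$1"
}

# verify_md5sums INFO_DIR [ROOT]
#   INFO_DIR: directory holding dpkg's PACKAGE.md5sums lists
#             (/var/lib/dpkg/info on a real system)
#   ROOT:     filesystem root the paths in those lists are relative to
#             (default /; a mount point when checking a disk from clean media)
# Prints "package: path: FAILED" for every listed file whose md5 no longer
# matches what dpkg recorded at install time.  Conffiles under /etc are
# not in these lists, and a package without a .md5sums file is skipped.
verify_md5sums() {
    info=$(cd "$1" && pwd)      # absolute, because we cd to ROOT below
    root=${2:-/}
    for list in "$info"/*.md5sums; do
        [ -e "$list" ] || continue
        pkg=$(basename "$list" .md5sums)
        # md5sum -c --quiet prints only the files that fail; its warning
        # summary goes to stderr, which we drop.
        (cd "$root" && md5sum -c --quiet "$list" 2>/dev/null) | sed "s/^/$pkg: /"
    done
}

# live_check: snapshot this machine and report confirmed hidden processes,
# then list every packaged file that differs from dpkg's recorded checksum.
live_check() {
    t=$(mktemp -d)
    ls /proc | grep -E '^[0-9]+$' > "$t/proc"   # what the kernel exposes
    ps -e -o pid= | tr -d ' '   > "$t/ps"       # what ps admits to
    for pid in $(hidden_pids "$t/proc" "$t/ps"); do
        # Short-lived processes (the ls/grep above) are gone by now and
        # drop out; a really hidden one is still in /proc and is still
        # missing when ps is asked for it by PID.
        if [ -d "/proc/$pid" ] && ! ps -p "$pid" -o pid= >/dev/null 2>&1; then
            echo "HIDDEN pid $pid: $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
    rm -rf "$t"
    echo "--- files differing from dpkg's recorded checksums ---"
    verify_md5sums /var/lib/dpkg/info /
}

# Only touch the live system when explicitly asked (sh script.sh --live).
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it as `sh script.sh --live` on the suspect box, or with the disk mounted under a clean boot and `verify_md5sums /mnt/var/lib/dpkg/info /mnt`. Two caveats that match the post's own reservations: the /proc comparison catches a replaced ps or libproc (the case described above), not a kernel module that also hides entries from /proc; and the .md5sums lists live on the suspect disk, so a careful intruder can rewrite them along with the binaries, which is why a check from clean media against freshly downloaded packages (debsums can fetch them) is the stronger version of the same idea.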

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe. FAQ: www.dcglug.org.uk/linux_adm/list-faq.html