    #1 questio verum

    Rootkit questions - suspect compromised box


    I have reason to suspect my box has been compromised by a rootkit. I recently cleaned my drive and installed Ubuntu Studio. In the process I pulled some packages from restricted repos. Today, when I started this session, Ubuntu flashed a message saying Firestarter was being turned off. After GNOME loaded, I tried to load Firestarter from the menu and was prompted for my password. Firestarter never asks me for my password unless I'm making changes. There were other signs too, but I've been focused on a hardware problem since install, and errantly assumed the other symptoms were being triggered by that (or by a poorly QA'ed update). I started getting that sinking feeling as I did a mental calculation of every password, online transaction, email, etc. that's been executed from my rig in the last week.

    I've done a preliminary search for info on rootkit detection, removal, and prophylaxis. It's not encouraging. Much of the information I've googled is dated and contradictory. So I ask:

    - Is writing zeroes to the drive the only foolproof way to clean it? If not, what is the best option short of this?

    - What is the best way to protect my rig from a rootkit in the future?

    - Is there a detection package or method that will reliably detect a rootkit?

    - Is there a reliable package or method to detect a rootkit before it's installed and active? Like if it were embedded in a package from a non-supported repo, or from any downloadable or transferable source?


    I re-read Fingal's sticky on security and am reviewing my entire approach to securing my system. Any accurate information, as pertains to rootkits, would be welcomed. In the meantime I'll be contacting my bank and changing passwords from a (hopefully) secure rig. Thanks.

    qv

    #2 Dapper Dan
    Do:
    Code:
    sudo apt-get install rkhunter
    After it is installed, do:
    Code:
    sudo rkhunter --update
    When it is up to date, run:
    Code:
    sudo rkhunter -c --sk -r /

    #3 i92guboj
    To inject a rootkit into your system, the user who's doing it needs to become root. So, the key points here are these:

    1. Avoid other users becoming root.
    2. Be very careful with what you install when YOU are root.


    Achieving 1 100% is very difficult; there are some things that help, though:
    • It is very important to be up to date with regard to security updates; that's the best way to keep critical vulnerabilities out of your system.
    • Do not run services you are not going to use; those are open doors that can pose a security risk if a vulnerability is discovered that can be used to escalate privileges.
    • Do not allow remote root logins via ssh if you run ssh.
    • Use secure alternatives for everything, with encryption. For example, ssh instead of telnet.
    • Don't use dangerous programs as root (internet browsers, wine, etc. etc.).


    About 2: most distros do security checks, checksums and things like that when downloading packages, to make sure that nothing has been injected into the packages. None is invulnerable, though. The main thing you should be careful about is using community repositories, overlays or whatever they are called in your distro. The core packages of the distros are usually stable enough, but community-driven repositories can be problematic sometimes.

    Quote Originally Posted by questio verum:
    - Is writing zeroes to the drive the only foolproof way to clean it? If not, what is the best option short of this?
    Strictly speaking, that's true. However, I don't see much sense in that. If you reformat your drive the rootkit might be there, but it's not accessible via a filesystem, and it's not going to wake up like a zombie by itself. Just reformatting and reinstalling the bootloader should do. You could clean it manually, but depending on the attacker and the rootkit, that might not be an option, since you can't be 100% sure that there's no malicious code left in your system that will wake up at a given time.

    - What is the best way to protect my rig from a rootkit in the future?
    There's no best way. I explained above some general policies to observe. The best way is not to let it in.

    - Is there a detection package or method that will reliably detect a rootkit?
    There's rkhunter, as Dapper Dan said; however, the usefulness of rootkit hunters is really limited. They can only be used to detect rootkits that are already installed in your system. As I said above, to install a rootkit you first need to be root, and if someone became root and installed a rootkit, you have absolutely no guarantee that rkhunter has not been rootkited as well (so, it's almost useless really). Most of us run it just because its output is so nice. But it's not really a reliable diagnostic tool.

    - Is there a reliable package or method to detect a rootkit before it's installed and active? Like if it were embedded in a package from a non-supported repo, or from any downloadable or transferable source?
    Not that I know of. But it might be easy to patch rkhunter or chkrootkit to do so. Or wrap them in a bash script or something. Note that, as long as you only use stable and certified software as root, you are fairly safe. If you use a community repository for a game or a multimedia program that you are only using as a regular user, then whatever is injected into that program will only have the same rights that your regular user does. Not that it's a good thing though... there are a thousand million ways to escalate privileges once you have an unprivileged account.
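The caveat in this post, that a detector running on the compromised box may itself have been replaced, is why the check a practitioner actually trusts is done from a live CD/USB against the suspect disk mounted read-only. The script below is an added example, not part of this thread or of rkhunter: it compares the files under a mounted root against the md5sums that dpkg records for every installed package (the same comparison the debsums package makes), but using the md5sum binary of the live system you booted from. It assumes the Debian/Ubuntu layout ROOT/var/lib/dpkg/info/<pkg>.md5sums; the demo root it builds at the end is constructed for illustration. Note that the md5sums lists live on the suspect disk too, so a careful attacker can edit them along with the binaries; what this catches is the common case where only the binaries were swapped.

```shell
#!/bin/bash
# Added example, not from the thread: check a mounted, suspect root against
# the md5sums dpkg recorded when each package was installed, using the
# md5sum binary of the live system you booted from. Run this from a live
# CD/USB with the suspect disk mounted read-only, never from the suspect
# install itself, so the tools doing the checking are not the ones that may
# have been replaced.
# Assumption: ROOT uses the Debian/Ubuntu layout
# ROOT/var/lib/dpkg/info/<pkg>.md5sums, one "md5  relative/path" per line.

# verify_package ROOT PKG
# Prints one "MISMATCH <path>" or "MISSING <path>" line per problem.
# Exit status: 0 clean, 1 problems found, 2 no md5sums list for PKG.
verify_package() {
    local root=$1 pkg=$2 list="var/lib/dpkg/info/$2.md5sums"
    [ -f "$root/$list" ] || { echo "no md5sums list for $pkg" >&2; return 2; }
    # md5sum -c prints "<path>: OK", "<path>: FAILED" or
    # "<path>: FAILED open or read" per entry; its stderr summary is dropped.
    (cd "$root" && md5sum -c "$list" 2>/dev/null) | awk -F': ' '
        $2 == "OK"     { next }
        $2 == "FAILED" { print "MISMATCH", $1; bad++; next }
                       { print "MISSING", $1; bad++ }
        END            { exit (bad > 0) }'
}

# verify_root ROOT
# Runs verify_package for every package dpkg knows about under ROOT.
# Exit status: 0 if every package verified clean, 1 otherwise.
verify_root() {
    local root=$1 list pkg rc=0
    for list in "$root"/var/lib/dpkg/info/*.md5sums; do
        [ -e "$list" ] || continue      # no lists at all: the glob stayed literal
        pkg=$(basename "$list" .md5sums)
        verify_package "$root" "$pkg" || rc=1
    done
    return "$rc"
}

# make_demo_root: builds a constructed fake root for demonstration, with one
# intact file, one file replaced after installation and one file deleted.
# Prints the directory it created.
make_demo_root() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/var/lib/dpkg/info" "$root/bin"
    printf 'intact\n'   > "$root/bin/ls"
    printf 'original\n' > "$root/bin/ps"
    printf 'present\n'  > "$root/bin/netstat"
    (cd "$root" && md5sum bin/ls bin/ps bin/netstat) \
        > "$root/var/lib/dpkg/info/demo.md5sums"
    printf 'trojaned\n' > "$root/bin/ps"     # simulate a replaced binary
    rm "$root/bin/netstat"                   # simulate a removed file
    echo "$root"
}

demo_root=$(make_demo_root)
verify_root "$demo_root" || echo "problems found under $demo_root"
rm -rf "$demo_root"
```

On a real suspect disk mounted at /mnt, `verify_root /mnt` is the whole invocation. Treat a MISMATCH on anything in coreutils, procps or net-tools as a strong signal, and a MISMATCH on a config file under /etc as expected noise (dpkg records checksums for conffiles you may legitimately have edited).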

    #4 Dapper Dan
    i92guboj, perhaps you could write questio verum (and the rest of us for that matter) a patch for rkhunter that will do what you are talking about. I'd love to have that patch!

    #5 i92guboj
    Quote Originally Posted by Dapper Dan:
    i92guboj, perhaps you could write questio verum (and the rest of us for that matter) a patch for rkhunter that will do what you are talking about. I'd love to have that patch!
    A simple bash wrapper should do. Rootkit hunters look for specific rootkits in specific system files; however, they only make sense for some specific packages. rkhunter is not going to find anything in a package for kaffeine; it might be useful to look into coreutils, binutils or similar packages, though.

    Something like this, maybe:

    Code:
    #!/bin/bash
    # Unpack into a scratch directory instead of the current one, so the
    # archive layout no longer matters and nothing lands on the live system
    tmp=$(mktemp -d) || exit 1
    tar -xjpf "$1" -C "$tmp" || exit 1
    # Point rkhunter at the unpacked tree instead of the live root
    rkhunter --rootdir "$tmp" --checkall
    rc=$?
    rm -rf "$tmp"
    exit "$rc"
    This is a very simple example, which makes quite a lot of assumptions and is not ready for the end user; it's only meant as a very basic example.

    The basic idea is to uncompress the package into a temporary directory, and then set that directory as the root directory for rkhunter; that's all you should need.

    The procedure to uncompress and the concrete directory will be different depending on the package format and the distribution of choice, of course. Here, a full load of tools like rpm2tgz or alien will be useful for those using distros with specific package formats.
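Pointing rkhunter at an unpacked package only finds rootkits it already has signatures for. The complementary check a practitioner makes before installing anything from an untrusted repo is to look at where the package's files land: a media player has no business shipping /etc/ld.so.preload, a kernel module, a cron entry, a PAM config or a replacement /bin/ps. The script below is an added example, not part of this thread or of rkhunter: it reads the verbose listing that `dpkg-deb -c` (for a .deb) or `tar -tvf` (for a tarball) prints and flags entries in such locations, plus any setuid/setgid file. The list of paths it treats as sensitive is an assumption of this example, a starting point rather than anything exhaustive, and the sample listing at the end is constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the thread: triage a package's file list before
# installing it. rkhunter --rootdir over an unpacked package (the wrapper
# above) only matches rootkits it already knows; this instead flags anything
# the package would drop into places that give persistence or root
# privilege, known rootkit or not. Input is the verbose listing printed by
#   dpkg-deb -c pkg.deb     (Debian/Ubuntu packages)
#   tar -tvf pkg.tar.bz2    (plain tarballs, as in the wrapper above)
# i.e. "mode owner size date time path" per line.
# The set of paths and names flagged below is an assumption of this example,
# a starting list rather than anything exhaustive.

# flag_sensitive_paths < listing
# Prints "REASON<TAB>path" per suspicious entry; exit 1 if any, else 0.
flag_sensitive_paths() {
    awk '
        NF < 6 { next }                            # not a listing line
        {
            mode = $1; path = $NF
            if ($(NF-1) == "->") path = $(NF-2)    # symlink: "link -> target"
            sub(/^\.?\//, "", path)                # drop leading "./" or "/"
            reason = ""
            if (path == "etc/ld.so.preload")
                reason = "LD_PRELOAD hijack"
            else if (path ~ /^lib\/modules\//)
                reason = "kernel module"
            else if (path ~ /^etc\/(cron|init|rc[0-9S]|systemd|profile)/)
                reason = "boot/cron/login persistence"
            else if (path ~ /^etc\/(pam\.d|security|sudoers)/)
                reason = "auth/sudo policy"
            else if (path ~ /^(bin|sbin|usr\/bin|usr\/sbin)\/(ls|ps|netstat|ss|lsof|find|login|su|sudo|passwd|sshd)$/)
                reason = "replaces core system binary"
            else if (substr(mode, 4, 1) ~ /[sS]/ || substr(mode, 7, 1) ~ /[sS]/)
                reason = "setuid/setgid file"
            if (reason != "") { printf "%s\t%s\n", reason, path; n++ }
        }
        END { exit (n > 0) }'
}

# inspect_package FILE
# Lists a .deb (dpkg-deb) or a tarball (GNU tar detects the compression on
# read) and triages the listing. Exit 1 if anything was flagged.
inspect_package() {
    case $1 in
        *.deb) dpkg-deb -c "$1" ;;
        *)     tar -tvf "$1" ;;
    esac | flag_sensitive_paths
}

# sample_listing: a constructed dpkg-deb -c style listing for demonstration,
# a media player package that also carries four things it should not.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x root/root         0 2008-03-01 10:00 ./
drwxr-xr-x root/root         0 2008-03-01 10:00 ./usr/
-rwxr-xr-x root/root     41234 2008-03-01 10:00 ./usr/bin/kaffeine
-rw-r--r-- root/root       812 2008-03-01 10:00 ./usr/share/doc/kaffeine/README
-rw-r--r-- root/root        21 2008-03-01 10:00 ./etc/ld.so.preload
-rwxr-xr-x root/root     98120 2008-03-01 10:00 ./bin/ps
-rwsr-xr-x root/root     12000 2008-03-01 10:00 ./usr/bin/helper
-rw-r--r-- root/root      4096 2008-03-01 10:00 ./lib/modules/2.6.24/extra/hide.ko
lrwxrwxrwx root/root         0 2008-03-01 10:00 ./usr/bin/kaffeine-alt -> kaffeine
EOF
}

sample_listing | flag_sensitive_paths || echo "package needs a closer look before it goes on as root"
```

For a real download, `inspect_package something.deb` is the whole invocation; for a .deb it is also worth reading the maintainer scripts (`dpkg-deb -e something.deb ctl` extracts preinst/postinst into ctl/), since those run as root at install time whatever the file list looks like.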

    #6 questio verum
    Thanks guys. I ran rootkit hunter out of curiosity, and it returned no finds.
    I've since wiped the drive using dban, and put on a fresh install. I'm going to go outside of the supported repos so I can get firestarter and the proprietary nvidia driver, but I think that'll be it.
