Rootkit questions - suspect compromised box

I have reason to suspect my box has been compromised by a rootkit. I recently cleaned my drive and installed Ubuntu Studio. In the process I pulled some packages from restricted repos. Today, when I started this session, Ubuntu flashed a message saying Firestarter was being turned off. After GNOME loaded, I tried to load Firestarter from the menu and was prompted for my password. Firestarter never asks me for my password unless I'm making changes. There were other signs too, but I've been focused on a hardware problem since install, and errantly assumed the other smptoms were being triggered by that (or by a poorly QA'ed update). I started getting that sinking feeling as I did a mental calculation of every password, online transaction, email, etc. that's been executed from my rig in the last week.

I've done a preliminary search for info on rootkit detection, removal, and prophylaxis. It's not encouraging. Much of the information I've googled is dated and contradictory. So I ask:

- Is writing zeroes to the drive the only foolproof way to clean it? If not, what is the best option short of this?

- What is the best way to protect my rig from a rootkit in the future?

- Is there a detection package or method that will reliably detect a rootkit?

- Is there a reliable package or method to detect a rootkit before it's installed and active? Like if it were embedded in a package from a non-supported repo, or from any downloadable or tranferable source?

I re-read Fingal's sticky on security and am reviewing my entire approach to securing my system. Any accurate information, as pertains to rootkits, would be welcomed. In the meantime I'll be contacting my bank and changing passwords from a (hopefully) secure rig. Thanks.

qv

Do:

Code:

---

sudo apt-get install rkhunter

---

After it is installed, do:

Code:

---

sudo rkhunter --update

---

When it is up to date, run:

Code:

---

sudo rkhunter -c --sk -r /

---

:)

To inject a rootkit on your system, the user who's doing it needs to become root. So, the key points here are these:

1. Avoid other users becoming root.
2. Be very careful with what you install when YOU are root.

To achieve 1 to a 100% is very difficult, there are some things that help, though:

• It is very important to be up to date in which regard security updates, that's the best way to keep critical vulnerabilities out of your system.
• Do not run services you are not going to use, those are open doors that can pose a security risk if a vulnerability is discovered that can be used to scale privileges.
• Do not allow remote root logins via ssh if you run ssh.
• Use secure alternatives for everything, with encryption. For example, ssh instead of telnet.
• Don't use dangerous programs as root (internet browsers, wine, etc. etc.).

About 2, most distros do security checks, checksums and things like that when downloading packages, to make sure that nothing has been injected in the packages. None is invulnerable though. The main thing you should be careful is when using community repositories, overlays or whatever they are called in your distro. The core packages or the distros usually are stable enough, but community driven repositories can be problematic sometimes.

Quote:

---

Originally Posted by questio verum

- Is writing zeroes to the drive the only foolproof way to clean it? If not, what is the best option short of this?

---

Strictly speaking, that's true. However, I don't see much sense on that. If you reformat your drive the rootkit might be there, but it's not accesible via a filesystem, and it's not going to awake like a zombie by itself. Just reformating and reinstalling the bootloader should do. You could clean it manually, but depending on the attacker and the rootkit, that might not be an option, since you can't be 100% sure that there's no malicious code left in your system that will awake at a given time.

Quote:

---

- What is the best way to protect my rig from a rootkit in the future?

---

There's no best way. I explained above some general policies to observe. The best way is not to let it in.

Quote:

---

- Is there a detection package or method that will reliably detect a rootkit?

---

There's rkhunter, as Dapper Dan said, however, the usefulness of rootkit hunters is really limited. They can only be used to detect kootkits that are already installed in your system. As I said above, to install a rootkit you first need to be root, and if someone became root and installed a rootkit, you have absolutely no guarantee that rkhunter has not been rootkited as well (so, it's almost useless really). Most of us run it just because it's output is so nice :p But it's not really a reliable diagnosis tool.

Quote:

---

- Is there a reliable package or method to detect a rootkit before it's installed and active? Like if it were embedded in a package from a non-supported repo, or from any downloadable or tranferable source?

---

Not that I know of. But it might be easily to patch rkhunter or chkrootkit to do so. Or wrap them into a bash script or something. Note that, as far as you only use stable and certified software as root, you are fairly safe. If you use a community repository for a game or a multimedia program that you are only using as regular user, then whatever is injected in that program will only have the same right that your regular user do. Not that it's a good thing though... there are a thousand millions ways to scale privileges once you have an unprivileged account.

i92guboj, perhaps you could write questio verum (and the rest of us for that matter) a patch for rkhunter that will do what you are talking about. I'd love to have that patch! :)

Quote:

---

Originally Posted by Dapper Dan

i92guboj, perhaps you could write questio verum (and the rest of us for that matter) a patch for rkhunter that will do what you are talking about. I'd love to have that patch! :)

---

A simple bash wrapper should do. Root kit hunters look for concrete rootkits on concrete system files, however, they only make sense for some concrete packages. rkhunter is not going to look for anything into a package for kaffeine, it might be useful to look into coreutils, binutils or similar packages, though.

Something like this, maybe:

Code:

---

#!/bin/bash

tar -xvjpf "$1"
path=$(basename $1)
cd "${path/.tar.bz2/}"
rkhunter --rootdir . --checkall

---

This is a very simple example, which make quite a lot of assumptions and is not ready for the final user, it's only meant as a very basic example.

The basic idea is to uncompress the package into a temporal directory, and them set that directory as the root directory for rkhunter, that's all you should need.

The procedure to uncompress and the concrete directory will be different depending on the package format and the distribution of choice, of course. Here, a full load of tools like rpm2tgz or alien will be useful for those using distros with specific package formats.

Thanks guys. I ran rootkit hunter out of curiousity, and it returned no finds.
I've since wiped the drive using dban, and put on a fresh install. I'm going to go outside of the supported repos so I can get firestarter and the proprietary nvidia driver, but I think that'll be it.