Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Last month's "Tech Support" showed you how to monitor filesystem changes with Tripwire, a handy system utility that alerts you to all filesystem changes. Like SNORT and others, Tripwire's just one of many practical security measures that minds your system 24/7.
Another sentry tool is chkrootkit, a free utility that can detect rootkits, loadable kernel modules, worms, and other nefarious cracker tools. (A rootkit is a collection of tools used to mask intrusion, obtain administrator-level access and, install a backdoor on a target computer. A loadable kernel module, or LKM, is a piece of code that's loaded directly into the Linux kernel.) chkrootkit uses digital signatures to detect over fifty known rootkits and LKMs. It also uses some simple heuristics -- looking for hidden processes, hidden directories, and a few other simple checks -- to attempt to detect unknown kits.
chkrootkit is maintained by Nelson Murilo and is available from http://www.chkrootkit.org. After downloading the latest version of chkrootkit, verify the MD5 checksum, and unpack the tarball. Then type make sense in the build directory. After the build's complete, run the program by typing ./chkrootkit. You'll have to be root to run the chkrootkit tools.
By default, chkrootkit is quite verbose. You can use the -q flag to only output messages that indicate an "infection." Another useful flag is -p, which allows you to specify a path to the supplemental, external programs that chkrootkit uses. Running the external commands from a read-only media ensures that chkrootkit itself hasn't been tampered with.
Once you have everything working to your liking, run chkrootkit via cron using a command similar to...
Like any security program, the output of chkrootkit needs to be examined and interpreted to be useful. For example, chkrootkit may give output such as INFECTED (PORTS: 1999). While this may be a result of the Transcout backdoor, it may just be that a program that uses random ports greater than port 1023 is using the port.
Always a Good find
A few months back, "Tech Support" presented slocate as a replacement for the brute-force find /
The offer for discussion seams interesting to me, as I support few servers in my town - all of them using debian.
One of those machines is set up with knoppix 3.2 from which I removed a lot of stuff that was not needed, so afterwards few months later I ran chkrootkit on it and it says there is probably LKM attack as 4 Processes are hidden from the ps command.
And really when I ps -A I don't see process numbers
1 ? 00:00:10 init
2 ? 00:00:00 keventd
0 ? 00:00:00 ksoftirqd_CPU0
0 ? 00:00:00 kswapd
0 ? 00:00:00 bdflush
0 ? 00:00:01 kupdated
I read about this, that it should be a problem with multithereading on debian in some cases, but honestly I haven't had this problem on other debian system.
I suppose it has to do something with knoppix but I don't have a machine like this.
After I spent hours of checking logs and so, I concluded that there isn't anything wrong
That's a bug in chkrootkit. With the latest glibc and 2.6 kernel, the
threading model has changed. Threads no longer show up as individual
processes. Chkrootkit should be updated to work with the latest glibc
and 2.6 kernel (i.e. it should check /proc/<pid>/task too)
I don't see a fix posted there though. What version of chkrootkit are you running?
--jeremy
by deloptes on Mon, 2004-07-05 01:35
thanks jeremy
I see, but I am using the 2.4.22-xfs kernel on this machine that comes with knoppix
by unSpawn on Mon, 2004-07-05 19:00
Even tho I think this is somewhat OT, 0.44-beta is just around the corner.
If all is well it will feature an improved threading aware chkproc.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
One of those machines is set up with knoppix 3.2 from which I removed a lot of stuff that was not needed, so afterwards few months later I ran chkrootkit on it and it says there is probably LKM attack as 4 Processes are hidden from the ps command.
And really when I ps -A I don't see process numbers
1 ? 00:00:10 init
2 ? 00:00:00 keventd
0 ? 00:00:00 ksoftirqd_CPU0
0 ? 00:00:00 kswapd
0 ? 00:00:00 bdflush
0 ? 00:00:01 kupdated
I read about this, that it should be a problem with multithereading on debian in some cases, but honestly I haven't had this problem on other debian system.
I suppose it has to do something with knoppix but I don't have a machine like this.
After I spent hours of checking logs and so, I concluded that there isn't anything wrong
What is your oppinion?
Are you aware of security issues with knoppix
Thanks
threading model has changed. Threads no longer show up as individual
processes. Chkrootkit should be updated to work with the latest glibc
and 2.6 kernel (i.e. it should check /proc/<pid>/task too)
--jeremy
I see, but I am using the 2.4.22-xfs kernel on this machine that comes with knoppix
If all is well it will feature an improved threading aware chkproc.