Blog: Walden's Ponderings
Rootkits happen. Are you paying attention?

cmw.osdude | Tags: rkhunter chkrootkit security clamav linux rootkit | 7,419 Views

I caught an article today: "Linux users targeted by mystery drive-by rootkit".  I stand by my belief that Linux is the most secure environment that I have used, and I enjoy the freedom from many of the security issues that friends experience.  However, it would be ridiculous to imagine that Linux, or any environment, is immune from attack.

You probably already know the security basics.  Don't hang out at weird websites and let anything and everything run.  Use an ad blocker like Adblock in Firefox to cut out the little scripts and things you don't want running.  When something pops up asking whether you would like to install or run a thing you don't understand, don't click "Yes".  Bear in mind, though, that a drive-by attack like the one in that article never asks: it exploits a hole in the browser or one of its plugins, so keeping those patched matters as much as saying no.  How do you know you're OK, though?

First, pay attention!  You can tell when your system is not behaving normally.  When the network seems clogged, or processes start hogging CPU and memory, that could be a sign that things are running on your system that you don't know about.  Don't ignore that.  Do something about it.

The first step is to look at the processes that are running.  In Linux a basic ps aux (BSD-style, no dash; ps -aux with a dash is a different syntax that GNU ps merely guesses at, and ps -ef is the POSIX equivalent) will list everything that is running.  If you tinker a lot, like I do, you may get all kinds of things turned on that you installed just to play with.  The other day I noticed that I had a web server and two database servers that had been left active after playing around with them.  Often when you install that kind of software it will set itself to start automatically.  These are the kinds of things that can create danger for you if you don't realize they are running, especially when they are listening on the network: ss -ltnp (or netstat -ltnp on older systems) shows which processes are accepting connections and is worth a look alongside ps.

To see where system resources are going, top is a good quick check.  It is a console-based system monitor that shows what is using resources on your machine.  Here's a sample:

top - 13:01:12 up 1 day,  4:05,  2 users,  load average: 0.99, 1.15, 1.21
Tasks: 252 total,   2 running, 250 sleeping,   0 stopped,   0 zombie
%Cpu(s): 16.0 us,  5.1 sy,  0.0 ni, 78.3 id,  0.6 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem:   8153336 total,  5683844 used,  2469492 free,   451072 buffers
KiB Swap:  6377468 total,        0 used,  6377468 free,  2863488 cached

  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND           
 3571 cmwalden   9 -11  107m 9296 7248 S   9.2  0.1  32:13.00 pulseaudio        
29874 cmwalden  20   0  797m 203m  45m R   7.9  2.6   3:03.74 firefox           
 1532 root      20   0  112m  35m 9.8m S   7.8  0.5  23:30.32 Xorg              
 3525 cmwalden  20   0 56332  18m  10m S   2.9  0.2   8:26.86 python            
 3366 cmwalden  20   0  333m  85m  30m S   2.2  1.1   9:25.78 compiz            
 3515 cmwalden  20   0  642m 169m  69m S   1.9  2.1   3:29.92 sametime          
10621 cmwalden  20   0  869m 265m  41m S   1.5  3.3  11:18.62 firefox           
12338 cmwalden  20   0  228m  51m  20m S   1.4  0.6   3:12.04 plugin-containe   
18109 cmwalden  20   0  171m  16m  11m S   0.8  0.2   0:01.28 gnome-terminal    
10588 cmwalden  20   0  852m 348m  40m S   0.8  4.4   7:38.09 thunderbird       
12488 cmwalden  20   0  568m 151m  79m S   0.8  1.9   2:17.30 lnotes            
12547 cmwalden  20   0  180m  23m  14m S   0.8  0.3   1:42.51 vpnui             
12510 cmwalden  20   0  745m 186m  72m S   0.6  2.3   2:21.86 notes2            
 1388 mongodb   20   0 92660  13m 5116 S   0.6  0.2   1:46.26 mongod            
 3918 cmwalden  20   0  223m  53m  11m S   0.5  0.7   0:32.94 unity-panel-ser   
14292 cmwalden  20   0  120m  48m  27m S   0.2  0.6   2:21.84 taskldr           
17690 root      20   0     0    0    0 S   0.2  0.0   0:01.02 kworker/0:1       

Based on my snapshot my audio and Firefox are the biggest pigs.  I also note that I have mongod running, which is a database engine that I thought I had disabled.  It may be that something is using it, or I may not have shut it off correctly.  I need to look into that.  As a "basic user" I probably don't need to know about all of these processes... but as a "technical user" I really should understand them, at least well enough to know that they are normal.

Dealing with rootkits and other nasties

Keeping an eye on all of your running processes is probably not what you want to do.  It's good to know that you can spot-check when things are misbehaving, but you want to be proactive and stop things before they start.  Here are a few things that might help.

Clam Antivirus — Clam was the first anti-virus software that I discovered for Linux.  It runs on other platforms as well and seems to be pretty good stuff.  Clam does what any antivirus system does: it scans files and compares them with signatures of known viruses.  Of course, the value is only as good as the definitions.  Clam definitions seem to be updated pretty regularly and it's easy to automate the process (freshclam fetches the definitions, clamscan -r does the scanning, and both drop into cron without fuss).  At the very least you should have something like this available.  Admittedly, the only virus files that I've ever found with this have been dormant Windows viruses that someone sent me in emails... but it's good to know that.  Keep in mind what a file scanner can and cannot do, though: it will catch a known malicious file, but a kernel rootkit that hides its files from every process on the box hides them from clamscan as well, which is one reason to scan a suspect disk from a live CD rather than from the running system.

chkrootkit – This is a common tool available through Linux distributions.  It checks system binaries for strings left behind by known rootkits, looks for network interfaces in promiscuous mode, and compares the processes the kernel admits to with what /proc lists, which catches processes a rootkit is trying to hide.  Expect the odd false positive and treat anything it flags as a reason to look closer, not as proof.
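As an added example (not code from the original post, and not chkrootkit's own), here is a minimal POSIX-shell version of the hidden-process check that chkrootkit's chkproc performs.  The function names are this example's own; the technique is the standard one: a rootkit that hides a process usually filters the directory listing of /proc, so ask the kernel about every PID number through other interfaces and see whether the answers agree.

```shell
#!/bin/sh
# Added example, not from the original post or from chkrootkit: a minimal
# hidden-process check.  readdir() on /proc is the interface rootkits most
# often filter; kill(pid, 0) and a direct stat() of /proc/<pid> are two
# others.  Any PID acknowledged by the probes but absent from the listing is
# reported.
#
# Thread IDs answer kill -0 and have a /proc/<tid> entry even though they are
# not listed at the top level of /proc, so the "visible" set must include
# every /proc/<pid>/task/<tid> too, or every multithreaded process would be
# reported as hidden.
LC_ALL=C
export LC_ALL

# pid_alive PID: true if the kernel acknowledges PID by either probe.
# Without root, kill -0 on another user's process fails with EPERM, which
# portable sh cannot tell apart from ESRCH; the stat of /proc/PID covers it.
pid_alive() {
    kill -0 "$1" 2>/dev/null || [ -d "/proc/$1" ]
}

# visible_pids: PIDs and TIDs that the /proc directory listing admits to.
visible_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] || continue
        echo "${d#/proc/}"
        for t in "$d"/task/[0-9]*; do
            if [ -d "$t" ]; then echo "${t##*/}"; fi
        done
    done 2>/dev/null | sort -u
}

# probed_pids MAX: every PID in 1..MAX that answers a probe.
probed_pids() {
    i=1
    while [ "$i" -le "$1" ]; do
        if pid_alive "$i"; then echo "$i"; fi
        i=$((i + 1))
    done
}

# hidden_pids [MAX]: PIDs that answered a probe but are missing from the
# /proc listing.  Prints nothing on a clean system.  MAX defaults to the
# kernel's pid_max (which can be in the millions, so a full sweep is slow);
# pass a smaller number to trade coverage for speed.
hidden_pids() {
    max=${1:-$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)}
    pro=$(mktemp) || return 1
    vis=$(mktemp) || return 1
    probed_pids "$max" | sort -u >"$pro"
    visible_pids >"$vis"
    # Candidates are in the probed set but not the visible set.  Re-probe each
    # one so that processes which merely exited between the two passes
    # (including this script's own sort child) are not reported.
    comm -23 "$pro" "$vis" | while read -r p; do
        if pid_alive "$p"; then echo "$p"; fi
    done
    rm -f "$pro" "$vis"
}

# To run it as a script rather than sourcing it:  sh hidden_pids.sh 65536
case "$0" in *hidden_pids.sh) hidden_pids "$@" ;; esac
```

A PID that survives the re-probe and still is not listed deserves a closer look (/proc/PID/exe, /proc/PID/cmdline, /proc/PID/maps), ideally from a live CD, since a rootkit that hooks readdir can hook stat and kill just as well; this check only raises the bar, it does not settle the question.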

rkhunter – another popular rootkit detector, available through the Ubuntu repositories.  This tool works best if you install it onto a "clean" system, i.e. one that you know is uninfected.  Ideally you would set it up immediately after installing the operating system and run rkhunter --propupd so it records the properties (hashes, permissions, ownership and the like) of the system binaries it will later check against.  rkhunter looks for unexpected changes to those files and alerts you to possible mischief.  Two caveats apply to it and to chkrootkit alike: the baseline is only worth what the system was worth when you took it, and both tools ask the kernel they run on for their answers, so a rootkit that owns that kernel can lie to them.  Re-run --propupd only after updates you applied yourself, and when you really suspect a box, check it from a live CD.
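An added example, not from the post or from rkhunter, that serves both the "know what is normal" idea from the ps and top discussion above and rkhunter's baseline-then-compare approach: a small shell baseline covering running command names, listening sockets and file hashes of the system binaries, diffed later with comm.  Function names and the snapshot line format are this example's own choices; ps, ss and sha256sum are the standard procps, iproute2 and coreutils tools.

```shell
#!/bin/sh
# Added example, not from the original post or from rkhunter: a plain-text
# "what is normal" baseline in the spirit of rkhunter's property database.
# Each snapshot_* function emits one sorted line per item, all in one
# format, so a baseline taken on a clean system can be diffed against a later
# snapshot with comm(1).  Function names and the line format are this
# example's own.
LC_ALL=C
export LC_ALL

# snapshot_processes: "proc NAME" per distinct command name (procps ps).
snapshot_processes() {
    ps -eo comm= 2>/dev/null | sed 's/^/proc /' | sort -u
}

# snapshot_listeners: "listen PROTO LOCALADDR" per listening TCP/UDP socket
# (iproute2 ss; the header line is dropped, column 1 is tcp/udp, column 5 the
# local address:port).
snapshot_listeners() {
    ss -ltnup 2>/dev/null | tail -n +2 | awk '{print "listen", $1, $5}' | sort -u
}

# snapshot_files DIR...: "file SHA256  PATH" per regular file, the kind of
# property rkhunter records for system binaries.
snapshot_files() {
    find "$@" -type f -exec sha256sum {} + 2>/dev/null | sed 's/^/file /' | sort -u
}

# full_snapshot DIR...: everything above, merged and sorted.
full_snapshot() {
    { snapshot_processes; snapshot_listeners; snapshot_files "$@"; } | sort -u
}

# compare_snapshots BASELINE CURRENT: lines that vanished ("- ...") and lines
# that are new ("+ ...").  A changed file produces one of each; a new daemon
# or listening port produces a "+ proc" or "+ listen" line.  Prints nothing
# when the two snapshots match.
compare_snapshots() {
    comm -23 "$1" "$2" | sed 's/^/- /'
    comm -13 "$1" "$2" | sed 's/^/+ /'
}

# Typical use, right after a clean install and then on a schedule:
#   full_snapshot /bin /sbin /usr/bin /usr/sbin > baseline.txt   # keep a copy off the host
#   full_snapshot /bin /sbin /usr/bin /usr/sbin > now.txt && compare_snapshots baseline.txt now.txt
```

The same limits the post notes for rkhunter apply here: the diff only tells you what changed since the baseline, not whether the baseline was clean, and it runs on the host being checked, so a rootkit that hooks file reads or has replaced sha256sum can feed it the old hashes.  Keep the baseline somewhere the host cannot quietly rewrite, and hash a suspect disk from a live medium.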

Of course, if you are serious about digging into rootkit detection, you will want to look deeper than just running a tool.  Here is an excellent article on Symantec's web site: "Detecting Rootkits And Kernel-level Compromises In Linux", which goes into quite a bit of detail about the technical side of this sort of forensics.

Cyber attacks seem to be the way of the future.  No one is immune, but you can make yourself less of a target.  Some say that eternal vigilance is the price of freedom, and this probably goes for software too.
