Rootkits happen. Are you paying attention?
cmw.osdude 120000QT77 Visits (2836)
I caught an article today: "Linux users targeted by mystery drive-by rootkit". I stand by my believe that Linux is the most secure environment that I have used and I enjoy the freedom from many of the security issues that friends experience. However, it would be ridiculous to imagine that Linux–or any environment–is immune from attack.
You probably already know the security basics. Don't hang out at weird websites and let anything and everything run. Use things like Adblocker in Firefox to help cut out little scripts and things that you don't want to run. When things pop up saying would you like to install or run something that you don't understand, don't click "Yes". How do you know you're OK, though?
First, pay attention! You can tell when your system is not behaving normally. When the network seems clogged or processes start getting chunky that could be a sign that things are running on your system that you don't know about. Don't ignore that. Do something about it.
The first step is to look at the processes that are running. In Linux a basic ps -aux will give you information about what is running. If you tinker a lot, like I do, you may bet all kinds of things turned on when you installed them to play with them. The other day I noticed that I had a web server and two database servers that had been left active after playing around with them. Often when you install that kind of software it will set itself to automatically start. These are the kinds of things that can create danger for you if you don't realize they are running.
For seeing how the system resources are running, top is a good quick check. It is a console-based system monitor that will show you what is using resources on your machine. Here's a sample:
top - 13:01:12 up 1 day, 4:05, 2 users, load average: 0.99, 1.15, 1.21 Tasks: 252 total, 2 running, 250 sleeping, 0 stopped, 0 zombie %Cpu(s): 16.0 us, 5.1 sy, 0.0 ni, 78.3 id, 0.6 wa, 0.0 hi, 0.0 si, 0.0 st KiB Mem: 8153336 total, 5683844 used, 2469492 free, 451072 buffers KiB Swap: 6377468 total, 0 used, 6377468 free, 2863488 cached PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 3571 cmwalden 9 -11 107m 9296 7248 S 9.2 0.1 32:13.00 pulseaudio 29874 cmwalden 20 0 797m 203m 45m R 7.9 2.6 3:03.74 firefox 1532 root 20 0 112m 35m 9.8m S 7.8 0.5 23:30.32 Xorg 3525 cmwalden 20 0 56332 18m 10m S 2.9 0.2 8:26.86 python 3366 cmwalden 20 0 333m 85m 30m S 2.2 1.1 9:25.78 compiz 3515 cmwalden 20 0 642m 169m 69m S 1.9 2.1 3:29.92 sametime 10621 cmwalden 20 0 869m 265m 41m S 1.5 3.3 11:18.62 firefox 12338 cmwalden 20 0 228m 51m 20m S 1.4 0.6 3:12.04 plugin-containe 18109 cmwalden 20 0 171m 16m 11m S 0.8 0.2 0:01.28 gnome-terminal 10588 cmwalden 20 0 852m 348m 40m S 0.8 4.4 7:38.09 thunderbird 12488 cmwalden 20 0 568m 151m 79m S 0.8 1.9 2:17.30 lnotes 12547 cmwalden 20 0 180m 23m 14m S 0.8 0.3 1:42.51 vpnui 12510 cmwalden 20 0 745m 186m 72m S 0.6 2.3 2:21.86 notes2 1388 mongodb 20 0 92660 13m 5116 S 0.6 0.2 1:46.26 mongod 3918 cmwalden 20 0 223m 53m 11m S 0.5 0.7 0:32.94 unity-panel-ser 14292 cmwalden 20 0 120m 48m 27m S 0.2 0.6 2:21.84 taskldr 17690 root 20 0 0 0 0 S 0.2 0.0 0:01.02 kworker/0:1
Based on my snapshot my audio and firefox are the biggest pgs. I also note that I have mongod running, which is a database enging that I thought I had disabled. It may be that something is using it, or I may not have shut it off correctly. I need to look into that. As a "basic user" I probably don't need to know about all of these processes... but as a "technical user" I really should understand them, at least well enough to know that they are normal.
Dealing with root kits and other nasties
Keeping an eye on all of your running processes is probably not what you want to do. It's good to know that you can spot check with things are misbehaving, but you want to be proactive and stop things before they start. Here are a few things that might help.
Clam Antivirus — Clam was the first anti-virus software that I discovered for Linux. It runs on othe rplatforms as well and seems to be pretty good stuff. Clam does what any intivirus system does. It scans files and compares them with signatures of known viruses. Of course, the value is only as good as the definitions. Clam definitions seem to be updated pretty regularly and it's easy to automate the process. At the very least you should have something like this available. Admitedly, the only virus files that I've ever found with this have been dormant Windows viruses that someone sent me in emails... but it's good to know that.
chkrootkit – This is a common tool available throught Linux distributions. It looks for a number of common exploits and reports issues.
rkhunter – another popular root kit detector that was available through the Ubuntu repositories. This tool works best if you install it onto a "clean" system, i.e. one that you know is uninfected. Ideally you would set it up immediately after installing the operating system and let it initialize. rkhunter looks for unexpected changes to system files and alerts you to possible mischief.
Of course, if you are serious about digging into root kit detection, you will want to look deeper than just running a tool. Here is an excellent article on Symantec's web site: "Detecting Rootkits And Kernel-level Compromises In Linux" which goes into quite a bit of detail about the technical side of this sort of forensics.
Cyber attacks seem to be the way of the future. No one is immune, but you can make yourself less of a target. Some say that eternal vigilance is the price of freedom, and this probably goes for software too.