
Re: have I been rooted?



> On Sat, 2003-03-15 at 06:04, David H. Clymer wrote:
> > I just ran chkrootkit, and at one point it indicates that I may have an
> > LKM rootkit installed on my box (see output below). I then downloaded
> > and installed sash, and when I run chkrootkit as sashroot, it doesn't
> > detect anything (also see output below). Which should I believe? Is
> > there any way to determine if there is indeed a LKM rootkit installed
> > without downtime (or at least a minimum)? This box serves as mailserver
> > for approximately 600 users, has no backup or secondary server (all very
> > bad things, I know, but cash is very, very short) and is administered
> > remotely, so taking it down, wiping/reinstalling, is not an option
> > at this point.
> 
> I had a similar scare with chkrootkit when I first started using it. It
> turns out that it can occasionally give "false positives". Something to
> do with processes completing and vanishing in the middle of checking if
> processes are trying to hide themselves.
> 


Once you are content that you are not rooted (and I don't have an opinion on 
that), there are some measures you can take for hardening.

1. Install bastille linux. It's not a Linux distro, it's a hardening toolkit.
2. Install, setup, learn and use some software such as tripwire, that you can 
use to see whether there are unauthorised changes to system files.
3. Consider mounting /usr ro. One way that appeals to me, but I've not actually 
tried it, is to make an ISO of it and mount it on loopback. If you can have / 
ro, so much the better.
4. Make sure that writable partitions are mounted noexec. If someone breaks, 
say, Apache, as was a possibility a few months ago, you don't want them running 
their cracker kit on your box. Note that this is not perfect, '/bin/bash -c 
"source ./kit"' can still do some damage.
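As an added example (not code from the original mail or from any of the tools it names), the script below audits a /proc/mounts-style table against points 3 and 4 above: / and /usr should be read-only, and every other writable filesystem should carry noexec. The sample mount table, the device names and the partition layout are constructed for the demonstration; run the script with /proc/mounts as its argument to audit a live box.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits a mount table of the
# form "device mountpoint fstype options dump pass" (as in /proc/mounts)
# against the two mount-hardening points from the mail above.

# Constructed sample table (assumed layout and device names), so the audit
# runs without root and without touching the real system.
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw 0 0
/dev/hda5 /usr ext3 rw 0 0
/dev/hda6 /var ext3 rw 0 0
/dev/hda7 /tmp ext3 rw,noexec,nosuid 0 0
/dev/hda8 /home ext3 rw,noexec 0 0
proc /proc proc rw 0 0'

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mount MOUNTPOINT DEVICE OPTS: print a finding and return 1 if the
# mount does not meet the policy, return 0 silently if it does
check_mount() {
    mnt=$1; dev=$2; opts=$3
    case "$mnt" in
        /|/usr)
            # system binaries live here, so noexec is not an option;
            # the advice in the mail is to mount these read-only instead
            if ! has_opt "$opts" ro; then
                echo "$mnt ($dev): mounted rw, should be ro"
                return 1
            fi
            ;;
        *)
            if has_opt "$opts" rw && ! has_opt "$opts" noexec; then
                echo "$mnt ($dev): writable without noexec"
                return 1
            fi
            ;;
    esac
    return 0
}

# audit_mounts: read a mount table on stdin, print one finding per line on
# stdout and a summary count on stderr; pseudo-filesystems are skipped
audit_mounts() {
    count=0
    while read -r dev mnt fstype opts dump pass; do
        [ -z "$dev" ] && continue
        case "$fstype" in proc|sysfs|devpts) continue ;; esac
        check_mount "$mnt" "$dev" "$opts" || count=$((count + 1))
    done
    # Caveat from the mail: noexec only blocks direct execution of a file;
    # an interpreter can still read it, e.g. /bin/bash -c "source ./kit",
    # so a clean audit here is a hardening step, not a guarantee.
    echo "findings: $count" >&2
}

if [ -n "$1" ]; then
    audit_mounts < "$1"
else
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
fi
```

On the sample table the script reports /, /usr and /var (three findings) and accepts /tmp and /home. Mounting /usr read-only as point 3 suggests would clear the /usr finding; the others call for a remount with the appropriate options in /etc/fstab.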



