
Re: has chkrootkit caught a problem for anyone?



On Thu, Dec 15, 2005 at 01:12:16PM -0600, alex wrote:
> Okay, another question about chkrootkit:
> Has anyone ever found a false positive with it?

yep.

1. having the slice package installed triggers a false positive for the
RH-Sharpe rootkit because slice contains /usr/bin/slice


2. having the libproc-dev package installed triggers a false positive
for the t0rn v8 rootkit because libproc-dev contains /usr/lib/libproc.a

i've got used to ignoring these warnings over the years. AFAIK, both
these rootkits have been obsolete for several years anyway.


somebody suggested using rkhunter instead of chkrootkit. actually,
use both. they're both useful. remember, though, that there will be
occasional false positives (so, don't panic - just investigate your
system thoroughly) and also the occasional false negative (so don't
assume that because they haven't found anything that your system is
fine).

in other words, they're useful tools but they're not perfect and they're
not a replacement for a vigilant sysadmin. they can just help to automate
regular checks for known hazards.


one of the best tools for intrusion detection is tripwire. it's a minor
PITA in that you have to remember to update tripwire's database (and
type in your tripwire encryption password) every time you run an upgrade
or install new software or libraries or edit any monitored config files
but it WILL tell you when a file or program has been modified. well
worth the effort to learn and use it.

one more useful tip: most rootkits replace useful utilities like
netstat, ps, ls, and several others in order to hide their presence on
the system. it is a good idea to keep a copy of packages for these tools
somewhere convenient so that you can install them all with 'dpkg -iBE
*.deb'. after you've restored the genuine packages you can then find
out what hidden processes are on the system and what ports they are
listening on (if any) - so you can kill them. oh yeah, and check your
/etc/init.d/* and other bootup scripts for additions & modifications
- some rootkits will configure things so that they start up after a
reboot.  again, tripwire is useful here.

and finally - as well as tripwire, it's a good idea to use a revision
control system like RCS, CVS, or Subversion to keep track of all changes
to config files, init.d scripts, and so on. that way if one has been
changed by a script kiddie you get to see exactly what they changed and
revert it easily. it's also useful for minimising harm due to operator
error (i.e. if you screw up, it's easy to change back to the previous
working config).

craig

-- 
craig sanders <cas@taz.net.au>           (part time cyborg)
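A minimal tripwire-style baseline-and-compare check, added here as an illustration of the file-integrity monitoring the reply recommends (it is not tripwire's code and not from the thread); the watched paths and the baseline location are assumed examples built from the utilities and scripts named above:

```python
"""Minimal tripwire-style baseline/compare (added illustration, not tripwire's code)."""
import hashlib
import json
import stat
import sys
from pathlib import Path

# Targets the reply names as usual rootkit replacements (assumed default list).
WATCH_DEFAULT = ["/bin/ps", "/bin/netstat", "/bin/ls", "/etc/init.d"]
BASELINE_DB = "/var/lib/integrity-baseline.json"  # assumed path; keep it off-box or read-only

def fingerprint(path: Path) -> dict:
    """Content hash plus the mode/owner fields a trojaned binary usually changes."""
    st = path.lstat()
    rec = {"mode": stat.filemode(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec

def snapshot(watch) -> dict:
    """Fingerprint every regular file (symlinks skipped) under the watched paths."""
    snap = {}
    for top in map(Path, watch):
        candidates = [top] if top.is_file() else (top.rglob("*") if top.is_dir() else [])
        for p in candidates:
            if p.is_file() and not p.is_symlink():
                snap[str(p)] = fingerprint(p)
    return snap

def compare(baseline: dict, current: dict) -> dict:
    """Files added, removed or changed (hash, size, mode or owner) since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

if __name__ == "__main__":
    if sys.argv[1:] == ["init"]:  # take the baseline right after a clean install or upgrade
        Path(BASELINE_DB).write_text(json.dumps(snapshot(WATCH_DEFAULT), indent=1))
    else:                          # any non-empty list below deserves investigation
        baseline = json.loads(Path(BASELINE_DB).read_text())
        print(json.dumps(compare(baseline, snapshot(WATCH_DEFAULT)), indent=1))
```

Re-run `init` after every legitimate upgrade or config edit, exactly as the reply says tripwire's database must be refreshed, or the next check will report the upgrade as a modification.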