[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: chkrootkit infected ports 2881 - conundrum

Osamu Aoki on 25/08/08 16:41, wrote:

On Thu, Aug 14, 2008 at 10:51:56PM +0100, Adam Hardy wrote:
Adam Hardy on 13/08/08 10:27, wrote:
Martin on 12/08/08 16:34, wrote:
On Tue, Aug 12, 2008 at 5:12 PM, Adam Hardy <adam.ant@cyberspaceroad.com>
The question is, what do I replace chkrootkit with, especially if stuff
like rkhunter's not much better?
tripwire maybe?

apt-cache show tripwire Description: file and directory integrity
checker Tripwire is a tool that aids system administrators and users
in monitoring a designated set of files for any changes.  Used with
system files on a regular (e.g., daily) basis, Tripwire can notify
system administrators of corrupted or tampered files, so damage
control measures can be taken in a timely manner.
I don't have access to a floppy or cdrom drive - the server is hosted
somewhere at an ISP. I think any cracker would just re-run tripwire
if they found it installed.
The only suggestion so far is that I script a solution (or adapt existing ones).

Have you looked at harden-doc and its friends in archive.  (Many are
virtual packages to lead you to the good tools) tripwire is just one of
the tools.
I do not think you need to have CDROM to be sure and your quick
scripting may not come close to tripwire which protect itself with

Even for simple hush you do not need home made hush.  Have you looked
at debsum?  If a pakage is tampered, debsum gets updated and detectable.

Surely there's a package available that's made for people with 1 or 2 hosted servers that need a foolproof cracker alarm?

Are you saying package available is not good enough?

Looking through apt-cache search, there seem to be loads of nasty
packages available for people who might want to attack my server, but
not much that I can use to check whether I've been rooted.

I do not understand what is "nasty".

Anyway, all your answer is in harden-doc.

Also available on web as:

After reading up on this and thinking about the situation, I believe that it's not actually solveable for me.

As stated previously, I saw what was possibly a false alarm from chkrootkit recently on my webserver, hosted somewhere where I only have ssh access and definitely no physical access to provide a CD or any read-only media.

After the attack, I quickly realized that I have no definitive way of deciding if my system was rooted or not, and so I installed rkhunter. This provides a simple hash-based mechanism to create an image of the clean system (although I can't actually do that with the Etch version).

However even if I had been able to create the hashes on my system for rkhunter, they would have to be on read-write media, i.e. the system's local hard drive, and therefore could also be 'rooted' by the hacker, preventing rkhunter from identifying the attack.

I am not aware of an actual Debian package or indeed any program that can get around this simple conundrum.

After-the-attack identification of a rootkit attack, it seems, can always be compromised if there is no safe read-only hash or encryption of the known-good system binaries.


Reply to: