Re: chkrootkit infected ports 2881 - conundrum
Adam Hardy wrote:
After the attack, I quickly realized that I have no definitive way of
deciding if my system was rooted or not, and so I installed rkhunter.
This provides a simple hash-based mechanism to create an image of the
clean system (although I can't actually do that with the Etch version).
However even if I had been able to create the hashes on my system for
rkhunter, they would have to be on read-write media, i.e. the system's
local hard drive, and therefore could also be 'rooted' by the hacker,
preventing rkhunter from identifying the attack.
I am not aware of an actual Debian package or indeed any program that
can get around this simple conundrum.
After-the-attack identification of a rootkit attack, it seems, can
always be compromised if there is no safe read-only hash or encryption
of the known-good system binaries.
Unfortunately, I think that if you do not have physical access to the
machine, this problem is (at least theoretically) unsolvable.
The checksums must be created when the system is in a known good state,
preferably just after system installation, and stored somewhere else.
With physical access, you can burn them on a CD. Without that, the
machine must be connected to the network for the installation of
packages, checksum generation and final transfer of the checksum file to
another machine. In theory there could be an attack during that time,
and you could end up with a file with false checksums, but the attacker
must be able to use that time opportunity, and since you only need a ssh
server, I'd say it's quite unlikely that the checksum file is someway
The biggest problem is in verification time. If you have physical
access, you can boot a Live-CD and run the checksum verification with a
program that is known to be good. However, without physical access,
you'd have to resort to checking the system as it is, that is, in a
possibly infected state. And in this case, you'd end up using the
checksum program that is in the system, which could be modified to hide
the rootkit, and you'd not find the infection.
There are ways to try to circumvent that (such as copying a statically
linked checksum program and using that instead of the system one), but
if the rootkit is running, it could, at least in theory, hide itself,
for example by intercepting system calls that read infected files and
returning instead data corresponding to a good file.
The only way to be completely sure that you are getting reliable results
is to run the verification when the rootkit could not be running - and
this requires you to boot into another system via a Live CD, or to remove
the HD, install it in another machine and boot that second machine, for
example. Both cases require physical access.