Detecting Rootkits In GNU/Linux

Posted by kdawson on Mon Dec 18, 2006 03:19 PM
from the watching-your-back dept.
An anonymous reader sends note of a blog post on rootkit detection in GNU/Linux. The article mentions only two utilities for ferreting out rootkits — the first comment to the blog post lists three additional ones — but it could be useful for those who haven't thought about the problem much. From the article: "A rootkit... is a collection of tools that a cracker installs on a victim's computer after gaining initial access. It generally consists of log cleaning scripts and trojaned replacements of core system utilities such as ps, top, ifconfig and so on."
  • ifl (Score:3, Informative)

    by stoolpigeon (454276) * <bittercode@gmail> on Monday December 18 2006, @03:21PM (#17291050) Homepage Journal
    I think that there is room to mention the well known tools such as AIDA and TripWire and LogCheck.
    • Re:ifl (Score:5, Informative)

      by Moby Cock (771358) on Monday December 18 2006, @03:39PM (#17291312) Homepage
      Most modern rootkits are kernel level and Trip Wire can not readily detect them. Nevertheless it is still useful to have at hand.
      • Re:ifl (Score:5, Funny)

        by stoolpigeon (454276) * <bittercode@gmail> on Monday December 18 2006, @03:44PM (#17291392) Homepage Journal
        i have no idea. i've never used any of them. this is a joke gone completely wrong. i just copied and pasted the comment from over at tfa. hence my subject: ifl (it's funny laugh). i figured it'd end up troll, over-rated, but i got such a laugh out of doing it (sorry i'm easily amused) that i figured it was worth it. in what is a horrid twist of fate, i now feel bad for getting modded up.
      • Re:ifl (Score:4, Insightful)

        by computational super (740265) on Monday December 18 2006, @04:05PM (#17291710)

        You know, one of the things I'd like to do if I had more time and knew how to do it would be to create a bootable "system scan" disk. A rootkit could hide itself from tripwire et al, but it couldn't hide from a bootable CD. I guess you can sort of achieve the same effect with Knoppix with a bit of work, but it would be nice to have something that I could use to scan a machine for vulnerabilities without using the hard drive to boot at all.

        • Re: (Score:3, Informative)

          by Anonymous Coward
          Something like this [s-t-d.org]?
  • For starters, why you do NOT keep any sort of compiler on your machine.

    It's rather difficult to load kernel obfuscation modules (like hiding processes and files) without header files and no compiler.

    It'd be even better if you could make every program execute only (no reading) and hide /proc through something like NSASecurity setup. What they don't know, they can't do much with. Obfuscation, THEN security. Keep 'em guessing.
    • Re:This is... (Score:5, Informative)

      by Rosco P. Coltrane (209368) on Monday December 18 2006, @03:27PM (#17291152)
      It's rather difficult to load kernel obfuscation modules (like hiding processes and files) without header files and no compiler.

      I'll tell you a little secret: if you know the kernel version number and target architecture, you can build a module on another, totally different machine. Wow! 2007 technology man!
        • Re:This is... (Score:5, Interesting)

          by seifried (12921) on Monday December 18 2006, @03:54PM (#17291540)
          Does root have access to /proc/kcore? If yes then an attacker with root access can modify the kernel in memory as needed. Heck there's even projects to bring this into the mainstream for carrier grade Linux (no need for those pesky reboots after a kernel upgrade): http://pannus.sourceforge.net/ [sourceforge.net]
    • Re:This is... (Score:5, Interesting)

      by psycho8me (711330) on Monday December 18 2006, @03:27PM (#17291160) Journal
      That may have been true 30 years ago when a compiler license cost thousands. If a person has write access to your system, they can just copy a compiler binary over.
            • Re: (Score:3, Insightful)

              Point well taken, but I do wonder how often these kind of exploits actually happen in the wild on linux or on commercial unixen.

              Often enough. Exploits will be written for any OS that has a decent return on investment time wise. These days that means both Windows and Linux. You could actually see this when the better architected OpenSSH became the standard for most Linux distros: the move to Linux brought a bunch of new eyes to go over the code and a bunch of exploits got discovered in a really short

    • by brunes69 (86786) <slashdot.keirstead@org> on Monday December 18 2006, @03:28PM (#17291178) Homepage
      It's pretty trivial to just deduce what kernel the machine is running and build working binaries wherever you want. In fact it would be preferred, since a sysadmin is far more likely to notice a rogue gcc process sucking up CPU than a file transfer while the rootkit is being loaded.

      Anyway - if the person has root on the box (which they need to install the rootkit anyway), then they can just ship up THEIR OWN COMPILER if they want to regardless.

        • This [acm.org] is a good place to start. There are more ways to break into a house than there are doors.
        • by profplump (309017) <zach@kotlarek.com> on Monday December 18 2006, @04:26PM (#17292046) Homepage

          First, let me introduce you to the file command, which can tell me all about your arch. Or failing that, less, or any other program that can read any binary on your system. Your binary executables necessarily include information about their format, including their architecture.

          spaceheater ~ 0$ file /bin/bash
          /bin/bash: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.0.0, dynamically linked (uses shared libs), not stripped

          Second, why are you worried about compilers and version numbers if you're so sure people can't load modules anyway? What exactly are you trying to protect? There's something to be said for a minimalistic system, but you've yet to explain how having a compiler installed poses any sort of realistic security threat.

          Finally, what's to keep someone from simply replacing your entire hand-compiled, monolithic kernel? Even if you disable all the ways to do this without rebooting -- kexec() and /proc/kcore, probably among others -- they could always reboot the machine. Sure, you'd notice the reboot, but would you be able to detect their change after the reboot?

          I'd also like to mention that OS-enforced append-only files are a poor substitute for logging to a hardware-enforced WORM drive, particularly if we're talking about rootkits. You're still fundamentally relying on the OS to provide protection, which isn't reasonable when a rootkit has been installed.

    • by diegocgteleline.es (653730) on Monday December 18 2006, @03:54PM (#17291544)
      Real men and real hackers write their programs in binary code, not in stupid and bloated assembler.
    • Oh what's a Gentoo user to do?
  • by Rosco P. Coltrane (209368) on Monday December 18 2006, @03:24PM (#17291108)
    ... with the Internet Freedom Disk [slashdot.org]!
    • Re: (Score:2, Funny)

      by Anonymous Coward
      ... with the Internet Freedom Disk!
      First it was "freedom fries," and now they've gone and corrupted what was once a perfectly fine Internet French Disk with their misplaced patriotism.
  • OSSEC HIDS (Score:2, Informative)

    I prefer OSSEC HIDS to do this. Look at www.ossec.net; I think this is the most powerful agent ever :)
  • Pish Posh (Score:5, Funny)

    by eno2001 (527078) on Monday December 18 2006, @03:26PM (#17291136) Homepage Journal
    It's GNU/Linux. Any hacker worth his salt doesn't want to bother with archaic OSes based on Unix. He wants the 1337 stylings of Windows Vista. No sense in rootkitting a *nix box. You can't do anything with a *nix box. But an army of zombie Vista PCs, now THAT is ULTIMATE POWER!
    • Yes, but... (Score:5, Funny)

      by Darlantan (130471) on Monday December 18 2006, @03:36PM (#17291268)
      You have your l33t ninja with his army of zombie Windows boxes... ...but how do they stack up to the *nix pirates, and their FTPs on the seven seas of the intarwebs? It's the classic clashes, modernized. Who has the REAL Ultimate Power?
      • You missed the point entirely. With the super smooth graphics of Vista on desktop supercomputers, the hacker will be able to impress his friends with wicked screenshots of the hacked desktop themes he forced on unwilling users. "Oh ho!! So you think the "X" close widget is on the upper right of your window do you? We'll fix that... I'll just dig into Raster's Enlightenment theme library and put it in the middle of the bottom of the window and make it a black button on a black background"! The sheer beau
  • Read Only Drives (Score:5, Interesting)

    by DigitalRaptor (815681) on Monday December 18 2006, @03:38PM (#17291292) Homepage
    I run Gentoo Linux servers for hosting email and websites, and have wanted a way to really secure the boxes.

    Many hard drives have jumpers that make them read only.

    I thought it would be great to have all of the rarely changed portions of the operating system on a separate drive set to read only.

    The only time you would move the jumper to read-write would be when you were installing updates.

    Things like /tmp, /var/log, etc. would always have to be on a read-write drive.

    But having things like /usr/bin on a read-only drive seems like an effective way to protect against many, many different root-kits, worms, etc.

    What do you think? Feasible or impractical?

    • I've seen CD-based distros that have / as read-only. That certainly is possible, and the Picotux 100 computers are also set up like that on delivery: a read-only / and a read-write /usr filesystem.

      You probably want to make at least /tmp, /var, /home, /mnt, the swap space, and parts of /usr read-write. I am quite certain that this is possible.

    • Re:Read Only Drives (Score:5, Informative)

      by chill (34294) on Monday December 18 2006, @03:56PM (#17291572) Journal
      Impractical, because it requires you to dedicate a drive to the stuff that can be mounted RO. Just mount the PARTITION read-only, instead.

      If you have more than one machine, get a dedicated syslog server and send the logs from the other machines over to it. This way logs aren't on the main machines and it is much harder to compromise the audit trail.

      For businesses, get something like a Trigeo appliance [trigeo.com] and keep an eye on the behavior of everything.

      Make sure all your permissions/rules are based off the concept of "default deny, explicit allow".

      You could also build a monolithic kernel and not allow modules at all. Kind of hard to insert a corrupt module if the kernel isn't modular!

        Charles
      • Mounting the partition read only is easily overcome as soon as they have root. Change /etc/fstab, unmount, and remount and the partition is now read-write.

        A dedicated syslog server is always a good idea if it fits the budget.

      • by noahm (4459) on Monday December 18 2006, @04:51PM (#17292476) Homepage Journal
        Impractical, because it requires you to dedicate a drive to the stuff that can be mounted RO. Just mount the PARTITION read-only, instead.

        # mount -o remount,rw /readonly/partition

        So that won't help you...

        You could also build a monolithic kernel and not allow modules at all. Kind of hard to insert a corrupt module if the kernel isn't modular!

        That won't help either: http://doc.bughunter.net/rootkit-backdoor/kmem-patching.html [bughunter.net] Most modern kernel-level rootkits do not depend on the ability to dynamically load modules.

        noah

    • But having things like /usr/bin on a read-only drive seems like an effective way to protect against many, many different root-kits, worms, etc.

      Ineffective and simply feel-good security.

      If someone has root on your box (which is needed to install a rootkit) then they can just copy the read-only system to the writeable disk and mount it r/w. Now, given that they *already* know how to get root on the box then rebooting will clear whatever changes they made, but also put your system back into the configuration

      • You're assuming that /etc/fstab is on the read-write disk. If it's on the read-only disk, they've accomplished nothing and your system is clean after a reboot.

        Other things may be compromised, but your core OS would not be. And if other things are compromised, those things are more likely to be backed up and resurface after you restore the server.

        • Re: (Score:3, Insightful)

          I'm not assuming anything is on a read-write disk. If the attacker is able to load arbitrary code into the kernel then it doesn't matter where /etc/fstab is - they can just rewrite the kernel at runtime to mount a disk without worrying about /etc/fstab.

          Yes - your machine will be "clean" after a reboot, but because you've made it read only it will be vulnerable to whatever attack gave them root in the first place.

          Any system - read/write or read only root drive can be reset to a known configuration with litt
          • Regardless of the exploit used to gain root, how many of today's rootkits do you think don't require being able to write to some of the files that would be on the read-only drive?

            Nothing will prevent all rootkits.

            But having files (like /bin/login, a common one changed by rootkits) on a read-only drive may prevent many of the existing rootkits from doing damage or working at all.

            If everyone were doing this and it were built into the distributions, then yes, rootkits would be written around this strategy. But
      • Good question. I was always under the impression you could, though it would probably vary by vendor.

        I was going to build a device that allowed me to switch between read-only and read-write remotely over TCP/IP or dial in (for servers in a data center).

        This was 4 or 5 years ago and I was using Red Hat and security wasn't nearly as good (in any distribution).

        I sleep better at night using hardened Gentoo, but if the read-only method were feasible I'd build it into my next server for sure and sleep even better
      • Yeah, there's a program you can run to flip them whenever you need to. I had to install it SUID root though.

        • is that like that software for making sandwiches?
           
          i kid, i kid. i'm just an xkcd fanboy with too much time on his hands.
        • Re: (Score:3, Informative)

          You'd want to be able to flip it on the fly for OS updates. Otherwise, you're looking at pretty routine downtime -- which may or may not be an issue for you.
          • Re: (Score:2, Interesting)

            This is where about $5.00 worth of parts and a soldering iron will help you out.

            Most all chassis have at least ONE empty slot. Buy a simple miniature SPST toggle switch and some thin wire. Take a jumper and split it electrically, then solder a wire to each jumper socket. Solder each end of the two wires to the pins on the toggle switch. Drill an appropriate hole in the slot dust cover and mount the switch, or just feed the wires out and mount the switch on something close to the box. You now have on the

        • "Why would you want to flip it on the fly? I thought the parent thread's point was to get the OS setup and secured, and then hardware jumper it to read only"

          Yeah, that's quite easy on a publicly exposed machine where almost weekly some security-concerning bug is found... especially talking about Gentoo as the OS of choice!
          • Re:Read Only Drives (Score:5, Interesting)

            by djh101010 (656795) * on Monday December 18 2006, @04:35PM (#17292184) Homepage Journal
            Right, but now if you want to install a program or security update you have to power off, change jumper, power on, install, power off, reset jumper, power back on. This may or may not be worth it, particularly in the case of a security update.

            Amazingly enough, I can draw on 25 year old experience on this one, sort of. Back in the early 1980s, I ran a BBS on a dialup TRS-80. The floppy drives, I put toggle switches on the front of so the read-only setting could be changed on the fly. So worst case, it'd be something you might be able to put an external switch for that jumper, outside the drive case. Maybe. Might blow up but at the time it worked great.
  • by Timesprout (579035) on Monday December 18 2006, @03:39PM (#17291324)
    When the dark suits turn up on my doorstep with an arrest warrant on charges of attempting to crack confidential government sites I can be pretty sure my machine has been rooted.
  • Wouldn't the first step for a rootkit developer be to add rkhunter and chkrootkit to their list of trojaned programs so that they give a "no rootkit" output? Maybe there's some protection from this, but I don't see it in the article.
  • by sootman (158191) on Monday December 18 2006, @04:03PM (#17291684) Journal
    How hard is it to build a basic but worthwhile rootkit detection tool with common tools? Like run `md5 /bin/*` and then ship the output of that to another machine every day for comparison to yesterday's output of that command? (Looking at other directories as well, of course.) My understanding is that many rootkits come with hacked versions of tools like 'ps' to hide themselves.

    On the one hand, yeah, let's not reinvent the wheel, but on the other hand, there are advantages to building your own tools:
    - you know exactly what they're doing--more complicated pre-existing tools might do more, but if you don't understand their output, they're no good.
    - you don't have to trust*/audit someone else's code
    - they don't do more than you need
    - they don't have features that you don't know about or might misuse
    - at the very least, it's a great way to learn

    * yes, I know about this. [acm.org] but there are reasonable limits--I do trust that my distro came with a clean copy of gcc. OTOH, I'd rather write my own 20-line script than download someone else's that says it does the same thing as what I would write myself but that I'd have to audit for even the smallest things, like sneaking in an
    if ($rooted="no")
    instead of
    if ($rooted=="no")
    • If (and I've never been paranoid enough to worry about it, so it is an "if") you care this much, you have to worry that they'd give you a new version of md5 as well. Sticking a known good version somewhere else under a different name is probably more than enough security there, though.

      Better yet, add a random amount of crap onto your key binaries so that they're non-standard, then get checksums with some theoretically known-good checksummer. Keep an eye on them automatically, and every now and then get th
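The home-grown checksum comparison sketched two comments up, together with the reply's point that the box's own hashing binary is the first thing a rootkit would swap out, as an added example that is not code from this thread. It assumes a POSIX sh with GNU findutils and coreutils (find -print0, sort -z, xargs -r, sha256sum); the HASHER variable, the function names and the baseline file layout are this script's own choices, and the baseline is meant to be copied off the host after every run.

```sh
#!/bin/sh
# Added example, not from the original thread: a minimal file-integrity
# baseline. HASHER can point at a known-good, statically linked copy kept
# somewhere unusual, since the system's own md5sum/sha256sum is exactly
# what a rootkit replaces. Ship the baseline off-host; this script does
# not do that part.
set -u
HASHER=${HASHER:-sha256sum}

# hash_tree DIR... : print "hash  path" for every regular file below the
# given directories, without crossing filesystems, sorted by path so that
# two runs can be compared line by line.
hash_tree() {
    find "$@" -xdev -type f -print0 | sort -z | xargs -0 -r "$HASHER"
}

# compare_baselines OLD NEW : print one ADDED / REMOVED / CHANGED line per
# path by joining the two hash lists on path. Empty output means clean.
# Each list is tagged (O/N) before awk sees it, so an empty or identical
# file on either side is handled correctly.
compare_baselines() {
    { sed 's/^/O /' "$1"; sed 's/^/N /' "$2"; } | awk '
        {
            path = substr($0, index($0, "  ") + 2)   # keep spaces in paths
            if ($1 == "O") old[path] = $2; else new[path] = $2
        }
        END {
            for (p in old) if (!(p in new)) print "REMOVED " p
            for (p in new) {
                if (!(p in old))            print "ADDED   " p
                else if (old[p] != new[p])  print "CHANGED " p
            }
        }
    ' | sort
}

# run_check BASELINE DIR... : rehash DIR..., print any drift against
# BASELINE and return 1 if something differs, 0 when clean. Meant to be
# run from cron with the baseline fetched from the off-host copy.
run_check() {
    base=$1; shift
    cur=$(mktemp) || return 2
    hash_tree "$@" > "$cur"
    drift=$(compare_baselines "$base" "$cur")
    rm -f "$cur"
    [ -n "$drift" ] || return 0
    printf '%s\n' "$drift"
    return 1
}

# Typical use (commented so the file can be sourced):
#   hash_tree /bin /sbin /usr/bin /usr/sbin /lib > baseline.$(date +%F)
#   run_check /mnt/offhost/baseline.2006-12-18 /bin /sbin /usr/bin /usr/sbin /lib
```

sha256sum stands in for the md5 in the comment; the logic is identical with md5sum. Note what this does not catch: a kernel-level rootkit that hides files from the VFS defeats any on-box check, which is why the bootable-CD scan suggested earlier in the thread is the stronger approach.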
  • by straponego (521991) on Monday December 18 2006, @04:07PM (#17291730)
    I just eyeball /proc/kcore for anything suspicious every day or so.
  • "His passwd program has the same name as the real passwd program and works flawlessly in all respects except for the fact that it will also gather data residing on your machine such as the user details each time it is run and transmit it to a remote location or it will open a back door for outsiders by providing easy root access and all the time, you will be impervious about its actions."

    ...I don't think it means what you think it means.

    http://www.answers.com/impervious&r=67 [answers.com]

  • chkrootkit (Score:3, Informative)

    by joe 155 (937621) on Monday December 18 2006, @04:22PM (#17291964) Journal
    chkrootkit is good, I like it anyway; you can get it in Fedora Core 6 through yum (although you don't seem to be able to get rkhunter through yum any more). You have to run it as root, maybe it's something about what it needs to access... anywho, you can get issues with false positives, I just ran it and got:

    Searching for OBSD rk v1... /usr/lib/security
    /usr/lib/security/classpath.security
    ....
    Searching for suspicious files and dirs, it may take a while...
    /usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist

    so I wouldn't worry too much if you see something that looks iffy before you check it out (I'd have been annoyed if I just reinstalled my OS just to find the same thing happening again). It will also show your ethernet port as being in "sniffer". Anywho, best practices can minimize the risk to pretty much 0... oh, but for God's sake PLEASE switch off remote root access on ssh over default ports, ideally switch it off altogether (if you need it please learn how to use it). Ssh coupled with an easily broken root password is the single biggest cause of rootkits... and a huge /var/log/secure!
    • > Ssh coupled with an easily broken root password is the single biggest cause of rootkits

      Which begs^H^H^H^Hdemands the question: why doesn't any distro install one of the many ssh brute-force prevention utilities out of the box? Some of them don't even need to look at logfiles, they're simply common-sense firewall rules.
    • I use "AllowGroups blah" in sshd_config. This prevents any account which is not in the blah group from logging in via ssh. This keeps root out (although I turn root logon off anyway, or set it to use SSH keys only), as well as any system accounts. The disadvantage is that it's slightly more trouble to maintain.
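The ssh advice in the last three comments (no remote root login, keys instead of passwords, AllowGroups, and a brute-force throttle that is nothing more than a firewall rule) as a rerunnable script, added here and not taken from the thread. It assumes OpenSSH sshd_config syntax, GNU awk and sed, iptables with the state and recent match modules, and a group named sshusers (a name chosen for this example) holding the accounts allowed to log in; the function names are this script's own.

```sh
#!/bin/sh
# Added example, not from the original thread. Edits an sshd_config in
# place and prints iptables rules for an ssh brute-force throttle.
set -u

# set_directive FILE KEY VALUE : make KEY exactly VALUE in the global
# section of an sshd_config. The first occurrence (commented out or not,
# as shipped defaults usually are) is rewritten in place; later duplicates
# are commented out, because sshd honours the first match. A missing
# directive is inserted before the first Match block, since most keywords
# are only valid in the global section. Match blocks are left untouched.
set_directive() {
    file=$1 key=$2 value=$3
    awk -v k="$key" -v v="$value" '
        function first_token(s,  f) {
            sub(/^[ \t]*#?[ \t]*/, "", s); split(s, f, /[ \t]+/)
            return tolower(f[1])
        }
        inmatch { print; next }
        $0 !~ /^[ \t]*#/ && tolower($1) == "match" {
            if (!done) { print k " " v; done = 1 }
            inmatch = 1; print; next
        }
        first_token($0) == tolower(k) {
            if (!done)                 { print k " " v; done = 1 }
            else if ($0 ~ /^[ \t]*#/)  print          # already a comment
            else                       print "#" $0   # neutralise duplicate
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# effective_value FILE KEY : the value sshd will use for KEY in the global
# section (first uncommented occurrence, stopping at the first Match).
effective_value() {
    awk -v k="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(k) { print $2; exit }
        tolower($1) == "match"    { exit }
    ' "$1"
}

# harden_sshd FILE : apply the settings discussed in the thread.
harden_sshd() {
    set_directive "$1" PermitRootLogin no
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" PubkeyAuthentication yes
    set_directive "$1" AllowGroups sshusers      # hypothetical group name
    set_directive "$1" MaxAuthTries 3
}

# ssh_throttle_rules [PORT] : print (not apply) iptables rules that drop
# the fourth new connection from one source within 60 seconds. No log
# parsing involved; the kernel's "recent" match keeps the per-address list.
ssh_throttle_rules() {
    port=${1:-22}
    cat <<EOF
iptables -A INPUT -p tcp --dport $port -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport $port -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
EOF
}
```

After harden_sshd, validate with sshd -t before restarting the daemon, and keep an existing session open while you test a fresh login: AllowGroups plus PasswordAuthentication no will lock out anyone whose key is not installed yet. ssh_throttle_rules prints the rules so they can be reviewed and folded into the existing firewall script; because --update refreshes the timestamp on every hit, an attacker who keeps hammering stays blocked for as long as they keep trying.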