Re: have I been rooted?

2003-03-21 Thread Russell Coker
On Thu, 20 Mar 2003 02:43, [EMAIL PROTECTED] wrote:
> 2. Install, setup, learn and use some software such as tripwire, that you
> can use to see whether there are unauthorised changes to system files.

Unless you run tripwire from bootable removable media, that doesn't do much 
good.

> 3.
> Consider mounting /usr ro. One way that appeals to me, but I've not actually
> tried it, is to make an ISO of it and mount it on loopback. If you can have
> / ro, so much the better.

If they crack root then they can mount it read-write.  If you want it really 
read-only then consider using a CD-ROM.

> 4. Make sure that writable partitions are mounted noexec. If someone
> breaks, say Apache as was a possibility a few months ago, you don't want
> them running their cracker kit on your box. Note that this is not perfect,
> '/bin/bash -c "source ./kit"' can still do some damage.

If you install SE Linux then you get much better control over your system.  
When Apache can't even see other processes or write to /tmp it makes such 
exploits much more difficult.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Re: have I been rooted?

2003-03-19 Thread debian
> On Sat, 2003-03-15 at 06:04, David H. Clymer wrote:
> > I just ran chkrootkit, and it at one point indicates that I may have an
> > LKM rootkit installed on my box (see output below). I then downloaded
> > and installed sash, and when I run chkrootkit as sashroot, it doesn't
> > detect anything (also see output below). Which should I believe? Is
> > there any way to determine if there is indeed a LKM rootkit installed
> > without downtime (or at least a minimum)? This box serves as mailserver
> > for approximately 600 users, has no backup or secondary server (all very
> > bad things, I know, but cash is very, very short) and is administered
> > remotely, so taking it down, wiping/reinstalling, is not an option
> > at this point. 
> 
> I had a similar scare with chkrootkit when I first started using it. It
> turns out that it can occasionally give "false positives". Something to
> do with processes completing and vanishing in the middle of checking if
> processes are trying to hide themselves.
> 


Once you are content that you are not rooted (and I don't have an opinion on 
that), there are some measures you can take for hardening.

1. Install Bastille Linux. It's not a Linux distro, it's a hardening toolkit.
2. Install, setup, learn and use some software such as tripwire, that you can 
use to see whether there are unauthorised changes to system files.
3. Consider mounting /usr ro. One way that appeals to me, but I've not actually 
tried it, is to make an ISO of it and mount it on loopback. If you can have / 
ro, so much the better.
4. Make sure that writable partitions are mounted noexec. If someone breaks, 
say Apache as was a possibility a few months ago, you don't want them running 
their cracker kit on your box. Note that this is not perfect, '/bin/bash -c 
"source ./kit"' can still do some damage.
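An added example, not from the thread or any of its participants, that turns items 3 and 4 into a check you can run against a mount table: it reads lines in /proc/mounts format from stdin, flags / and /usr when they are mounted read-write, and flags any other writable filesystem that lacks noexec. The sample mount table is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a mount table against items 3 and 4
# of the hardening list (/usr and / read-only; other writable filesystems noexec).
# Input is in /proc/mounts format on stdin, so the same function runs over the
# constructed sample below or over the live table:  audit_mounts < /proc/mounts
# Output: one "WARN <mountpoint> <reason>" line per finding.

# has_opt OPTS NAME: succeed if NAME appears in the comma-separated OPTS list.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

audit_mounts() {
    # /proc/mounts fields: device mountpoint fstype options dump pass
    while read -r _dev mnt fstype opts _rest; do
        # Kernel pseudo-filesystems carry no attacker-writable files to audit.
        case "$fstype" in
            proc|sysfs|devpts|securityfs|cgroup*|mqueue) continue ;;
        esac
        case "$mnt" in
            /|/usr)
                # Item 3: system binaries should be read-only if at all possible.
                has_opt "$opts" ro || echo "WARN $mnt mounted read-write (consider ro)"
                ;;
            *)
                # Item 4: anything writable should not be directly executable.
                # The thread notes this is a speed bump, not a boundary: an
                # interpreter can still source a script from a noexec mount.
                if has_opt "$opts" rw && ! has_opt "$opts" noexec; then
                    echo "WARN $mnt writable without noexec"
                fi
                ;;
        esac
    done
}

# Constructed sample mount table (not from any real host).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda2 /usr ext3 ro 0 0
/dev/sda3 /var ext3 rw 0 0
/dev/sda5 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda6 /home ext3 rw,nosuid,nodev 0 0
proc /proc proc rw 0 0'

audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
}

audit_sample
```

On the sample this reports / as read-write and /var and /home as writable without noexec, while /usr (ro) and /tmp (noexec) pass.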

Re: have I been rooted?

2003-03-14 Thread Donovan Baarda
On Sat, 2003-03-15 at 06:04, David H. Clymer wrote:
> I just ran chkrootkit, and it at one point indicates that I may have an
> LKM rootkit installed on my box (see output below). I then downloaded
> and installed sash, and when I run chkrootkit as sashroot, it doesn't
> detect anything (also see output below). Which should I believe? Is
> there any way to determine if there is indeed a LKM rootkit installed
> without downtime (or at least a minimum)? This box serves as mailserver
> for approximately 600 users, has no backup or secondary server (all very
> bad things, I know, but cash is very, very short) and is administered
> remotely, so taking it down, wiping/reinstalling, is not an option
> at this point. 

I had a similar scare with chkrootkit when I first started using it. It
turns out that it can occasionally give "false positives". Something to
do with processes completing and vanishing in the middle of checking if
processes are trying to hide themselves.

This is documented somewhere... I did a google search and found
something which explained this behaviour.

-- 
--
ABO: finger [EMAIL PROTECTED] for more info, including pgp key
--
