rootkit

A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer. [read more at http://en.wikipedia.org/wiki/Rootkit]

  • FaF (File Anomaly Finder) is a wrapper for the *nix 'find' utility. It generates audit reports for data matching specific characteristics, such as setgid/setuid files, unowned files, and more. The objective is simply to create a simple anomaly finder that identifies commonly flawed permissions or otherwise suspicious file system characteristics.

    The main features of FaF are:
    • simplistic and to the point audit reports
    • easy setup and configuration
    • audits emailed to customizable address or user
    • ideal for web servers or general purpose workstations
    • audits of setgid/setuid, hidden, unowned, & world writable data
    • very portable
     http://www.r-fx.org/faf.php
    # wget http://www.r-fx.ca/downloads/faf-current.tar.gz
    # tar xvf faf-current.tar.gz

    # cd faf*
    # ./install.sh

    Install path:     /usr/local/faf/
    Config path:     /usr/local/faf/conf.faf
    Executable path: /usr/local/sbin/faf


    Why do you need such a tool?
    Never trust anyone, including sometimes yourself ;-) This tool, correctly used, ensures that you will never forget any files with too many permissions. It may also reveal a hacker putting new files under the user nobody...

    What to do with the output?

    You'll have to react differently to each occurrence in the report...

    SUID/SGID Binaries

    The sticky bit was used on executables in Linux (where it was used more often) so that they would remain in memory for some time after the initial execution, in the hope that they would be needed again in the near future. But since today we have more sophisticated memory-access techniques and the bottleneck related to primary memory is diminishing, the sticky bit is no longer used for this. Instead, it is used on folders, meaning that a file or folder created inside a sticky-bit-enabled folder can only be deleted by its creator. A nice implementation of the sticky bit is the /tmp folder, where every user has write permission but only the users who own a file can delete it. Remember that files inside a folder which has write permission can be deleted even if the file itself doesn't have write permission. The sticky bit comes in useful here.

    SUID or SetUID bit: an executable which has the SUID bit set runs with the ownership of the program owner. That is, if you own an executable and another person runs it, then it runs with your permissions and not theirs. The default is that a program runs with the ownership of the person executing the binary.

    Consider also reading:
    What are the SUID, SGID and the Sticky Bits?

    You can also find them manually by entering:
    # find / -type f \( -perm -04000 -o -perm -02000 \) -print
    The SGID bit is the same as SUID, except that the program runs with the permissions of the group. Another use is that it can be set on folders, making any files or folders created inside the SGID folder have a common group ownership.

    Files in /srv (http root folder)
       You should accept NO files with SUID/SGID in the http root folder. Remove the bits from them all:
            # find /srv -type f \( -perm -04000 -o -perm -02000 \) -exec chmod u-s,g-s {} \;

    No Owner/Group
    May also be an indication that an intruder has accessed your system...
    Can also be found manually by typing:
    # find / \( -nouser -o -nogroup \) -print
    Files in /srv (http root folder)

    Permissions and ownership are linked together to make your server work peacefully. The basic idea is always to give the minimum rights to a file.

    A rule of thumb would be:
    read only for all files: r--r--r-- or r---------
    read and execute for all directories: r-xr-xr-x or r-x------
    The problem is that Apache and PHP also run under their own user...

    A very informative article explaining the problem on a concrete example (Gallery2) can be found at  http://codex.gallery2.org/Gallery2:Security

    At the least (worst), when Apache runs as the wwwrun user in the www group, in your HTTP directory:
    # chown -R wwwrun .
    # chgrp -R www .
    then all files have to be rw------- and directories r-x------
    Advantages: you can use the Joomla! administrator panel
    BUT: any bug in the PHP code, or an attack, can read or overwrite any file! -> highly insecure

    Better would be for all files/directories in your HTTP directory to be changed to the right web user:
    # chown -R cedric .
    # chgrp -R psacln .
    Change all files/directories that have to be written by Apache (cache directories) to:
    # chown -R wwwrun cache
    # chgrp -R www cache
    Advantages: a bug in Apache/PHP, or an attack, cannot touch any of your files.
    BUT: if PHP does not run under your user, the Joomla! panel won't be usable, as Apache/PHP won't be able to install any new components/images.
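    A way to verify the ownership layout just described, as an added example that is not part of the original page: the function lists every entry under the web root that the web server user could write to (owned by the web user with u+w, in the web group with g+w, or world-writable), optionally pruning the one directory that is allowed to be writable. After the chown/chgrp steps, the only hits should be the cache directory and its contents. The user and group names are parameters; wwwrun/www and the `cache` directory are the names used on the page, and the `/nonexistent` default is a placeholder meaning "prune nothing".

```shell
#!/bin/sh
# Added example (not from the original page): report what the web server
# user could write under a web root. Arguments: ROOT WEBUSER WEBGROUP [SKIP]
# WEBUSER/WEBGROUP may be names or numeric ids (find accepts both).
web_writable() {
    skip=${4:-/nonexistent}   # placeholder path: prunes nothing by default
    find "$1" -path "$skip" -prune -o ! -type l \( \
        \( -user "$2" -perm -0200 \) -o \
        \( -group "$3" -perm -0020 \) -o \
        -perm -0002 \) -print 2>/dev/null
}

# Return 0 when nothing outside the allowed prefix $4 is writable by the
# web server user/group, 1 otherwise. Use it as a post-deployment check.
web_writable_ok() {
    [ -z "$(web_writable "$1" "$2" "$3" "$4")" ]
}

# Invocation for the layout on the page, from the HTTP directory as root:
#   web_writable . wwwrun www                 # review the full list
#   web_writable_ok . wwwrun www ./cache && echo "only cache is writable"
case "${1-}" in
    "") ;;
    *) web_writable "$@" ;;
esac
```

Run `web_writable` first and read the list; a file in the list that is not under the cache directory is exactly the "any bug in PHP can overwrite it" case the page warns about.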

    Files in / must generally only be available to root
    # chown -R root /etc
    # chgrp -R root /etc
    # find /etc -type f -exec chmod 600 {} \;

    World Writable

    Files in /srv
    must be avoided at all costs! This line removes the world-writable bit from all files in /srv:
    # find /srv -type f -exec chmod o-w {} \;
    This line removes the world-writable bit from all directories in /srv:
    # find /srv -type d -exec chmod o-w {} \;
    Files in /
    You should ignore /proc files, /dev files (hundreds of these are correctly world writable),
    symbolic (soft) links (which should have mode 777), directories with the sticky (save text) bit on, and
    sockets, as these are relatively safe.
    Hidden Files/Paths

    You should normally have no such files! Try to understand why they are there (look in Google), open them and/or move/delete them.
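    The four checks discussed above (SUID/SGID, no owner/group, world writable, hidden files), collected into one report-only script as an added example; this is not FaF's own code nor part of the original page. Each function takes the tree to audit and prints one path per line, and the world-writable check already applies the exclusions listed above (/proc, /dev, symbolic links, sockets and sticky-bit directories), so the output can be reviewed before any of the chmod/chown commands from the page is run. The `faf_style_report` name and the pruning of /home and /root in the hidden-file check are choices made for this example.

```shell
#!/bin/sh
# Added example (not FaF's code and not from the original page): report-only
# 'find' audit for the anomalies discussed above. $1 is the tree to audit.
# Nothing is modified; review the output, then decide what to chmod/chown.

# Regular files carrying the setuid or setgid bit.
audit_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Anything whose owner or group no longer exists in /etc/passwd or /etc/group.
audit_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
}

# World-writable entries, minus the cases the page says to ignore: /proc and
# /dev, symbolic links, sockets, and directories protected by the sticky bit.
audit_world_writable() {
    find "$1" -xdev \( -path /proc -o -path /dev \) -prune -o \
        ! -type l ! -type s -perm -0002 ! \( -type d -perm -1000 \) -print 2>/dev/null
}

# Dot-files and dot-directories. Home directories are full of legitimate
# ones, so they are pruned here; everything else deserves a look.
audit_hidden() {
    find "$1" -xdev \( -path /home -o -path /root -o -path /proc -o -path /dev \) -prune -o \
        -name '.*' ! -name '.' -print 2>/dev/null
}

# Print all four reports for one tree (default: the whole system).
faf_style_report() {
    root=${1:-/}
    for check in audit_suid_sgid audit_unowned audit_world_writable audit_hidden; do
        echo "== $check on $root =="
        "$check" "$root"
    done
}

# Usage from a root shell:  sh audit.sh /     (or a subtree such as /srv)
case "${1-}" in
    "") ;;
    *) faf_style_report "$1" ;;
esac
```

Run it on /srv first: on a web root every line of the SUID/SGID and world-writable sections is a finding, whereas on / the SUID section will legitimately contain su, passwd and friends and needs to be compared against a known-good baseline rather than cleared.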
  • chkrootkit is a tool to locally check for signs of a rootkit. It is a common Unix-based program intended to help system administrators check their system for known rootkits. It works by using several mechanisms, including comparison of file signatures to known rootkits and checking for suspicious activity (processes listed in the proc filesystem but not in the output of the 'ps' command).
    Log in to the server with ssh as the root user

    Download chkrootkit.
    # wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

    Unpack the chkrootkit you just downloaded.
    # tar xvzf chkrootkit.tar.gz

    Go to that directory
    # cd chkrootkit

    Compile
    # make sense

    Run
    # ./chkrootkit

     
    • Receive an e-mail every day with the chkrootkit result
    For the root user
    # crontab -e
    For any user
    # crontab -e -u username

    and add

    0 3 * * * (/usr/sbin/chkrootkit 2>&1 | mail -s "chkrootkit output" -c copy1@example.com,copy2@example.com you@example.com)

    * the correct path can be found with: which chkrootkit
    This will run chkrootkit at 3:00 am every day, and e-mail the output to you@example.com with copies to copy1@example.com and copy2@example.com (placeholder addresses: substitute your own).

    False alarms:
     "Checking `bindshell'... INFECTED (PORTS: 465)" This is normal and  NOT really a rootkit.

    Nota
    If you ever get a positive alarm, you can try to remove the rootkit, but all professionals would advise you to reinstall the server from scratch and restore a previous backup (that means saving nothing from the server as soon as the rootkit is revealed...).

    Links
    chkrootkit
  • Rootkit Hunter is a scanning tool to ensure you are about 99.9%* clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests like:
    • MD5 hash compare
    • Look for default files used by rootkits
    • Wrong file permissions for binaries
    • Look for suspected strings in LKM and KLD modules
    • Look for hidden files
    • Optional scan within plaintext and binary files
    Rootkit Hunter is released as a GPL-licensed project and is free for everyone to use.
    # wget http://downloads.rootkit.nl/rkhunter-1.1.4.tar.gz
    # tar -xzvf rkhunter-1.1.4.tar.gz
    # cd rkhunter
    # ./installer.sh


    Receive an e-mail every day with the Rootkit Hunter result
    For the root user
    # crontab -e
    For any user
    # crontab -e -u username

    and add

    0 3 * * * (/usr/local/bin/rkhunter --checkall --cronjob 2>&1 | mail -s "rkhunter output" -c copy1@example.com,copy2@example.com you@example.com)

    * the correct path can be found with: which rkhunter
    This will run Rootkit Hunter at 3:00 am every day, and e-mail the output to you@example.com with copies to copy1@example.com and copy2@example.com (placeholder addresses: substitute your own).
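    The two cron jobs above (chkrootkit and Rootkit Hunter) mail the complete report every night, which quickly trains people to ignore the mail. As an added example that is not part of the original page and not code from either project, here is a small triage filter to put between the scanner and `mail`: it keeps only the INFECTED / Warning lines, drops the entries on a short allowlist of known-benign findings (seeded with the bindshell/465 false alarm mentioned above), and mails only when something remains. The scanner path, the recipient and the `rootkit-triage.sh` file name are placeholders chosen for the example; the sample report is constructed, not real scanner output.

```shell
#!/bin/sh
# Added example (not from chkrootkit, rkhunter or the original page):
# triage a scanner report and mail only the lines that need attention.

# Allowlist of known-benign findings, one grep -E pattern per line.
# Keep it short and review it: every pattern hides a finding.
ALLOWLIST='bindshell.*INFECTED \(PORTS: +465\)$'

# Read a scanner report on stdin, print the lines still needing attention,
# and return 1 if there are any (0 means the report is clean).
triage_report() {
    findings=$(grep -E 'INFECTED|Warning' | grep -Ev "$ALLOWLIST" || true)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample output in chkrootkit's format (not a real scan) for a
# dry run; the argument "infected" appends one genuine-looking hit.
sample_report() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... chkproc: nothing detected
EOF
    [ "${1-}" = infected ] && echo "Checking \`ifconfig'... INFECTED"
    return 0
}

# Cron entry point: scan, triage, mail only on findings. The exit status
# follows the triage result so cron's own failure notification fires too.
scan_and_mail() {
    scanner=${1:-/usr/sbin/chkrootkit}   # path from 'which chkrootkit'
    rcpt=${2:-root@example.com}          # placeholder recipient
    # $scanner is deliberately unquoted so it may carry flags
    if findings=$($scanner 2>&1 | triage_report); then
        return 0
    fi
    tool=$(basename "${scanner%% *}")
    printf '%s\n' "$findings" | mail -s "$tool: findings on $(hostname)" "$rcpt"
    return 1
}

# crontab line, same 03:00 schedule as above; for Rootkit Hunter pass
# "/usr/local/bin/rkhunter --checkall --cronjob" as the scanner argument:
#   0 3 * * * sh /usr/local/sbin/rootkit-triage.sh run /usr/sbin/chkrootkit root@example.com
case "${1-}" in run) scan_and_mail "$2" "$3" ;; esac
```

A pattern goes on the allowlist only after the finding has been explained, the way the page explains the bindshell/465 line (port 465 is the SMTPS port of the mail server, not a rootkit); an allowlist that grows without that step silently turns the scanner off.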

    Nota
    If you ever get a positive alarm, you can try to remove the rootkit, but all professionals would advise you to reinstall the server from scratch and restore a previous backup (that means saving nothing from the server as soon as the rootkit is revealed...).

    Links

    http://www.rootkit.nl/projects/rootkit_hunter.html
  • A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system. Rootkits have their origin in benign applications, but in recent years have been used increasingly by malware to help intruders maintain access to systems while avoiding detection. Rootkits exist for a variety of operating systems, such as Microsoft Windows, Linux and Solaris. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules. [WikiPedia]

    Rootkit Hunter is a scanning tool which scans for rootkits, backdoors and local exploits by running tests like:
    • MD5 hash compare
    • Look for default files used by rootkits
    • Wrong file permissions for binaries
    • Look for suspected strings in LKM and KLD modules
    • Look for hidden files
    • Optional scan within plaintext and binary files
    Rootkit Hunter is released as GPL licensed project and free for everyone to use. You can download it at
    http://www.rootkit.nl/projects/rootkit_hunter.html

    This tool is just a tar with a set of files inside. It is highly recommended to run it from read-only media to avoid tampering attempts by a hacker. Run
    # ./installer.sh
    then
    # rkhunter

    h790663:/var/www/vhosts/waltercedric.com/private # rkhunter

    Rootkit Hunter 1.2.9, Copyright 2003-2006, Michael Boelen

    Under active development by the Rootkit Hunter project team. For reporting
    bugs, updates, patches, comments and questions see: rkhunter.sourceforge.net

    Rootkit Hunter comes with ABSOLUTELY NO WARRANTY. This is free software,
    and you are welcome to redistribute it under the terms of the GNU General
    Public License. See LICENSE for details.


    Valid parameters:
    --checkall (-c)           : Check system
    --createlogfile <file>*   : Create logfile (file is optional, defaults to
                              : /var/log/rkhunter.log)
    --cronjob                 : Run as cronjob (removes colored layout)
    --display-logfile         : Show logfile at end of the output
    --help (-h)               : Show this help
    --nocolors*               : Don't use colors for output
    --report-mode*            : Don't show uninteresting information for reports
    --report-warnings-only*   : Show only warnings (lesser output than --report-mode,
                              : more than --quiet)
    --skip-application-check* : Don't run application version checks
    --skip-keypress (-sk)*    : Don't wait after every test (non-interactive)
    --quick*                  : Perform quick scan (instead of full scan)
    --quiet*                  : Be quiet (only show warnings)
    --update                  : Run update tool and check for database updates
    --version                 : Show version and quit
    --versioncheck            : Check for latest version

    --bindir <bindir>*        : Use <bindir> instead of using default binaries
    --configfile <file>*      : Use different configuration file
    --dbdir <dir>*            : Use <dbdir> as database directory
    --rootdir <rootdir>*      : Use <rootdir> instead of / (slash at end)
    --tmpdir <tempdir>*       : Use <tempdir> as temporary directory

    Explicit scan options:
    --allow-ssh-root-user*    : Allow usage of SSH root user login
    --disable-md5-check*      : Disable MD5 checks
    --disable-passwd-check*   : Disable passwd/group checks
    --scan-knownbad-files*    : Perform besides 'known good' check a 'known bad' check
    --check-deleted           : Perform 'deleted files' check
    --check-listen            : Perform 'listening applications' check

    Multiple parameters are allowed
    *) Parameter can only be used with other parameters



    False alarms:

    * Filesystem checks
       Checking /dev for suspicious files...                      [ OK ]
       Scanning for hidden files...                               [ Warning! ]
    ---------------
    /etc/.pwd.lock /dev/.udevdb
    ---------------
    Please inspect:  /dev/.udevdb (directory)


    /dev normally contains only device names, and hence udev stores its private configuration information in a hidden directory. Rkhunter complains because rootkits are known to create such directories.
     
  • After "Microsoft Warns of New Security Threat: System monitoring programs, called rootkits, may pose a serious danger to your PC", it is time to see what offerings are available to protect our PCs...

    A root kit is a set of tools used by an intruder after cracking a computer system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes. Root kits exist for a variety of operating systems such as Linux, Solaris, and versions of Microsoft Windows. [WikiPedia]

    The Windows rootkit threat has never been as high as today: Rootkit creators turn professional
    All major antivirus vendors are now starting to provide solutions, with more or less success:
    • Symantec: Hacktool.Rootkit comprises a set of programs and scripts that work together to allow attackers to break into a system. If Hacktool.Rootkit is detected on a system, it is very likely that an attacker has gained complete control of that system. All files that are detected as Hacktool.Rootkit should be deleted. Infected systems may need to be restored from backups or patched to restore security.
    • Sysinternals is a company better known for its hacking and developer tools, but they were the first to give away a free rootkit revealer and detection program.
    • F-Secure Corp has added rootkit-detection features to its product suite: F-Secure BlackLight
    • Microsoft: Strider GhostBuster is a future tool from the giant.


    The only problem is that the only real solution is to restore your system from a "non-corrupted" OS version (the difficulty is having enough backups)...

    Also do not forget to visit the biggest community (33 000 users) at www.rootkit.com


  • Microsoft security researchers are warning about a new generation of powerful system monitoring programs, or "rootkits," that are almost impossible to detect using current security products and that could pose a serious risk to corporations and individuals. More Here

    Rootkits replace parts of the kernel or of programs in order to operate in the background or avoid being detected... As usual, there is a good chance that Windows gets attacked more often, since:
    • You are running as an admin user, or
    • M$ program isolation is a joke (sandboxing, user rights...).
    scary...
    Note: a tool to detect a lot of them under Linux: chkrootkit; version 0.44 is available under YaST on SUSE 9.2. To launch it after installation, simply type as root: chkrootkit