lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 30 Sep 2011 21:54:48 -0700
From:	Greg KH <greg@...ah.com>
To:	David Miller <davem@...emloft.net>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: kernel.org status: hints on how to check your machine for
 intrusion

On Fri, Sep 30, 2011 at 09:15:20PM -0400, David Miller wrote:
> From: Greg KH <greg@...ah.com>
> Date: Fri, 30 Sep 2011 16:59:24 -0700
> 
> > 1. Install the chkrootkit package from your distro repository and see if it
> >    reports anything.  If your distro doesn't have the chkroot package,
> >    download it from:
> > 	http://www.chkrootkit.org/
> > 
> >    Another tool is the ossec-rootcheck tool which can be found at:
> > 	http://www.ossec.net/main/rootcheck
> > 
> >    And another one is the rkhunter program:
> >    	http://www.rootkit.nl/projects/rootkit_hunter.html
> >    [Note, this tool has the tendancy to give false-positives on some
> >    Debian boxes, please read /usr/share/doc/rkhunter/README.Debian.gz if
> >    you run this on a Debian machine]
> 
> I quickly found that it gives false positives on Fedora15 too.
> 
> It thinks one is infected with Suckit.
> 
> It's check is essentially "strings /sbin/init | egrep HOME" which
> triggers with:
> 
> 	XDG_CONFIG_HOME
> 	XDG_DATA_HOME
> 	HOME=%s
> 
> I'm sure chkrootkit might be useful as a guide, but the seeming
> pervasiveness of it's false positives make it much less useful than it
> could be.

That's sad, but the combination of the three tools should give some
sense of what is going on if things are really valid or not, hopefully.

It was tough to write this in a way that would be applicable to the
large variety of systems we all use, so little differences like this
will happen.  Hopefully people take this as a guideline of things to do
to try to ensure the safety of a system.

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ