> On Sat, 2003-03-15 at 06:04, David H. Clymer wrote:
> > I just ran chkrootkit, and at one point it indicates that I may have an
> > LKM rootkit installed on my box (see output below). I then downloaded
> > and installed sash, and when I run chkrootkit as sashroot, it doesn't
> > detect anything (also see output below). Which should I believe? Is
> > there any way to determine if there is indeed an LKM rootkit installed
> > without downtime (or at least a minimum)? This box serves as mailserver
> > for approximately 600 users, has no backup or secondary server (all very
> > bad things, I know, but cash is very, very short) and is administered
> > remotely, so taking it down, wiping/reinstalling, is not an option
> > at this point.
>
> I had a similar scare with chkrootkit when I first started using it. It
> turns out that it can occasionally give "false positives". Something to
> do with processes completing and vanishing in the middle of checking if
> processes are trying to hide themselves.
>
Once you are content that you are not rooted (and I don't have an opinion on that), there are some measures you can take for hardening.

1. Install Bastille Linux. It's not a Linux distro, it's a hardening toolkit.

2. Install, set up, learn and use some software such as Tripwire, that you can use to see whether there are unauthorised changes to system files.

3. Consider mounting /usr ro. One way that appeals to me, but I've not actually tried it, is to make an ISO of it and mount it on loopback. If you can have / ro, so much the better.

4. Make sure that writable partitions are mounted noexec. If someone breaks, say, Apache as was a possibility a few months ago, you don't want them running their cracker kit on your box. Note that this is not perfect, '/bin/bash -c "source ./kit"' can still do some damage.
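As an added example that is not part of the thread, a small POSIX shell/awk check for points 3 and 4 above: it reads a mount table in /proc/mounts format and reports a writable /usr and any writable partition mounted without noexec (and nosuid/nodev, which usually belong alongside it). The sample mount table is constructed; the function name `audit_mounts` is an assumption, and the check covers mount options only, not the bash "source" caveat the author raises.

```shell
#!/bin/sh
# Added example (not from the thread): audit which mounted filesystems fall short of
# points 3 and 4 above, i.e. /usr not read-only, or a writable partition without
# noexec (plus nosuid/nodev, which are usually wanted alongside it).
# Input is /proc/mounts format: "device mountpoint fstype options dump pass".

audit_mounts() {
    # $1: mount table text. Prints one "MOUNTPOINT: OPTION" line per shortcoming.
    printf '%s\n' "$1" | awk '
        $1 ~ /^\// {                          # block-device mounts only (skip proc, tmpfs, ...)
            n = split($4, opts, ",")
            rw = 0; noexec = 0; nosuid = 0; nodev = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "rw")     rw = 1
                if (opts[i] == "noexec") noexec = 1
                if (opts[i] == "nosuid") nosuid = 1
                if (opts[i] == "nodev")  nodev = 1
            }
            if ($2 == "/usr" && rw) print "/usr: rw"
            if ($2 == "/" || $2 == "/usr") next   # these hold the binaries; they cannot be noexec
            if (!rw) next                         # a read-only partition needs no noexec
            if (!noexec) print $2 ": noexec"
            if (!nosuid) print $2 ": nosuid"
            if (!nodev)  print $2 ": nodev"
        }'
}

# Constructed sample table standing in for /proc/mounts on a box like the one described.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /usr ext3 rw 0 0
/dev/sda3 /var ext3 rw,nosuid,nodev 0 0
/dev/sda5 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda6 /home ext3 rw 0 0
proc /proc proc rw 0 0'

audit_mounts "$SAMPLE_MOUNTS"
# On a live system: audit_mounts "$(cat /proc/mounts)"
```

For the sample table this reports /usr as rw, /var as lacking noexec, and /home as lacking all three options, while /tmp passes.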