kernel.org status: hints on how to check your machine for intrusion
| From: | Greg KH <greg-AT-kroah.com> | |
| To: | Linux Kernel Mailing List <linux-kernel-AT-vger.kernel.org> | |
| Subject: | kernel.org status: hints on how to check your machine for intrusion | |
| Date: | Fri, 30 Sep 2011 16:59:24 -0700 | |
| Message-ID: | <20110930235924.GA25176@kroah.com> | |
| Archive‑link: | Article |
The compromise of kernel.org and related machines has made it clear that some developers, at least, have had their systems penetrated. As we seek to secure our infrastructure, it is imperative that nobody falls victim to the belief that it cannot happen to them. We all need to check our systems for intrusions. Here are some helpful hints as proposed by a number of developers on how to check to see if your Linux machine might be infected with something: 0. One way to be sure that your system is not compromised is to simply do a clean install; we can all benefit from a new start sometimes. Before reinstalling any systems, though, consider following the steps below to learn if your system has been hit or not. 1. Install the chkrootkit package from your distro repository and see if it reports anything. If your distro doesn't have the chkroot package, download it from: http://www.chkrootkit.org/ Another tool is the ossec-rootcheck tool which can be found at: http://www.ossec.net/main/rootcheck And another one is the rkhunter program: http://www.rootkit.nl/projects/rootkit_hunter.html [Note, this tool has the tendancy to give false-positives on some Debian boxes, please read /usr/share/doc/rkhunter/README.Debian.gz if you run this on a Debian machine] 2. Verify that your package signatures match what your package manager thinks they are. To do this on a rpm-based system, run the following command: rpm --verify --all Please read the rpm man page for information on how to interpret the output of this command. To do this on a Debian based system, run the following bash snippet: dpkg -l \*|while read s n rest; do if [ "$s" == "ii" ]; then echo $n; fi; done > ~/tmp.txt for f in `cat ~/tmp.txt`; do debsums -s -a $f; done If you have a source-based system (Gentoo, LFS, etc.) you presumably know what you are doing already. 3. Verify that your packages are really signed with the distro's keys. Here's a bash snippet that can do this on a rpm based system to verify that the packages are signed with any key, not necessarily your distro's key. That exercise is left for the reader: for package in `rpm -qa`; do sig=`rpm -q --qf '%{SIGPGP:pgpsig}\n' $package` if [ -z "$sig" ] ; then # check if there is a GPG key, not a PGP one sig=`rpm -q --qf '%{SIGGPG:pgpsig}\n' $package` if [ -z "$sig" ] ; then echo "$package does not have a signature!!!" fi fi done Unfortunately there is no known way of verifying this on Debian-based systems. 4. To replace a package that you find suspect, uninstall it and install it anew from your distro. For example, if you want to reinstall the ssh daemon, you would do: $ /etc/init.d/sshd stop rpm -e openssh zypper install openssh # for openSUSE based systems yum install openssh # for Fedora based systems Ideally do this from a live cdrom boot, using the 'rpm --root' option to point rpm at the correct location. 5. From a liveCD environment, look for traces such as: a. Rogue startup scripts in /etc/rc*.d and equivalent directories. b. Strange directories in /usr/share that do not belong to a package. This can be checked on an rpm system with the following bash snippet: for file in `find /usr/share/`; do package=`rpm -qf -- ${file} | grep "is not owned"` if [ -n "$package" ] ; then echo "weird file ${file}, please check this out" fi done 6. Look for mysterious log messages, such as: a. Unexpected logins in wtmp and /var/log/secure*, quite possibly from legitimate users from unexpected hosts. b. Any program trying to touch /dev/mem. c. References to strange (non-text) ssh version strings in /var/log/secure*. These do not necessarily indicate *successful* breakins, but they indicate *attempted* breakins which means your system or IP address has been targeted. 7. If any of the above steps show possible signs of compromise, you should investigate further and identify the actual cause. If it becomes clear that the system has indeed been compromised, you should certainly reinstall the system from the beginning, and change your credentials on all machines that this machine would have had access to, or which you connected to through this machine. You will need to check your other systems carefully, and you should almost certainly notify the administrators of other systems to which you have access. Finally, please note that these hints are not guaranteed to turn up signs of a compromised systems. There are a lot of attackers out there; some of them are rather more sophisticated than others. You should always be on the alert for any sort of unexpected behavior from the systems you work with. thanks, greg k-h
Posted Oct 1, 2011 2:24 UTC (Sat)
by cesarb (subscriber, #6266)
[Link] (6 responses)
(For me, it also had false positives apparently due to btrfs root, and rkhunter had a false positive due to "/sbin/hdparm -B 254 /dev/sda" on /etc/rc.local)
Posted Oct 1, 2011 4:49 UTC (Sat)
by jcm (subscriber, #18262)
[Link] (5 responses)
Posted Oct 1, 2011 12:59 UTC (Sat)
by nix (subscriber, #2304)
[Link] (3 responses)
Posted Oct 3, 2011 1:29 UTC (Mon)
by drag (guest, #31333)
[Link] (2 responses)
That sort of reality is why the advice given in the email is misleading and can actually make the problem worse.
If anybody suspects compromises then the ONLY way to be sure is to reinstall from scratch.
THAT IS THE ONLY WAY.
The stupid hat tricks like rpm database verify and chrootkit scripts are just mickey mouse stuff. If you are dealing with a guy that is lazy or a inexperienced script kiddy then they MAY, if your lucky, actually find something suspicious.
A word to the wise:
IF at any point you have suspicions about a system compromise do NOT follow the advice in that email.
JUST REINSTALL.
choose all new passwords and JUST REINSTALL from scratch.
You are doing yourself a HUGE favour if you just do that. You will save yourself SOOOOO much time and effort that it's not even funny.
If you think that trying to track down a attacker and cleaning your system out is going to save you time you are utterly deluding yourself. You do not understand the scope of the problem you are facing.
If you want to play detective and try to track down the source of the compromise, then that is fine, but never trust that system image again. Just make a copy of the file system using DD or buy entirely new hard drives or something. Don't try to put it back into production.
--------------
on a side note:
The only reliable, and feasible (with budget and time constraints) way to recover a system that is compromised without reinstalling is for you to maintain a database of file system checksums on separate (preferably read-only) media that is generated from a separate offline system or live CD.
That is you must have doing this BEFORE HAND. You must of booted up on a live CD or stuck the drive into a machine that is not on any network and then generated a checksum of each and every file on the system BEFORE the time period you suspect your system was compromised.
Then to recover you boot your system up on a live cd (or whatever) and then compare the last known good sets of checksums against the current. When you find discrepancies you must go through and check every file that is not properly accounted for by the checksum compare.
If you do not have the time to do that, or you did not generate a known good set of checksums, then the safest and quickest way is to reinstall.
Posted Oct 3, 2011 8:36 UTC (Mon)
by misiu_mp (guest, #41936)
[Link] (1 responses)
Posted Oct 10, 2011 0:24 UTC (Mon)
by jamesh (guest, #1159)
[Link]
Posted Oct 4, 2011 11:40 UTC (Tue)
by rwmj (subscriber, #5474)
[Link]
Posted Oct 4, 2011 11:31 UTC (Tue)
by RomLWN (guest, #80615)
[Link] (5 responses)
- with chkrootkit I see :
I'm not sure I understand what to do with it ? I looked at the wtmp log but couldn't see a clear link between the two ?
- with rpm --verify --all :
What does it mean ?
- in the /var/log/secure log files I have this recurrent message :
Thanks !
Posted Oct 4, 2011 14:24 UTC (Tue)
by nix (subscriber, #2304)
[Link] (1 responses)
Posted Oct 5, 2011 9:04 UTC (Wed)
by RomLWN (guest, #80615)
[Link]
Posted Oct 4, 2011 22:24 UTC (Tue)
by nls (guest, #80623)
[Link] (2 responses)
I use Fedora 15. I have two other systems running Fedora 14 which do not indicate deletions from wtmp.
I think this problem may be a bug. A search of my logs did not indicate any funny business (intrusion). I did find a very strong correlation between the time of the deletions and shutting down the system.
I compared the times of the "deletion(s)" and the /var/log/message* files by greping the rsyslogd messages associated with shutdown.
$ su -c "grep rsyslogd /var/log/messages | grep exiting"
I would be very interested if you were to find the same correlation.
I think there may be corruption at the end of wtmp at shutdown.
It makes no sense to me for a bad-hacker to try to cover his tracks at shutdown.
Posted Oct 5, 2011 17:22 UTC (Wed)
by nls (guest, #80623)
[Link] (1 responses)
Checking `wted'... 5 deletion(s) between Wed Oct 5 12:43:57 2011 and Wed Oct 5 12:44:09 2011
[admin@opusrex ~]$ su -c "grep rsyslogd /var/log/messages | grep exiting"
I will report bug to Fedora.
Posted Oct 6, 2011 9:46 UTC (Thu)
by jwakely (subscriber, #60262)
[Link]
kernel.org status: hints on how to check your machine for intrusion
kernel.org status: hints on how to check your machine for intrusion
kernel.org status: hints on how to check your machine for intrusion
kernel.org status: hints on how to check your machine for intrusion
kernel.org status: hints on how to check your machine for intrusion
kernel.org status: hints on how to check your machine for intrusion
kernel.org status: hints on how to check your machine for intrusion
kernel.org status: hints on how to check your machine for intrusion
Checking `wted'... 5 deletion(s) between Tue Aug 23 00:55:11 2011 and Tue Aug 23 00:55:15 2011
5 deletion(s) between Tue Aug 23 12:27:36 2011 and Tue Aug 23 12:27:50 2011
5 deletion(s) between Tue Aug 23 19:36:44 2011 and Wed Aug 24 01:39:22 2011
etc...
I have a few messages like :
prelink: /usr/lib/libtelepathy-farsight.so.0.1.3: at least one of file's dependencies has changed since prelinking
polkitd(authority=local): Unregistered Authentication Agent for unix-session
:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.69, object path /org/freedesktop/PolicyKi
t1/AuthenticationAgent, locale en_US.utf8) (disconnected from bus)
I tried to find what does it mean but failed... ?
kernel.org status: hints on how to check your machine for intrusion
- with rpm --verify --all :
I have a few messages like :
prelink: /usr/lib/libtelepathy-farsight.so.0.1.3: at least one of file's dependencies has changed since prelinking
What does it mean ?
prelink modifies binaries, so rpm --verify has to ask prelink to give it back the SHA-1-sum before such modification. prelink emits these messages when it's run on an executable or shared library which had a dependent library change underneath it since it was last prelinked. It's a sign that prelinking is ineffective for this library, and is not a sign of any sort of security problem. It's probably just that you run prelink at regular intervals out of cron, and updated some packages since the last run.
kernel.org status: hints on how to check your machine for intrusion
kernel.org status: hints on how to check your machine for intrusion
kernel.org status: hints on how to check your machine for intrusion
Password:
Oct 5 12:44:06 opusrex rsyslogd: [origin software="rsyslogd" swVersion="5.8.5" x-pid="1023" x-info="http://www.rsyslog.com"] exiting on signal 15.
kernel.org status: hints on how to check your machine for intrusion