Any linux users here? I want some help with rkhunter results.
This topic contains 5 replies, has 3 voices, and was last updated by Guy Montag 2 years, 9 months ago.
Ran rkhunter as usual but got this result:

Warning: The file properties have changed:
         File: /usr/bin/ldd
         Current hash: 7e193a7e34656a73e85b88e0b8e0e81d66b67878
         Stored hash : e90c14c292bd796fbb1191fdf2ad41ffa820b2d4
         Current inode: 1585530
         Stored inode: 1581256
         Current file modification time: 1490300326 (23-Mar-2017 20:18:46)
         Stored file modification time : 1464258616 (26-May-2016 11:30:16)

However, I think the modification date is before the last time I ran rkhunter, so I should have seen this the last time I ran it, but it didn’t show up.
Is there any way to find out when you last ran rkhunter? It doesn’t match up with any update times either, it was between the last two I did. Also I tried reinstalling the package which /usr/bin/ldd is associated with (libc-bin) but the modification date of /usr/bin/ldd stayed the same despite re-installation.
What the f~~~’s going on here? Do I need to be concerned about a compromised system?
You can have a look in your shell history. Maybe this gives you some hints, but…
You need to go a few steps back to see the full picture. First, tools like rkhunter are fine, but not perfect. Sometimes things are missed, sometimes it shows things that are not there. That’s also true for all other security-related software like anti-virus etc. Don’t count on it, there are so many possibilities of failure and attack vectors to your system, no tool will ever be able to protect you from all threats. Security is not a product, it’s a process. This means not just the installation and use of a tool makes you safe, the whole process of handling a computer and its environment like network, physical access etc does.
In your case there is a sign of a possible intrusion and you have to investigate it. That’s what I am doing for a living and I can tell you it’s going to be hard. First you should shut down the system so in case it is infected it cannot do any more damage. Next make a disk dump of the internal hard drives and work only with these dumps. In case there is something, you have not changed the system and it can still be evidence in a court of law. If you work directly on this system you may destroy evidence.
Another important point is, one cannot trust an infected system. If a system is compromised the attacker can show you whatever he wants. He can replace your security software, put it in a sandbox and many things more. That’s why you always have to check things from a clean system.
Next step is to check the system’s integrity (always on the dumps, not the original system). You can check the operating system’s files one by one by comparing the hashes of your system to the hashes provided by the manufacturer of your Linux. Usually you find it somewhere on the download server. This can take a long time since a modern operating system contains easily tens of thousands of files. There are ways to speed this up, commercial and free tools.
After this you have to check proprietary files, like your data, scripts or programs you have written etc. This is not simple, since only you know what your programs do. Maybe you have a backup for comparison, but always remember the backup can be compromised, too. If the infection is older than your last backup you most likely also backed up the manipulated files.
You can also try to find out what’s going on by using a debugger. This needs a fundamental knowledge of computers and how they work. Strace should be available on all Linuxes, but there are others and again, there are commercial and free tools. What’s best depends on what you want to do and sometimes your personal preferences. I could go on much further, but I think it would be boring for all others. Have a look at the Forensics Wiki (http://forensicswiki.org/wiki/Main_Page). This is a good starting point for beginners in IT forensics and even after more than 20 years in this business I am still looking things up frequently. You can also ask me if you have questions, of course.
"I need men, real men, men with balls, certainly not sissies. I would never ask them to take an enemy position, but I insist that they follow me to that position. If you are one of those men, raise your hand." Napoleon Bonaparte
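As an added example (not from any poster in this thread), a small Python script that records the same three properties rkhunter's file-properties check compares (SHA-1 hash, inode, modification time) and shows what a replaced file looks like against a stored baseline; the file is constructed in a temp directory and the two timestamps are the ones from the warning above.

```python
import hashlib
import os
import tempfile

PROPS = ("sha1", "inode", "mtime")

def file_props(path):
    """Collect the properties rkhunter stores for a file: SHA-1 of content, inode, mtime."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha1": h.hexdigest(), "inode": st.st_ino, "mtime": int(st.st_mtime)}

def diff_props(stored, path):
    """Return [(property, stored, current)] for every property that no longer matches the baseline."""
    current = file_props(path)
    return [(k, stored[k], current[k]) for k in PROPS if stored[k] != current[k]]

def classify(changes):
    """Heuristic triage of a file-properties warning (constructed for this example, not rkhunter logic)."""
    changed = {k for k, _, _ in changes}
    if not changed:
        return "unchanged"
    if "sha1" in changed and "inode" in changed:
        # New inode: the file was written elsewhere and renamed over the old one,
        # which is how package managers install files. Still verify against the package.
        return "replaced"
    if "sha1" in changed:
        # Same inode, new content: the file was edited in place, which a package install does not do.
        return "edited-in-place"
    return "metadata-only"

def demo():
    """Constructed scenario: baseline a file, then replace it the way a package upgrade would."""
    d = tempfile.mkdtemp()
    target = os.path.join(d, "ldd")
    with open(target, "w") as f:
        f.write("#!/bin/bash\n# original script\n")
    os.utime(target, (1464258616, 1464258616))   # stored mtime from the warning in this thread
    baseline = file_props(target)
    tmp = target + ".new"                          # write the new version beside the old one ...
    with open(tmp, "w") as f:
        f.write("#!/bin/bash\n# updated script\n")
    os.utime(tmp, (1490300326, 1490300326))       # current mtime from the warning in this thread
    os.replace(tmp, target)                        # ... then rename over it: new inode, hash, mtime
    changes = diff_props(baseline, target)
    return classify(changes), changes

if __name__ == "__main__":
    print(demo())
```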
Just how paranoid do you want to be?
For the ultimate in paranoia, start out with Linux from Scratch and build your own system. Instead of having the root directory at ‘/’ move it off to something unusual like ‘/mgtow2017/alchemist/’ and build everything based on that being your root directory. Proceed to build the rest of the system out using the same configuration. This makes stack smashing and buffer overflows almost pointless since they can’t exec /bin/sh because it isn’t there anymore.
For a less paranoid approach, grab all of the essential OS tools (like ld, etc.) and rebuild them with ‘./configure --static’ so that they are statically built and do not require any external libraries. Then in your home directory make a ‘bin’ directory and load them all up in that directory. You don’t have to add ~/bin to your path unless you want. But they will always be there ready to be used if you start having doubts about the authenticity of your OS binaries. You can run the ones in /bin and compare them to the output of the ones in ~/bin. Then you’d know if something was fishy.
Alternatively, if you can program, you can add your own command line options to your OS binaries. That way when you want to check to see if it was still the original you can always run ‘/bin/bash --alchemist’ and if it prints out what you programmed it to, then you would be reasonably assured that it wasn’t modified or changed.
I guess it all just depends on how paranoid you want to be. “When in doubt, throw it out.”
“Over the course of the novel Fahrenheit 451, Guy Montag becomes increasingly disillusioned with the hedonistic, anti-intellectual society around him. Schools no longer teach the humanities, children are casually violent, and adults are constantly distracted by “seashells” (small audio devices resembling earbuds) and insipid television programs displayed on wall-sized screens.”

Thanks very much for the info, I’m leaning towards the easier option of formatting and doing a clean install.
Feel free to go on much further 🙂 I totally understand that security is a process and rkhunter is fallible. It regularly gives me the same few false positives but this was anomalous.
Just how paranoid do you want to be?
For the ultimate in paranoia, start out with Linux from Scratch and build your own system. Instead of having the root directory at ‘/’ move it off to something unusual like ‘/mgtow2017/alchemist/’ and build everything based on that being your root directory.
I’m really interested in that! How do you go about doing that? Wouldn’t that cause problems for other programs trying to execute or find files from the original root directory?
I’m a little bit of a newbie with linux, or rather, I’ve been using it for years but only know enough to make it work and learning more is/was a REALLY low priority.

No, because you will be rebuilding EVERYTHING to use the new directory. Bill Cheswick of AT&T Labs used to do that for every internet-facing UNIX system that AT&T owned. He had created a build script that would rebuild everything based on the new specified location so that every time he deployed an Internet-facing UNIX system it would have a different root directory. You can do the same but it would take some time. Check out some of Bill Cheswick’s books on Internet Security for other ideas.