Thursday, 22 April 2010

basics 8 - tutorial: protect against Linux rootkits

Rootkits are malware installed inside the OS. They are difficult to detect and to remove, but some tools can help. This tutorial deals with anti-rootkit programs. The topics addressed are (source: Wikipedia [21]):
  • integrity control,
  • signature detection,
  • hidden objects search.
These methods can be supplemented with system call analysis, log analysis, and detection of abnormal network traffic.
Integrity control

Integrity control consists in building a database of signatures (hashes) of known-clean files. The checker then compares the current system with this database, so any modification is detected. AIDE and Tripwire are both useful.

We assume that client_linux is healthy when the database is created.
client_linux$ sudo apt-get install tripwire
During installation, you are asked for a site key and a local key; choose a passphrase for each of these two keys.
Edit file /etc/tripwire/twcfg.txt
client_linux$ sudo gedit /etc/tripwire/twcfg.txt

ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR =/usr/bin/vi
SMTPHOST =localhost
Edit file /etc/tripwire/twpol.txt
client_linux$ sudo gedit /etc/tripwire/twpol.txt
# Standard Debian Tripwire configuration
# This configuration covers the contents of all 'Essential: yes'
# packages along with any packages necessary for access to an internet
# or system availability, e.g. name services, mail services, PCMCIA
# support, RAID support, and backup/restore support.
These two files configure Tripwire. Once the policy has been adapted to your system, create the signed policy file:
client_linux$ cd /etc/tripwire
client_linux /etc/tripwire$ sudo twadmin --create-polfile --cfgfile ./tw.cfg --site-keyfile ./site.key ./twpol.txt
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
Copy the .txt files from /etc/tripwire to removable media, then delete them securely (with wipe) so that the policy and configuration cannot be read in clear text on the monitored system:
client_linux$ sudo apt-get install wipe
client_linux$ cp /etc/tripwire/*.txt /mnt/mon_support_amovible/tripwire
client_linux$ sudo wipe -fqr /etc/tripwire/*.txt
tw.cfg and tw.pol are the encrypted and signed versions of these files. Make them readable by root only:
client_linux$ sudo chmod 0600 tw.cfg tw.pol

Initialise the database

client_linux$ sudo tripwire --init --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --site-keyfile /etc/tripwire/site.key --local-keyfile /etc/tripwire/HOSTNAME-local.key

Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /proc/13501/task/13501/fdinfo/4
### Aucun fichier ou dossier de ce type
### Continuing...
The object: "/proc/fs/vmblock/mountPoint" is on a different file system...ignoring.
The object: "/proc/sys/fs/binfmt_misc" is on a different file system...ignoring.
Wrote database file: /var/lib/tripwire/PK67.twd
The database was successfully generated.

Check file integrity

client_linux$ sudo tripwire --check

Install AIDE

Become root:
client_linux$ sudo passwd
client_linux$ su -
Install AIDE:
client_linux# apt-get install aide

Initialise the database

Initialise the database (this can take a while):
client_linux# touch /var/lib/aide/aide.db
client_linux# aideinit

Overwrite existing /var/lib/aide/ [Yn]? Y
Running aide --init...
lstat() failed for /home/utilisateur/.gvfs:Permission denied

AIDE, version 0.13.1

### AIDE database at /var/lib/aide/ initialized.

Overwrite /var/lib/aide/aide.db [yN]? Y
Save the database and aide.conf to removable media:
client_linux# cp /var/lib/aide/aide.db /mnt/mon_support_amovible/aide
client_linux# cp /etc/aide/aide.conf /mnt/mon_support_amovible/aide

Check file integrity

Use the database and configuration previously saved on the removable media rather than the copies left on disk:
client_linux# cp /mnt/mon_support_amovible/aide/aide.db /var/lib/aide/aide.db
client_linux# cp /mnt/mon_support_amovible/aide/aide.conf /etc/aide/aide.conf
client_linux# aide --check

Update the database

After legitimate changes, update the database and save it to the removable media again. aide --update writes the new database to the file named by database_out in aide.conf (on Debian, /var/lib/aide/aide.db.new); install it as the reference database, then copy it back to the removable media:
client_linux# aide --update
client_linux# cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
client_linux# cp /var/lib/aide/aide.db /mnt/mon_support_amovible/aide/aide.db
client_linux# cp /etc/aide/aide.conf /mnt/mon_support_amovible/aide/aide.conf

Simulate the compromise of a system file

Simulate the behaviour of a rootkit by modifying /bin/login.

Back up /bin/login:
client_linux$ sudo mkdir /bin/backup
[sudo] password for utilisateur:
client_linux$ sudo cp /bin/login /bin/backup/login
Give /bin/backup/login the same modification date as /bin/login:
client_linux$ sudo touch -r /bin/login /bin/backup/login
client_linux$ ls -F --full-time /bin/backup/login
-rwxr-xr-x 1 root root 43352 2009-07-31 15:55:36.000000000 +0200 /bin/backup/login*
Create a new file ./login:
client_linux$ echo "deleted" > ./login
Replace /bin/login with ./login and reset its modification date to the original one, as a rootkit would do to hide the change:
client_linux$ sudo cp ./login /bin/login
client_linux$ ls -F --full-time /bin/login
-rwxr-xr-x 1 root root 8 2010-03-18 17:06:06.291331679 +0100 /bin/login*
client_linux$ sudo touch -r /bin/backup/login /bin/login
client_linux$ ls -F --full-time /bin/login
-rwxr-xr-x 1 root root 8 2009-07-31 15:55:36.000000000 +0200 /bin/login*
Now check whether Tripwire detected the change:
client_linux$ sudo tripwire --check > ./result.log
client_linux$ gedit ./result.log
Rule Name: Root file-system executables (/bin)
Severity Level: 100


Tripwire detected the modification even though the timestamp had been restored: the content hash and the size no longer match the database.
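The integrity control described at the start of this tutorial, and the simulation just run, can be reproduced in a few lines. The script below is an added example written for this page, not Tripwire or AIDE code: it records a SHA-256 hash together with mode, owner, size and mtime for every object under a root, then reports additions, removals and changed attributes. Its demo replays the /bin/login scenario on a scratch directory (the file content is constructed) and shows why restoring the timestamp with touch -r is not enough: the hash and the size still betray the replacement.

```python
#!/usr/bin/env python3
"""Minimal file-integrity checker in the spirit of Tripwire and AIDE.
Added example for this tutorial; it is not code from either project.
A baseline of per-file hashes and metadata is recorded while the system is
trusted, and a later pass reports every object whose content or metadata
differs from the baseline."""
import hashlib
import os
import shutil
import stat
import tempfile


def file_record(path):
    """Collect what the baseline stores for one object: ownership, mode,
    size, mtime and, for regular files, a SHA-256 of the content."""
    st = os.lstat(path)
    rec = {"mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid,
           "size": st.st_size, "mtime": int(st.st_mtime)}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def build_baseline(root):
    """Walk root and record every directory, file and symlink below it
    (the equivalent of tripwire --init on a clean system)."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def check(root, baseline):
    """Compare the tree as it is now with the baseline (tripwire --check)."""
    current = build_baseline(root)
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "changed": {}}
    for rel in set(current) & set(baseline):
        keys = set(current[rel]) | set(baseline[rel])
        diff = sorted(k for k in keys if current[rel].get(k) != baseline[rel].get(k))
        if diff:
            report["changed"][rel] = diff
    return report


def simulate_login_tampering(root):
    """Replay the tutorial's scenario on a scratch tree: back up bin/login,
    overwrite it with the word 'deleted' and copy the original mtime back
    with utime(), which is exactly what 'touch -r' does on the real system."""
    bindir = os.path.join(root, "bin")
    os.makedirs(bindir)
    login = os.path.join(bindir, "login")
    with open(login, "wb") as f:
        f.write(b"\x7fELF constructed stand-in for the real /bin/login\n")  # constructed
    os.chmod(login, 0o755)
    baseline = build_baseline(root)                     # database of the clean system

    backup = os.path.join(bindir, "backup")
    os.mkdir(backup)                                    # sudo mkdir /bin/backup
    shutil.copy2(login, os.path.join(backup, "login"))  # cp + touch -r in one call
    with open(login, "wb") as f:                        # cp ./login /bin/login
        f.write(b"deleted\n")
    st = os.stat(os.path.join(backup, "login"))
    os.utime(login, ns=(st.st_atime_ns, st.st_mtime_ns))  # touch -r backup/login login
    return check(root, baseline)                        # tripwire --check


def run_demo():
    """Run the simulation in a temporary directory and return the report."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    try:
        return simulate_login_tampering(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    report = run_demo()
    for rel, keys in sorted(report["changed"].items()):
        print(f"changed  {rel}: {', '.join(keys)}")
    for rel in report["added"]:
        print(f"added    {rel}")
```

Run it directly to see the report for the scratch tree: bin/login is flagged on sha256 and size while its mtime matches the baseline, and bin/backup with its copy of the original appear as added objects. build_baseline() and check() work on any directory, so pointing them at /bin on a trusted system gives a small Tripwire-like baseline. The parent directory's own mtime also changes when backup/ is created inside it, which a real Tripwire run reports as well.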

Signature detection

Signature detection is the technique commonly used by antivirus software. Two tools apply it to rootkits: chkrootkit and rkhunter.

client_linux$ sudo apt-get install chkrootkit
client_linux$ sudo chkrootkit

client_linux$ sudo apt-get install rkhunter
client_linux$ sudo rkhunter --update
client_linux$ sudo rkhunter -c --pkgmgr DPKG

Search for hidden objects

A tool to search for hidden processes on Linux: unhide.

client_linux$ sudo apt-get install unhide
client_linux$ unhide proc
Unhide 20080519

[*]Searching for Hidden processes through /proc scanning

client_linux$ unhide sys
Unhide 20080519

[*]Searching for Hidden processes through getpriority() scanning
[*]Searching for Hidden processes through getpgid() scanning
[*]Searching for Hidden processes through getsid() scanning
[*]Searching for Hidden processes through sched_getaffinity() scanning
[*]Searching for Hidden processes through sched_getparam() scanning
[*]Searching for Hidden processes through sched_getscheduler() scanning
[*]Searching for Hidden processes through sched_rr_get_interval() scanning
[*]Searching for Hidden processes through sysinfo() scanning

client_linux$ unhide brute
Unhide 20080519

[*]Starting scanning using brute force against PIDS

To list the processes that are not hidden, for comparison:
client_linux$ ps -e -o"%p %P %U %c"
1 0 root init
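The checks unhide runs above (the /proc listing, direct kernel probes, and brute force over the PID range) can be reproduced in a few lines. The script below is an added example for this tutorial, not unhide's code. It uses kill(pid, 0) and getpriority() as the kernel-side probes, reads the PID limit from /proc/sys/kernel/pid_max, and treats thread IDs listed under /proc/<pid>/task as visible, because a thread answers kill() while never appearing as a top-level /proc entry; without that step every multi-threaded program would be reported as hidden.

```python
#!/usr/bin/env python3
"""Cross-check the process list that /proc exposes against what the kernel
answers when PIDs are probed directly, in the spirit of unhide's proc, sys and
brute modes. Added example for this tutorial, not code from unhide.
A rootkit that hides a process usually filters the /proc directory listing;
it rarely filters every system call that takes a PID, so the two views diverge."""
import os

PROC = "/proc"


def proc_visible_ids(proc=PROC):
    """IDs that /proc lists: every top-level numeric entry plus every thread
    under /proc/<pid>/task. Threads must be included because kill(tid, 0)
    succeeds for a thread ID while no /proc/<tid> directory exists."""
    ids = set()
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            for tid in os.listdir(os.path.join(proc, name, "task")):
                if tid.isdigit():
                    ids.add(int(tid))
        except OSError:
            pass  # the process exited between the two listdir() calls
    return ids


def kernel_says_exists(pid):
    """Ask the kernel about a PID without reading /proc. kill(pid, 0) delivers
    no signal: EPERM means the process exists but is not ours, ESRCH means
    there is no such process. getpriority() is a second, independent probe."""
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:
        return True
    except ProcessLookupError:
        pass
    try:
        os.getpriority(os.PRIO_PROCESS, pid)
        return True
    except ProcessLookupError:
        return False


def pid_max(proc=PROC):
    """Upper bound of the PID space; the brute-force pass scans up to it."""
    try:
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as f:
            return int(f.read())
    except (OSError, ValueError):
        return 32768  # historical default, used when the sysctl is unreadable


def brute_probe_ids(max_pid):
    """Probe every PID from 1 to max_pid-1 through the kernel, not /proc."""
    return {pid for pid in range(1, max_pid) if kernel_says_exists(pid)}


def hidden_ids(visible, probed):
    """Pure comparison: IDs the kernel admits exist but /proc does not list."""
    return sorted(probed - visible)


def confirm(candidates, proc=PROC):
    """Drop candidates caused by the race between the two scans: a process
    that started after /proc was listed (now visible) or exited after it was
    probed (kernel no longer knows it). What remains is genuinely hidden."""
    visible_now = proc_visible_ids(proc)
    return [pid for pid in candidates
            if pid not in visible_now and kernel_says_exists(pid)]


if __name__ == "__main__":
    visible = proc_visible_ids()
    probed = brute_probe_ids(pid_max())
    suspects = confirm(hidden_ids(visible, probed))
    print(f"{len(visible)} ids listed in /proc, {len(probed)} ids known to the kernel")
    print("hidden processes:", suspects if suspects else "none found")
```

On a healthy system the script prints "none found". The brute-force pass issues one or two system calls per PID up to pid_max (4194304 on most current kernels), so expect it to take several seconds; like unhide itself, it only sees processes the kernel still answers for, so a rootkit that also hooks kill() and getpriority() would evade both probes, which is why integrity control of the kernel and its modules remains necessary.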