Announcement

Collapse
No announcement yet.

Linux viruses -- everything you need to know!

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    #46
    Re: Linux viruses -- everything you need to know!

    Thanks to all the "Wise Old/Young Men/Women" who have added value to this thread, I have found it very helpful and instructive.

    My box sits behind a router with another desktop and a laptop connected via DCHP (all Linux Kubuntu systems except one box (partner's) which is dual-boot with a Win 7 partition so her young son can play some favourite games when visiting).

    I have two simple questions:-

    1. First Question.
    I installed rkhunter and ran "sudo rkhunter -c" and got a long printout showing that my box was safe, except for 2 warnings. The long log file (/var/log/rkhunter - accessed via sudo kate) showed all OK apart from the following final bit:-

    .........

    Performing system configuration file checks
    [11:18:15] Info: Starting test name 'system_configs'
    [11:18:15] Checking for SSH configuration file [ Found ]
    [11:18:15] Info: Found SSH configuration file: /etc/ssh/sshd_config
    [11:18:15] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
    [11:18:15] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
    [11:18:15] Checking if SSH root access is allowed [ Warning ]
    [11:18:15] Warning: The SSH and rkhunter configuration options should be the same:
    [11:18:15] SSH configuration option 'PermitRootLogin': yes
    [11:18:15] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
    [11:18:15] Checking if SSH protocol v1 is allowed [ Not allowed ]
    [11:18:15] Checking for running syslog daemon [ Found ]
    [11:18:15] Checking for syslog configuration file [ Found ]
    [11:18:15] Info: Found syslog configuration file: /etc/rsyslog.conf
    [11:18:15] Checking if syslog remote logging is allowed [ Not allowed ]
    [11:18:15]
    [11:18:15] Performing filesystem checks
    [11:18:15] Info: Starting test name 'filesystem'
    [11:18:15] Info: SCAN_MODE_DEV set to 'THOROUGH'
    [11:18:15] Checking /dev for suspicious file types [ None found ]
    [11:18:16] Checking for hidden files and directories [ Warning ]
    [11:18:16] Warning: Hidden directory found: /etc/.java
    [11:18:16] Warning: Hidden directory found: /dev/.udev
    [11:18:16] Warning: Hidden directory found: /dev/.initramfs
    [11:18:37]
    [11:18:37] Info: Test 'apps' disabled at users request.
    [11:18:37]
    [11:18:37] System checks summary
    [11:18:37] =====================
    [11:18:37]
    [11:18:37] File properties checks...
    [11:18:37] Files checked: 133
    [11:18:37] Suspect files: 0
    [11:18:37]
    [11:18:37] Rootkit checks...
    [11:18:37] Rootkits checked : 245
    [11:18:37] Possible rootkits: 0
    [11:18:37]
    [11:18:37] Applications checks...
    [11:18:37] All checks skipped
    [11:18:38]
    [11:18:38] The system checks took: 1 minute and 28 seconds
    [11:18:38]
    [11:18:38] Info: End date is Mon Oct 4 11:18:38 BST 2010


    Can somebody please tell me what the warnings mean. What should I do?

    2. Second Question.


    I know we all should use preventative care and passwords and so on (and I think I do). But is there a way to check whether someone has used a system without permission? Suppose (for example) they watched and spotted and memorised your password while you were typing it and subsequently gained access secretly. If they did no damage, how could you know? Is there a way that one could record all logins to a hidden file so that you could check if there had been any unauthorised use? Hope this is not TOO paranoid!!

    Thanks for any pointers.

    Comment


      #47
      Re: Linux viruses -- everything you need to know!

      the
      [11:18:16] Checking for hidden files and directories [ Warning ]
      [11:18:16] Warning: Hidden directory found: /etc/.java
      [11:18:16] Warning: Hidden directory found: /dev/.udev
      [11:18:16] Warning: Hidden directory found: /dev/.initramfs
      is OK just reporting hiden files in a system DIR (watch for changes)

      the
      [11:18:15] Checking if SSH root access is allowed [ Warning ]
      [11:18:15] Warning: The SSH and rkhunter configuration options should be the same:
      [11:18:15] SSH configuration option 'PermitRootLogin': yes
      [11:18:15] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
      I'm not sure about.....it dosent do that for me but I dont use SSH ...DO YOU ?
      I dont think root login is necessary for it to work and you should probably change that .......but I dont use it so am not sure.

      but you should look into it ASAP.

      the SSH system wide config is in /etc/ssh/sshd_config and the users in ~/.ssh

      VINNY

      i7 4core HT 8MB L3 2.9GHz
      16GB RAM
      Nvidia GTX 860M 4GB RAM 1152 cuda cores

      Comment


        #48
        Re: Linux viruses -- everything you need to know!

        I would say you should change PermitRootLogin to "no", change the Port to something above 20000 and add this line to the aforementioned config:

        AllowUsers username

        This limits connections to just yourself, or use

        AllowUsers username@domain.com

        to only allow your username from a specific domain.

        These three edits will effectively allow you to use ssh without any huge security holes.

        Please Read Me

        Comment


          #49
          Re: Linux viruses -- everything you need to know!

          Since root account logins are disabled in the ubuntu OS family, there is no pint to allowing ssh root logins. Therefore, you should disable it, as rkhunter suggests. I left the port where it is to maintain compatibility with other programs, but yes, it's more secure to change it as oshunluvr suggests.

          After you have done this run

          sudo rkhunter --propupd

          This adapts rkhunter to your system as it currently exists, and wipes clean any existing error messages, such as the ones you just got. After doing this, rkhunter will look for future changes only.

          Do NOT do this routinely, until you have checked out whatever problems rkhunter is reporting, as it wipes the slate clean, so to speak, and considers whatever is on your system now as "normal". So make sure there are no problems before doing this, as rkhunter will ignore them from then on.

          We only have to look at ourselves to see how intelligent life might develop into something we wouldn't want to meet. -- Stephen Hawking

          Comment


            #50
            Re: Linux viruses -- everything you need to know!

            Thank you all for your help. I made the changes oshunluvr suggested. That fixed the warning about SSH files. The other warning remained, but according to vinnywright that's OK - it was just checking files. So, can I ignore that warning? Or should I change some file permissions?

            Any suggestions about my Question 2 above?

            Comment


              #51
              Re: Linux viruses -- everything you need to know!

              The last command shows a history of recently logged in users.

              The lastlog command shows when each user last logged in (which might not help if they are using your password, as your most recent login would overwrite it).

              The w command shows who is currently logged in, and what programs they are running.

              cat /var/log/auth.log shows a history of various authorization processes, which may be useful in sniffing out users attempting to run unauthorized programs.


              Lots of interesting information in several /var/log files.

              We only have to look at ourselves to see how intelligent life might develop into something we wouldn't want to meet. -- Stephen Hawking

              Comment


                #52
                Re: Linux viruses -- everything you need to know!

                Thanks DrDPhD. The entries in that /var/log/auth.log give the necessary information!

                Comment


                  #53
                  Re: Linux viruses -- everything you need to know!

                  Originally posted by doctordruidphd
                  .....
                  Do NOT do this routinely, until you have checked out whatever problems rkhunter is reporting, as it wipes the slate clean, so to speak, and considers whatever is on your system now as "normal". So make sure there are no problems before doing this, as rkhunter will ignore them from then on.
                  ...
                  But, I WOULD do it RIGHT after a "sudo apt-get upgrade" or "dist-upgrade" so that it will clean the slate with regard to the new updates. Even then, a warning will be given for:
                  Checking for hidden files and directories [ Warning ]
                  Warning: Hidden directory found: /etc/.java
                  Warning: Hidden directory found: /dev/.udev
                  Warning: Hidden directory found: /dev/.initramfs
                  Warning: Hidden file found: /etc/.directory: ASCII text
                  Warning: Hidden file found: /usr/bin/.directory: ASCII text
                  ...
                  even though nothing is wrong with them.
                  "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
                  – John F. Kennedy, February 26, 1962.

                  Comment


                    #54
                    Re: Linux viruses -- everything you need to know!

                    Originally posted by GreyGeek
                    Checking for hidden files and directories [ Warning ]
                    ...
                    even though nothing is wrong with them.
                    Correct. Linux does have hidden files and directories 'by design' and that's why rkhunter gives the warning.
                    Windows no longer obstructs my view.
                    Using Kubuntu Linux since March 23, 2007.
                    "It is a capital mistake to theorize before one has data." - Sherlock Holmes

                    Comment


                      #55
                      Re: Linux viruses -- everything you need to know!

                      Originally posted by GreyGeek


                      But, I WOULD do it RIGHT after a "sudo apt-get upgrade" or "dist-upgrade" so that it will clean the slate with regard to the new updates.
                      right!.......... ....after a system file/program that it keeps an eye on is updated it will have a new time stamp and md5 hash so will be reported for being changed from how rkhunter thought it should be.

                      thus possibly tampered with

                      VINNY
                      i7 4core HT 8MB L3 2.9GHz
                      16GB RAM
                      Nvidia GTX 860M 4GB RAM 1152 cuda cores

                      Comment


                        #56
                        Re: Linux viruses -- everything you need to know!

                        the above posts answered my questions about these:
                        Code:
                        [20:07:46] Warning: Hidden directory found: /etc/.java
                        [20:07:46] Warning: Hidden directory found: /dev/.udev
                        [20:07:46] Warning: Hidden directory found: /dev/.initramfs
                        Are these okay?
                        Code:
                        [20:07:46] Warning: Hidden file found: /dev/.tmp-block-252:5: block special
                        [20:07:46] Warning: Hidden file found: /dev/.tmp-block-252:3: block special
                        [20:07:46] Warning: Hidden file found: /dev/.tmp-block-252:2: block special
                        [20:07:52]
                        [20:07:52] Info: Test 'apps' disabled at users request.
                        [20:07:52]
                        [20:07:52] System checks summary
                        [20:07:52] =====================
                        [20:07:52]
                        [20:07:52] File properties checks...
                        [20:07:52] Files checked: 133
                        [20:07:52] Suspect files: 0
                        [20:07:52]
                        [20:07:52] Rootkit checks...
                        [20:07:52] Rootkits checked : 242
                        [20:07:52] Possible rootkits: 0
                        [20:07:52]
                        [20:07:52] Applications checks...
                        [20:07:52] All checks skipped
                        [20:07:52]
                        [20:07:52] The system checks took: 1 minute and 8 seconds
                        [20:07:52]
                        [20:07:52] Info: End date is Mon Oct 4 20:07:52 PDT 2010
                        OS: Win7 Prof. X64, XP Prof. x86. WD 160GB X3 RAID 0<br />&nbsp; &nbsp; &nbsp; Kubuntu 10.04 Lucid X64 LTS. <br />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 10.10 Maverick X64 KDE 4.6.2<br />MB: abit IP35 PRO. Q6600 OC: 3204MHz. <br />RAM: OCZ 1066MHz 8GB (4X2GB) <br />Graphics: Nvidia 9800GTX+ OC: 823/1265<br />Displays: LG 1280X1024. Asus 1680X1050

                        Comment


                          #57
                          Re: Linux viruses -- everything you need to know!

                          Originally posted by ccnjim
                          .....
                          Are these okay?
                          Code:
                          [20:07:46] Warning: Hidden file found: /dev/.tmp-block-252:5: block special
                          [20:07:46] Warning: Hidden file found: /dev/.tmp-block-252:3: block special
                          [20:07:46] Warning: Hidden file found: /dev/.tmp-block-252:2: block special
                          .....
                          This posting considers these files as "spurious" (I don't think they are) but gives good advice on configuring rkhunter to not show them:
                          http://devarthur.blogspot.com/2008/0...iguration.html

                          Normally, those files are temporary during the booting or mounting of block devices and are deleted
                          after the device is successfully booted or mounted. Do you have any lines in the kernel system log
                          that includes those listings and identifies the blkid associated with them?
                          Here is a bug report contining these lines: https://bugs.launchpad.net/ubuntu/+s...ev/+bug/377395
                          "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
                          – John F. Kennedy, February 26, 1962.

                          Comment


                            #58
                            Re: Linux viruses -- everything you need to know!

                            Please excuse me if this is a stupid question! But, is it possible to use rkhunter to check the Windows partition in a dual-boot system? I've read somewhere that even re-formatting contaminated Win drives leaves the MBR unchanged. I ask on behalf of someone who runs a Win7/Kubuntu dual-boot system and is anxious to make sure "all is clean". For myself I only use virtualisation to avoid any problems.

                            Comment


                              #59
                              Re: Linux viruses -- everything you need to know!

                              Originally posted by PhilT
                              Please excuse me if this is a stupid question! But, is it possible to use rkhunter to check the Windows partition in a dual-boot system? I've read somewhere that even re-formatting contaminated Win drives leaves the MBR unchanged. I ask on behalf of someone who runs a Win7/Kubuntu dual-boot system and is anxious to make sure "all is clean". For myself I only use virtualisation to avoid any problems.
                              rkhunter doesn't detect Windows viruses, it also doesn't actually scan the HD even in Linux it's not an antivirus it's an anti-rootkit, it looks for rootkits in known places. If you want to scan for viruses you should use an antivirus, and all of them should be able to scan the Windows partition if you mount it.

                              Comment


                                #60
                                Re: Linux viruses -- everything you need to know!

                                If you are looking for antivirus you can of course use clamav.

                                Also, if you are not hung up about "free" software, and are happy to try commercial software that has no cost, you can give bitdefender a go

                                http://www.bitdefender.co.uk/solutio...-homeuser.html

                                If you keep it running in the background (probably overkill) it's a bit of a resource hog, but otherwise looks a decent bet

                                http://tuxradar.com/content/bitdefen...tivirus-unices

                                Comment

                                Working...
                                X