Linux viruses -- everything you need to know!

    #46

    Thanks to all the "Wise Old/Young Men/Women" who have added value to this thread, I have found it very helpful and instructive.

    My box sits behind a router with another desktop and a laptop connected via DHCP (all Linux Kubuntu systems except one box (partner's) which is dual-boot with a Win 7 partition so her young son can play some favourite games when visiting).

    I have two simple questions:-

    1. First Question.
    I installed rkhunter and ran "sudo rkhunter -c" and got a long printout showing that my box was safe, except for 2 warnings. The long log file (/var/log/rkhunter - accessed via sudo kate) showed all OK apart from the following final bit:-

    .........

    Performing system configuration file checks
    [11:18:15] Info: Starting test name 'system_configs'
    [11:18:15] Checking for SSH configuration file [ Found ]
    [11:18:15] Info: Found SSH configuration file: /etc/ssh/sshd_config
    [11:18:15] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
    [11:18:15] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
    [11:18:15] Checking if SSH root access is allowed [ Warning ]
    [11:18:15] Warning: The SSH and rkhunter configuration options should be the same:
    [11:18:15] SSH configuration option 'PermitRootLogin': yes
    [11:18:15] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
    [11:18:15] Checking if SSH protocol v1 is allowed [ Not allowed ]
    [11:18:15] Checking for running syslog daemon [ Found ]
    [11:18:15] Checking for syslog configuration file [ Found ]
    [11:18:15] Info: Found syslog configuration file: /etc/rsyslog.conf
    [11:18:15] Checking if syslog remote logging is allowed [ Not allowed ]
    [11:18:15]
    [11:18:15] Performing filesystem checks
    [11:18:15] Info: Starting test name 'filesystem'
    [11:18:15] Info: SCAN_MODE_DEV set to 'THOROUGH'
    [11:18:15] Checking /dev for suspicious file types [ None found ]
    [11:18:16] Checking for hidden files and directories [ Warning ]
    [11:18:16] Warning: Hidden directory found: /etc/.java
    [11:18:16] Warning: Hidden directory found: /dev/.udev
    [11:18:16] Warning: Hidden directory found: /dev/.initramfs
    [11:18:37]
    [11:18:37] Info: Test 'apps' disabled at users request.
    [11:18:37]
    [11:18:37] System checks summary
    [11:18:37] =====================
    [11:18:37]
    [11:18:37] File properties checks...
    [11:18:37] Files checked: 133
    [11:18:37] Suspect files: 0
    [11:18:37]
    [11:18:37] Rootkit checks...
    [11:18:37] Rootkits checked : 245
    [11:18:37] Possible rootkits: 0
    [11:18:37]
    [11:18:37] Applications checks...
    [11:18:37] All checks skipped
    [11:18:38]
    [11:18:38] The system checks took: 1 minute and 28 seconds
    [11:18:38]
    [11:18:38] Info: End date is Mon Oct 4 11:18:38 BST 2010


    Can somebody please tell me what the warnings mean. What should I do?

    2. Second Question.


    I know we all should use preventative care and passwords and so on (and I think I do). But is there a way to check whether someone has used a system without permission? Suppose (for example) they watched and spotted and memorised your password while you were typing it and subsequently gained access secretly. If they did no damage, how could you know? Is there a way that one could record all logins to a hidden file so that you could check if there had been any unauthorised use? Hope this is not TOO paranoid!!

    Thanks for any pointers.



      #47

      The
      [11:18:16] Checking for hidden files and directories [ Warning ]
      [11:18:16] Warning: Hidden directory found: /etc/.java
      [11:18:16] Warning: Hidden directory found: /dev/.udev
      [11:18:16] Warning: Hidden directory found: /dev/.initramfs
      is OK, it's just reporting hidden files in a system dir (watch for changes).

      The
      [11:18:15] Checking if SSH root access is allowed [ Warning ]
      [11:18:15] Warning: The SSH and rkhunter configuration options should be the same:
      [11:18:15] SSH configuration option 'PermitRootLogin': yes
      [11:18:15] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
      I'm not sure about... it doesn't do that for me, but I don't use SSH... DO YOU?
      I don't think root login is necessary for it to work and you should probably change that... but I don't use it so am not sure.

      but you should look into it ASAP.

      The SSH system-wide config is in /etc/ssh/sshd_config and the users' in ~/.ssh.

      VINNY



        #48

        I would say you should change PermitRootLogin to "no", change the Port to something above 20000 and add this line to the aforementioned config:

        AllowUsers username

        This limits connections to just yourself, or use

        AllowUsers username@domain.com

        to only allow your username from a specific domain.

        These three edits will effectively allow you to use ssh without any huge security holes.

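The three sshd_config edits above (PermitRootLogin off, a high port, an explicit AllowUsers list), checked the same way rkhunter's 'system_configs' test compares the configured PermitRootLogin against the value it expects. This is an added example and not code from the thread or from rkhunter itself; the policy values, the two sample config files and the account name alice are assumptions chosen for illustration.

```python
"""Audit an sshd_config against the hardening edits discussed in this thread.

Added example, not part of the original posts and not rkhunter's code. It
mirrors rkhunter's PermitRootLogin comparison and extends it to the Port,
AllowUsers and Protocol settings. Policy values and sample configs are
assumptions.
"""
import re

# Policy from the thread (assumed values): no root logins, port above 20000,
# an explicit AllowUsers line, no protocol 1.
EXPECTED_PERMIT_ROOT = "no"
MIN_PORT = 20000

# Constructed sample: the weak config that produced the rkhunter warning.
WEAK_CONFIG = """\
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: the same file after the three suggested edits.
HARDENED_CONFIG = """\
Port 22222
Protocol 2
PermitRootLogin no
AllowUsers alice
"""

# keyword, then whitespace or '=', then the value (sshd accepts both forms)
DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)[\s=]+(.*)$")


def parse_sshd_config(text):
    """Return {keyword(lowercased): [values in file order]} for top-level
    directives. Lines after a 'Match' block header are skipped: they apply
    conditionally and must not be read as the global default."""
    directives = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        directives.setdefault(key, []).append(value)
    return directives


def effective(directives, key, default):
    """sshd uses the first occurrence of a keyword; later ones are ignored."""
    values = directives.get(key.lower())
    return values[0] if values else default


def audit_sshd_config(text):
    """Return a list of warnings; an empty list means the policy is met.
    Assumption: an unset PermitRootLogin is treated as 'yes', the
    conservative reading for the OpenSSH releases of the thread's era."""
    d = parse_sshd_config(text)
    warnings = []

    root = effective(d, "PermitRootLogin", "yes").lower()
    if root != EXPECTED_PERMIT_ROOT:
        warnings.append("PermitRootLogin is '%s', expected '%s'"
                        % (root, EXPECTED_PERMIT_ROOT))

    port = int(effective(d, "Port", "22"))
    if port < MIN_PORT:
        warnings.append("Port %d is below %d" % (port, MIN_PORT))

    if "allowusers" not in d:
        warnings.append("AllowUsers is not set; any local account may log in")

    if "1" in effective(d, "Protocol", "2").split(","):
        warnings.append("Protocol 1 is enabled")
    return warnings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["OK"])
```

To run it against the live file, read /etc/ssh/sshd_config into `audit_sshd_config` as root. After editing the real file, `sshd -t` checks the syntax and `sshd -T` prints the effective settings before the service is restarted; a typo in sshd_config otherwise leaves you locked out of a remote box. Note that the `AllowUsers username@domain.com` form matches the host part against the client's address or resolved hostname, so a CIDR pattern such as `alice@192.168.1.*` is the more predictable choice on a home LAN.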


          #49

          Since root account logins are disabled in the Ubuntu OS family, there is no point to allowing ssh root logins. Therefore, you should disable it, as rkhunter suggests. I left the port where it is to maintain compatibility with other programs, but yes, it's more secure to change it as oshunluvr suggests.

          After you have done this run

          sudo rkhunter --propupd

          This adapts rkhunter to your system as it currently exists, and wipes clean any existing error messages, such as the ones you just got. After doing this, rkhunter will look for future changes only.

          Do NOT do this routinely, until you have checked out whatever problems rkhunter is reporting, as it wipes the slate clean, so to speak, and considers whatever is on your system now as "normal". So make sure there are no problems before doing this, as rkhunter will ignore them from then on.



            #50

            Thank you all for your help. I made the changes oshunluvr suggested. That fixed the warning about SSH files. The other warning remained, but according to vinnywright that's OK - it was just checking files. So, can I ignore that warning? Or should I change some file permissions?

            Any suggestions about my Question 2 above?



              #51

              The last command shows a history of recently logged in users.

              The lastlog command shows when each user last logged in (which might not help if they are using your password, as your most recent login would overwrite it).

              The w command shows who is currently logged in, and what programs they are running.

              cat /var/log/auth.log shows a history of various authorization processes, which may be useful in sniffing out users attempting to run unauthorized programs.


              Lots of interesting information in several /var/log files.

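The commands listed in the post above answer question 2 by hand; the script below is an added example (not from the thread) that does the same reading of /var/log/auth.log programmatically: every session opened, from where and at what hour, plus every sudo command, so the list can be compared with the owner's own memory of when they logged in. Logins from outside a trusted network or at unusual hours are flagged. The regexes follow the wording of the sshd, sudo and login messages Ubuntu writes to auth.log; the sample log, the host and user names, the trusted network and the normal-hours window are constructed assumptions.

```python
"""Answer "has anyone used my account?" from /var/log/auth.log.

Added example, not code from the thread. Parses the sshd, sudo and login
lines Ubuntu writes to auth.log; sample data and policy are assumptions.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample auth.log (hostname, users and addresses are invented).
SAMPLE_AUTH_LOG = """\
Oct  4 03:14:02 mybox sshd[2990]: Failed password for root from 203.0.113.7 port 40112 ssh2
Oct  4 03:14:05 mybox sshd[2990]: Failed password for root from 203.0.113.7 port 40112 ssh2
Oct  4 03:14:09 mybox sshd[2990]: Failed password for invalid user admin from 203.0.113.7 port 40118 ssh2
Oct  4 03:20:31 mybox sshd[3002]: Accepted password for alice from 203.0.113.7 port 40201 ssh2
Oct  4 03:21:02 mybox sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Oct  4 08:00:01 mybox CRON[3100]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct  4 09:15:22 mybox login[1200]: pam_unix(login:session): session opened for user alice by LOGIN(uid=0)
Oct  4 11:02:17 mybox sshd[2311]: Accepted password for alice from 192.168.1.20 port 51234 ssh2
Oct  4 11:02:17 mybox sshd[2311]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Oct  4 11:05:40 mybox sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

# "Mon DD HH:MM:SS host <rest>"; only the hour is kept for the time check
TIMESTAMP = re.compile(r"^(\w{3}\s+\d+) (\d\d):\d\d:\d\d \S+ (.*)$")
ACCEPTED = re.compile(r"^sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
FAILED = re.compile(r"^sshd\[\d+\]: Failed \S+ for (?:invalid user )?(\S+) from (\S+) port \d+")
SUDO = re.compile(r"^sudo:\s+(\S+) : TTY=(\S+) ; PWD=\S+ ; USER=(\S+) ; COMMAND=(.*)$")
CONSOLE = re.compile(r"^(?:login|kdm|gdm|lightdm)\[\d+\]: pam_unix\(\w+:session\): "
                     r"session opened for user (\S+)")


def parse_auth_log(text):
    """Return one event dict per recognised line. Unrecognised lines (cron
    sessions, sshd's own pam_unix noise) are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = TIMESTAMP.match(line)
        if not m:
            continue
        base = {"day": m.group(1), "hour": int(m.group(2))}
        rest = m.group(3)
        a = ACCEPTED.match(rest)
        if a:
            events.append(dict(base, kind="login", via="ssh:" + a.group(1),
                               user=a.group(2), src=a.group(3)))
            continue
        f = FAILED.match(rest)
        if f:
            events.append(dict(base, kind="failed", user=f.group(1), src=f.group(2)))
            continue
        s = SUDO.match(rest)
        if s:
            events.append(dict(base, kind="sudo", user=s.group(1), tty=s.group(2),
                               as_user=s.group(3), command=s.group(4)))
            continue
        c = CONSOLE.match(rest)
        if c:
            events.append(dict(base, kind="login", via="console", user=c.group(1), src=None))
    return events


def from_trusted(src, trusted_nets):
    """Console logins carry no address and are treated as trusted."""
    if src is None:
        return True
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(n) for n in trusted_nets)


def report(events, trusted_nets, normal_hours=range(7, 24)):
    """Summarise logins, flag the ones worth asking "was that me?" about,
    and collect failed attempts per source and all sudo commands."""
    logins = [e for e in events if e["kind"] == "login"]
    suspicious = []
    for e in logins:
        reasons = []
        if not from_trusted(e["src"], trusted_nets):
            reasons.append("source %s outside trusted networks" % e["src"])
        if e["hour"] not in normal_hours:
            reasons.append("login at %02d:00 outside normal hours" % e["hour"])
        if reasons:
            suspicious.append(dict(e, reasons=reasons))
    return {
        "logins": logins,
        "suspicious_logins": suspicious,
        "failed_by_source": Counter(e["src"] for e in events if e["kind"] == "failed"),
        "sudo_commands": [e for e in events if e["kind"] == "sudo"],
    }


if __name__ == "__main__":
    r = report(parse_auth_log(SAMPLE_AUTH_LOG), ["192.168.1.0/24"])
    for e in r["logins"]:
        print("%s %02d:00 %-8s via %-13s from %s" % (e["day"], e["hour"], e["user"], e["via"], e["src"]))
    for e in r["suspicious_logins"]:
        print("SUSPICIOUS:", "; ".join(e["reasons"]))
    for src, n in r["failed_by_source"].items():
        print("%d failed attempts from %s" % (n, src))
    for e in r["sudo_commands"]:
        print("sudo by %s on %s: %s" % (e["user"], e["tty"], e["command"]))
```

Point it at the real file with `sudo` (auth.log is readable only by root and the adm group) and set `trusted_nets` to your LAN. One caveat on the "hidden file" idea in the question: `last` and `lastlog` read /var/log/wtmp and /var/log/lastlog, and auth.log is just a root-owned file, so anyone who obtains root can edit all of them. The record that survives a compromise is the one sent off the box, which is what the rsyslog remote-logging option rkhunter reports on in the log above is for.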


                #52

                Thanks DrDPhD. The entries in that /var/log/auth.log give the necessary information!



                  #53

                  Originally posted by doctordruidphd
                  .....
                  Do NOT do this routinely, until you have checked out whatever problems rkhunter is reporting, as it wipes the slate clean, so to speak, and considers whatever is on your system now as "normal". So make sure there are no problems before doing this, as rkhunter will ignore them from then on.
                  ...
                  But, I WOULD do it RIGHT after a "sudo apt-get upgrade" or "dist-upgrade" so that it will clean the slate with regard to the new updates. Even then, a warning will be given for:
                  Checking for hidden files and directories [ Warning ]
                  Warning: Hidden directory found: /etc/.java
                  Warning: Hidden directory found: /dev/.udev
                  Warning: Hidden directory found: /dev/.initramfs
                  Warning: Hidden file found: /etc/.directory: ASCII text
                  Warning: Hidden file found: /usr/bin/.directory: ASCII text
                  ...
                  even though nothing is wrong with them.


                    #54

                    Originally posted by GreyGeek
                    Checking for hidden files and directories [ Warning ]
                    ...
                    even though nothing is wrong with them.
                    Correct. Linux does have hidden files and directories 'by design' and that's why rkhunter gives the warning.


                      #55

                      Originally posted by GreyGeek


                      But, I WOULD do it RIGHT after a "sudo apt-get upgrade" or "dist-upgrade" so that it will clean the slate with regard to the new updates.
                      Right! ... after a system file/program that it keeps an eye on is updated, it will have a new timestamp and md5 hash, so it will be reported as being changed from how rkhunter thought it should be.

                      thus possibly tampered with

                      VINNY


                        #56

                        the above posts answered my questions about these:
                        Code:
                        [20:07:46] Warning: Hidden directory found: /etc/.java
                        [20:07:46] Warning: Hidden directory found: /dev/.udev
                        [20:07:46] Warning: Hidden directory found: /dev/.initramfs
                        Are these okay?
                        Code:
                        [20:07:46] Warning: Hidden file found: /dev/.tmp-block-252:5: block special
                        [20:07:46] Warning: Hidden file found: /dev/.tmp-block-252:3: block special
                        [20:07:46] Warning: Hidden file found: /dev/.tmp-block-252:2: block special
                        [20:07:52]
                        [20:07:52] Info: Test 'apps' disabled at users request.
                        [20:07:52]
                        [20:07:52] System checks summary
                        [20:07:52] =====================
                        [20:07:52]
                        [20:07:52] File properties checks...
                        [20:07:52] Files checked: 133
                        [20:07:52] Suspect files: 0
                        [20:07:52]
                        [20:07:52] Rootkit checks...
                        [20:07:52] Rootkits checked : 242
                        [20:07:52] Possible rootkits: 0
                        [20:07:52]
                        [20:07:52] Applications checks...
                        [20:07:52] All checks skipped
                        [20:07:52]
                        [20:07:52] The system checks took: 1 minute and 8 seconds
                        [20:07:52]
                        [20:07:52] Info: End date is Mon Oct 4 20:07:52 PDT 2010


                          #57

                          Originally posted by ccnjim
                          .....
                          Are these okay?
                          Code:
                          [20:07:46] Warning: Hidden file found: /dev/.tmp-block-252:5: block special
                          [20:07:46] Warning: Hidden file found: /dev/.tmp-block-252:3: block special
                          [20:07:46] Warning: Hidden file found: /dev/.tmp-block-252:2: block special
                          .....
                          This posting considers these files as "spurious" (I don't think they are) but gives good advice on configuring rkhunter to not show them:
                          http://devarthur.blogspot.com/2008/0...iguration.html

                          Normally, those files are temporary during the booting or mounting of block devices and are deleted
                          after the device is successfully booted or mounted. Do you have any lines in the kernel system log
                          that includes those listings and identifies the blkid associated with them?
                          Here is a bug report containing these lines: https://bugs.launchpad.net/ubuntu/+s...ev/+bug/377395


                            #58

                            Please excuse me if this is a stupid question! But, is it possible to use rkhunter to check the Windows partition in a dual-boot system? I've read somewhere that even re-formatting contaminated Win drives leaves the MBR unchanged. I ask on behalf of someone who runs a Win7/Kubuntu dual-boot system and is anxious to make sure "all is clean". For myself I only use virtualisation to avoid any problems.



                              #59

                              Originally posted by PhilT
                              Please excuse me if this is a stupid question! But, is it possible to use rkhunter to check the Windows partition in a dual-boot system? I've read somewhere that even re-formatting contaminated Win drives leaves the MBR unchanged. I ask on behalf of someone who runs a Win7/Kubuntu dual-boot system and is anxious to make sure "all is clean". For myself I only use virtualisation to avoid any problems.
                              rkhunter doesn't detect Windows viruses. It also doesn't actually scan the HD, even in Linux; it's not an antivirus, it's an anti-rootkit: it looks for rootkits in known places. If you want to scan for viruses you should use an antivirus, and all of them should be able to scan the Windows partition if you mount it.



                                #60

                                If you are looking for antivirus you can of course use clamav.

                                Also, if you are not hung up about "free" software, and are happy to try commercial software that has no cost, you can give bitdefender a go

                                http://www.bitdefender.co.uk/solutio...-homeuser.html

                                If you keep it running in the background (probably overkill) it's a bit of a resource hog, but otherwise looks a decent bet

                                http://tuxradar.com/content/bitdefen...tivirus-unices
