Re: Linux viruses -- everything you need to know!
Thanks to all the "Wise Old/Young Men/Women" who have added value to this thread, I have found it very helpful and instructive.
My box sits behind a router with another desktop and a laptop connected via DHCP (all Linux Kubuntu systems except one box (partner's) which is dual-boot with a Win 7 partition so her young son can play some favourite games when visiting).
I have two simple questions:-
1. First Question.
I installed rkhunter and ran "sudo rkhunter -c" and got a long printout showing that my box was safe, except for 2 warnings. The long log file (/var/log/rkhunter - accessed via sudo kate) showed all OK apart from the following final bit:-
.........
Performing system configuration file checks
[11:18:15] Info: Starting test name 'system_configs'
[11:18:15] Checking for SSH configuration file [ Found ]
[11:18:15] Info: Found SSH configuration file: /etc/ssh/sshd_config
[11:18:15] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[11:18:15] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[11:18:15] Checking if SSH root access is allowed [ Warning ]
[11:18:15] Warning: The SSH and rkhunter configuration options should be the same:
[11:18:15] SSH configuration option 'PermitRootLogin': yes
[11:18:15] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
[11:18:15] Checking if SSH protocol v1 is allowed [ Not allowed ]
[11:18:15] Checking for running syslog daemon [ Found ]
[11:18:15] Checking for syslog configuration file [ Found ]
[11:18:15] Info: Found syslog configuration file: /etc/rsyslog.conf
[11:18:15] Checking if syslog remote logging is allowed [ Not allowed ]
[11:18:15]
[11:18:15] Performing filesystem checks
[11:18:15] Info: Starting test name 'filesystem'
[11:18:15] Info: SCAN_MODE_DEV set to 'THOROUGH'
[11:18:15] Checking /dev for suspicious file types [ None found ]
[11:18:16] Checking for hidden files and directories [ Warning ]
[11:18:16] Warning: Hidden directory found: /etc/.java
[11:18:16] Warning: Hidden directory found: /dev/.udev
[11:18:16] Warning: Hidden directory found: /dev/.initramfs
[11:18:37]
[11:18:37] Info: Test 'apps' disabled at users request.
[11:18:37]
[11:18:37] System checks summary
[11:18:37] =====================
[11:18:37]
[11:18:37] File properties checks...
[11:18:37] Files checked: 133
[11:18:37] Suspect files: 0
[11:18:37]
[11:18:37] Rootkit checks...
[11:18:37] Rootkits checked : 245
[11:18:37] Possible rootkits: 0
[11:18:37]
[11:18:37] Applications checks...
[11:18:37] All checks skipped
[11:18:38]
[11:18:38] The system checks took: 1 minute and 28 seconds
[11:18:38]
[11:18:38] Info: End date is Mon Oct 4 11:18:38 BST 2010
Can somebody please tell me what the warnings mean? What should I do?
2. Second Question.
I know we all should use preventative care and passwords and so on (and I think I do). But is there a way to check whether someone has used a system without permission? Suppose (for example) they watched and spotted and memorised your password while you were typing it and subsequently gained access secretly. If they did no damage, how could you know? Is there a way that one could record all logins to a hidden file so that you could check if there had been any unauthorised use? Hope this is not TOO paranoid!!
Thanks for any pointers.
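As an added example (not part of the original post or of rkhunter itself), here is a small parser for the log format quoted above: it pulls each check that ended in "[ Warning ]" out of the rkhunter log together with the detail lines that follow it, so the two warnings can be reviewed on their own instead of hunting through the full printout. The sample log is a constructed excerpt copied from the lines shown in the post; reading a real log from /var/log/rkhunter.log is left to the caller.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the warning-bearing part of the rkhunter log quoted in the post.
SAMPLE_LOG = """\
[11:18:15] Info: Starting test name 'system_configs'
[11:18:15] Checking for SSH configuration file [ Found ]
[11:18:15] Checking if SSH root access is allowed [ Warning ]
[11:18:15] Warning: The SSH and rkhunter configuration options should be the same:
[11:18:15] SSH configuration option 'PermitRootLogin': yes
[11:18:15] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
[11:18:15] Checking if SSH protocol v1 is allowed [ Not allowed ]
[11:18:16] Checking for hidden files and directories [ Warning ]
[11:18:16] Warning: Hidden directory found: /etc/.java
[11:18:16] Warning: Hidden directory found: /dev/.udev
[11:18:16] Warning: Hidden directory found: /dev/.initramfs
[11:18:37]
[11:18:37] Info: Test 'apps' disabled at users request.
"""

# Every rkhunter log line starts with a [HH:MM:SS] timestamp; the rest is the message.
LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\]\s?(.*)$")
WARN_SUFFIX = "[ Warning ]"


@dataclass
class RkWarning:
    time: str
    check: str                      # the "Checking ..." line that produced the warning
    details: list = field(default_factory=list)   # explanatory lines that followed it


def parse_warnings(text):
    """Group each '[ Warning ]' check with the detail lines that follow it."""
    warnings, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        time, msg = m.group(1), m.group(2).strip()
        if msg.endswith(WARN_SUFFIX):
            current = RkWarning(time, msg[: -len(WARN_SUFFIX)].strip())
            warnings.append(current)
        elif current is None or not msg or msg.startswith(("Info:", "Checking ", "Performing ")):
            current = None          # a blank, Info or new check line ends the detail block
        else:
            current.details.append(msg[len("Warning:"):].strip() if msg.startswith("Warning:") else msg)
    return warnings


if __name__ == "__main__":
    for w in parse_warnings(SAMPLE_LOG):
        print(f"{w.time} {w.check}")
        for d in w.details:
            print(f"    {d}")
```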