Rootkit signatures?
Alan Johnson
alan at datdec.com
Thu Jun 25 11:23:07 EDT 2009
On Thu, Jun 25, 2009 at 8:56 AM, Kenny Lussier <klussier at gmail.com> wrote:
> I have a mandate to install "anti-virus and anti-malware software on
> all servers". Since all of our servers are Linux, this was further
> clarified to mean "rootkit detection software". I have looked at
> several rootkit detectors, and they all appear to be fairly old. My
> guess is, it isn't really worth it, since a rootkit is going to be
> personalized and customized to the system being attacked
Actually, since the majority of hacking is done by software these days
(mostly viruses), there tends to be fairly reliable signatures of their
presence. That said, what's to stop savvy hacking (software or humans) from
manipulating these detectors themselves? Best to run such things from a
hardened box with one way access to the servers in question, but that might
really hammer on your network depending on the setup. Maybe run the
scanners locally and scan the scanner binaries remotely?
By the same token, a similarly hardened syslog server is always a good
idea. Turn on user activity logging (any command by any user gets sent to a
syslog), then they can cover their tracks all they want on the local
machine, but some activity is going to be logged remotely before they can
turn it off. Think about getting notified for certain activity depending on
usage of the machine. If it has limited or no end user shell access, then
get paged if any account does anything. Maybe just emailed when commands
are executed with root privileges. If that is too pesky, maybe if several
root commands come in quickly: quicker than a human might type. You have to
figure out what works for you.
Also, you might consider a whole host of intrusion detection and diagnostic
tools that come with the BackTrack linux distro (
http://www.remote-exploit.org/backtrack_download.html). The latest version
is still in beta, but here are some hacker instructions for installing it on
a box rather than booting off a live CD (live CD is their default MO):
http://alan.datdec.com/temp/bt4install.pdf
That PDF might be out of date now. I have not tried it, and since it was
given to me BackTrack has gone from beta to pre-release. I'm not sure
what the plan is to support installation though.
Can you tell my company just had a production system security audit? =)
--
Alan Johnson
alan at datdec.com
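The remote-syslog alerting Alan sketches above (page on any command on a no-shell host, email on every root command, and a stronger alert when root commands arrive faster than a human could type) can be turned into a few concrete rules. The following is an added example, not code from the original post; it assumes a constructed one-line-per-command log format (`host cmdlog: user=... cmd=...`), a hypothetical `cmdlog` tag, and made-up host names and sample lines. A real deployment would feed it whatever format the shell auditing shim or auditd-to-syslog forwarder on the servers actually emits.

```python
"""Alerting rules over remotely collected per-command syslog lines.

Added example; not code from the gnhlug-discuss post. The log format,
the 'cmdlog' tag, the host names and every sample line are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Hosts where no end user should ever have shell access: any command pages.
NO_SHELL_HOSTS = {"db01"}

# "Quicker than a human might type": this many root commands inside the window.
BURST_COUNT = 5
BURST_WINDOW_SECONDS = 2.0

# Constructed line format (assumption, not any real daemon's output), e.g.:
#   Jun 25 11:23:07 web01 cmdlog: user=root cmd=cat /etc/shadow
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) cmdlog: "
    r"user=(?P<user>\S+) cmd=(?P<cmd>.*)$"
)

# Constructed sample log (mix of hosts, users, and one malformed line).
SAMPLE_LOG = [
    "Jun 25 11:23:07 web01 cmdlog: user=alan cmd=ls -la",
    "Jun 25 11:23:09 web01 cmdlog: user=root cmd=tail /var/log/messages",
    "Jun 25 11:24:01 db01 cmdlog: user=alan cmd=id",
    "Jun 25 11:30:00 web02 cmdlog: user=root cmd=cat /etc/passwd",
    "Jun 25 11:30:00 web02 cmdlog: user=root cmd=chmod +x /tmp/x",
    "Jun 25 11:30:01 web02 cmdlog: user=root cmd=/tmp/x",
    "Jun 25 11:30:01 web02 cmdlog: user=root cmd=rm /tmp/x",
    "Jun 25 11:30:01 web02 cmdlog: user=root cmd=history -c",
    "this line is not in the expected format",
]


def parse_line(line, year=2009):
    """Parse one syslog line into a dict, or return None if it does not match.

    Classic syslog timestamps carry no year, so the caller supplies one.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"], "cmd": m["cmd"]}


def evaluate(lines):
    """Apply the three rules; return (severity, host, message) tuples in log order."""
    alerts = []
    root_times = defaultdict(deque)  # host -> timestamps of recent root commands
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable lines are skipped, not alerted on
        host, user, ts, cmd = rec["host"], rec["user"], rec["ts"], rec["cmd"]

        # Rule 1: on a host with no end-user shell access, any command pages.
        if host in NO_SHELL_HOSTS:
            alerts.append(("page", host, f"command by {user} on no-shell host: {cmd}"))

        if user == "root":
            # Rule 2: every root command is at least emailed.
            alerts.append(("email", host, f"root command: {cmd}"))

            # Rule 3: sliding window of root commands per host; a burst that
            # no human could type by hand escalates to a page.
            window = root_times[host]
            window.append(ts)
            while (ts - window[0]).total_seconds() > BURST_WINDOW_SECONDS:
                window.popleft()
            if len(window) >= BURST_COUNT:
                alerts.append(("page", host,
                               f"{len(window)} root commands within "
                               f"{BURST_WINDOW_SECONDS}s (scripted activity?)"))
                window.clear()  # do not re-page on every further command in the burst
    return alerts


if __name__ == "__main__":
    for severity, host, message in evaluate(SAMPLE_LOG):
        print(f"[{severity:5}] {host}: {message}")
```

Because the lines are evaluated on the remote syslog host, a `history -c` or a wiped local log on the compromised server changes nothing: the burst on web02 above is already recorded and paged before the attacker's cleanup command is even parsed. The window is kept per host so a noisy but legitimate admin session on one box does not mask a scripted burst on another.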