Mailing List Archive: Gentoo: Security

tools for detecting linux kernel rootkits? tools to prevent its injection?



miguel.filipe at gmail

Feb 4, 2005, 11:21 AM

Post #1 of 6 (798 views)
Permalink
tools for detecting linux kernel rootkits? tools to prevent its injection?

Hi there,

what tools are there to detect linux kernel rootkits?
I only know rkhunter..

Are there tools to prevent its injection, besides removing modules
functionality from kernel and denying writes to /dev/kmem and
/dev/kcore?

TIA

--
Miguel Sousa Filipe

--
gentoo-security [at] gentoo mailing list


peek at datenreisende

Feb 4, 2005, 11:30 AM

Post #2 of 6 (760 views)
Permalink
Re: tools for detecting linux kernel rootkits? tools to prevent its injection? [In reply to]

Miguel Filipe wrote:
> Hi there,
>
> what tools are there to detect linux kernel rootkits?
> I only know rkhunter..
>
> Are there tools to prevent its injection, besides removing modules
> functionality from kernel and denying writes to /dev/kmem and
> /dev/kcore?
>
> TIA
>

Hi,

another one is chkrootkit. I use rkhunter and chkrootkit, think/hope
that's enough ;)

bye, peek

--
gentoo-security [at] gentoo mailing list


miguel.filipe at gmail

Feb 4, 2005, 12:59 PM

Post #3 of 6 (762 views)
Permalink
tools for detecting linux kernel rootkits? tools to prevent its injection? [In reply to]

I've now tried both rkhunter and chkrootkit on a known to be infected system.
It seems that a linux kernel rootkit isn't detected by any of those tools.

Are there any IDSs or tools that perform routine checks on system call
table addresses, and other function pointer addresses for changes..?

Looking for _known_ rootkits isn't good enough sometimes...

TIA

--
Miguel Sousa Filipe

--
gentoo-security [at] gentoo mailing list


lists at soylent

Feb 4, 2005, 1:22 PM

Post #4 of 6 (763 views)
Permalink
Re: tools for detecting linux kernel rootkits? tools to prevent its injection? [In reply to]

On Fri, Feb 04, 2005 at 07:59:34PM +0000, Miguel Filipe wrote:
> I've now tried both rkhunter and chkrootkit on a known to be infected system.
> It seems that a linux kernel rootkit isn't detected by any of those tools.
>
> Are there any IDSs or tools that perform routine checks on system call
> table addresses, and other function pointer addresses for changes..?
>
> Looking for _known_ rootkits isn't good enough sometimes...
>
> TIA
>
> --
> Miguel Sousa Filipe
>

Haven't tried this aspect of it myself, but Samhain can be configured to
check for rootkits, including syscall modifications.

http://la-samhna.de/samhain/manual/kerneldef.html


--
gentoo-security [at] gentoo mailing list
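The check asked for in post #3 (and the kind of comparison Samhain's kernel check performs against System.map) boils down to: for each syscall table entry read from kernel memory, confirm the pointer still equals the address System.map gives for that symbol and lies inside the kernel's own text segment. The script below is an added illustration, not Samhain's code; the System.map excerpt, the "live" table and all addresses are constructed for the example, and on a real system the live pointers would come from a kernel-memory reader such as the /dev/kmem access the thread mentions.

```python
import bisect

# Constructed System.map excerpt (addresses are made up for illustration).
SYSTEM_MAP = """\
ffffffff81000000 T _stext
ffffffff81045a10 T sys_read
ffffffff81045c30 T sys_write
ffffffff81046100 T sys_open
ffffffff81046380 T sys_getdents64
ffffffff81a00000 R sys_call_table
ffffffff81c00000 T _etext
"""

# Constructed "live" syscall table as it might be read from kernel memory.
LIVE_TABLE = {
    "sys_read": 0xffffffff81045a10,        # unchanged
    "sys_write": 0xffffffff81045c30,       # unchanged
    "sys_open": 0xffffffff81045c30,        # redirected to another in-kernel routine
    "sys_getdents64": 0xffffffffa0012340,  # above _etext: module address space
}

def parse_system_map(text):
    """Return ({name: addr}, sorted addr list, names in that order)."""
    by_name = {}
    for line in text.splitlines():
        addr, _type, name = line.split()
        by_name[name] = int(addr, 16)
    addrs = sorted(by_name.values())
    names = [n for n, _ in sorted(by_name.items(), key=lambda kv: kv[1])]
    return by_name, addrs, names

def nearest_symbol(addrs, names, ptr):
    """Symbol at or just below ptr (how a hooked pointer's target is named)."""
    i = bisect.bisect_right(addrs, ptr) - 1
    return names[i] if i >= 0 else None

def check_syscall_table(map_text, live_table):
    """Flag entries outside kernel text or differing from System.map."""
    by_name, addrs, names = parse_system_map(map_text)
    stext, etext = by_name["_stext"], by_name["_etext"]
    findings = []
    for name, ptr in live_table.items():
        if not (stext <= ptr < etext):
            findings.append((name, ptr, "outside kernel text"))
        elif ptr != by_name.get(name):
            findings.append((name, ptr, "points at " + str(nearest_symbol(addrs, names, ptr))))
    return findings

if __name__ == "__main__":
    for name, ptr, why in check_syscall_table(SYSTEM_MAP, LIVE_TABLE):
        print("%-16s %016x  %s" % (name, ptr, why))
```

The baseline must come from a System.map captured before the system was exposed, since a rootkit that can alter the table can also rewrite a map file stored on the same host.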


pjlv at mega

Feb 4, 2005, 2:44 PM

Post #5 of 6 (764 views)
Permalink
Re: tools for detecting linux kernel rootkits? tools to prevent its injection? [In reply to]


Miguel Filipe wrote:
| I've now tried both rkhunter and chkrootkit on a known to be infected system.
| It seems that a linux kernel rootkit isn't detected by any of those tools.

I think the reason why some rootkits may not be detected is because rootkit
checking tools rely on fingerprint databases that have to be constantly updated.

If you change some rootkit a bit just enough to change its fingerprint or if
you "use" a different rootkit, not present in the database, then those tools
won't detect it.

Of course, rootkits that re-route/change system calls or do noisy undisguised
changes can generally be detected.

regards,
pedro venda.
--

Pedro João Lopes Venda
email: pjlv [at] mega
http://arrakis.dhis.org

--
gentoo-security [at] gentoo mailing list


miguel.filipe at gmail

Feb 4, 2005, 3:34 PM

Post #6 of 6 (768 views)
Permalink
Re: tools for detecting linux kernel rootkits? tools to prevent its injection? [In reply to]

Thanks for the info,
samhain is just what I want.

Samhain should have more publicity, it looks that its "the thing"!


On Fri, 4 Feb 2005 20:22:24 +0000, Barry Dunn <lists [at] soylent> wrote:
> On Fri, Feb 04, 2005 at 07:59:34PM +0000, Miguel Filipe wrote:
> > I've now tried both rkhunter and chkrootkit on a known to be infected system.
> > It seems that a linux kernel rootkit isn't detected by any of those tools.
> >
> > Are there any IDSs or tools that perform routine checks on system call
> > table addresses, and other function pointer addresses for changes..?
> >
> > Looking for _known_ rootkits isn't good enough sometimes...
> >
> > TIA
> >
> > --
> > Miguel Sousa Filipe
> >
>
> Haven't tried this aspect of it myself, but Samhain can be configured to
> check for rootkits, including syscall modifications.
>
> http://la-samhna.de/samhain/manual/kerneldef.html
>
>
> --
> gentoo-security [at] gentoo mailing list
>
>


--
Miguel Sousa Filipe

--
gentoo-security [at] gentoo mailing list
