'lo,

On Sun, 20 Nov 2011 08:51:14 +0100 dollfacepers...@hushmail.com wrote:
> I've been reading up on rootkits via Google, but there's so much on detection
> and removal and almost nothing on how they get into a computer, or how much
> of a threat they are to Linux users - are new ones being created every year?
> Are they as rare as Linux viruses?
Linux viruses (and I mean by definition of a virus and not necessarily what Antivirus companies mark as such) are rarely seen in the wild. Traditional rootkit usage (as far as I can see evidence of it) has dwindled drastically. But even though softer and easier targets exist like all sorts of bad programming, misconfiguration and stale software running in the web stack, even though the 2.6 kernel doesn't export required symbols anymore and despite the diversity of Linux distributions, they are still used and some high profile ones, mostly Phalanx IIRC, have popped up the past years.

> Are Linux servers more targeted than home users?

I think the question should be the reverse: does the machine provide a certain value? Is it economical for a cracker to abuse CPU, disk space, bandwidth or obtain credentials? If you look for instance at the compromise of one of Hans Peter Anvin's machines then that itself wasn't much of a deal (OK, apart from every compromise being one too many) but then his access to kernel.org definitely made it worth the trouble...

> I know they can be hidden in applications, but is installing them also as
> easy as, say, clicking on a link or having a pop-up ad getting past your
> defenses, or accidentally going to a site marked as red by WOT - and you're
> still screwed even if you get out quickly?

While most problems stem from a (deliberate) lapse of common sense I'd say that characterization of things stems more from having had experience with The Other OS.

> On RKHunter: I scanned with rkhunter the first time after reinstalling it,
> and I got a warning for rkhunter itself:
>
> [15:13:26] Warning: The file properties have changed:
> [15:13:26] File: /usr/bin/rkhunter
> [15:13:26] Current inode: 2753106 Stored inode: 2760035

Did you by any chance update Rootkit Hunter or edit the file by hand?
> The first time I installed it, I got different warnings
> /usr/bin/mail [ Warning ]
> /usr/bin/bsd-mailx [ Warning ]
> which disappeared since I removed Thunderbird.

...as I said in the LQ thread: look at the log file, not the output, for details.

> What is an inode?

See http://en.wikipedia.org/wiki/Inode ?

> I'm reading the CERT Intruder Detection list and...is there a For Dummies
> version of this?

No, not really. Just work your way through it and then ask questions about it (it's not really a topic for this list) in the LQ Linux Security forum.

Best regards,
unSpawn

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
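The "Current inode / Stored inode" warning discussed in this thread comes from a file-properties check: a stored baseline is compared with the file's current inode and contents. The script below is an added illustration, not rkhunter's own code, of why a reinstall or package update trips the inode part of that check while a hand edit trips the hash part; it assumes GNU coreutils (stat -c, sha256sum) on Linux and uses a constructed throwaway file instead of /usr/bin/rkhunter.

```shell
#!/bin/sh
# Added example (not rkhunter's own code): a minimal version of the
# file-properties check behind "Stored inode / Current inode" warnings.
# Assumes GNU coreutils (stat -c, sha256sum) on Linux.

# props FILE -> "inode size sha256", the record a baseline would store
props() {
    printf '%s %s %s\n' "$(stat -c '%i' "$1")" "$(stat -c '%s' "$1")" \
        "$(sha256sum "$1" | cut -d' ' -f1)"
}

# classify_change "STORED" "CURRENT" -> unchanged | replaced | modified
# replaced: inode differs, i.e. a new file was moved into place, which is
#           what a package upgrade or reinstall does (even with same contents)
# modified: same inode but different contents, i.e. edited in place
classify_change() {
    set -- $1 $2            # unquoted on purpose: $1-$3 stored, $4-$6 current
    if [ "$1" != "$4" ]; then
        echo replaced
    elif [ "$3" != "$6" ]; then
        echo modified
    else
        echo unchanged
    fi
}

# demo: reproduce both kinds of warning on a constructed throwaway file
demo() {
    tmp=$(mktemp -d); f="$tmp/rkhunter"
    printf 'v1\n' > "$f"
    stored=$(props "$f")                 # what a baseline update would save
    printf 'v2\n' > "$f"                 # hand edit: same inode, new hash
    echo "hand edit      : $(classify_change "$stored" "$(props "$f")")"
    printf 'v1\n' > "$tmp/new"; mv "$tmp/new" "$f"   # package-style replace
    echo "package update : $(classify_change "$stored" "$(props "$f")")"
    rm -rf "$tmp"
}
demo
```

The second case is the one from the thread: the contents are identical to the baseline, yet the inode differs because the package manager wrote a new file and renamed it over the old one, so the fix is to refresh the stored properties after a known-good update rather than to treat the warning as a compromise.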