Mystery infestation strikes Linux/Apache Web sites
andy baxter
andy at earthsong.free-online.co.uk
Tue Jan 29 00:27:03 UTC 2008
Gabriel Dragffy wrote:
> Miano, Steven M. wrote:
>
>> http://www.linux.com/feature/125548
>>
>> Has anyone else checked to see if their system is infected with this
>> rootkit as of yet?
>>
>> I am unfortunately monitoring my network traffic, and fortunately not
>> seeing anything at the moment.
>>
>
> I read about this on The Register. Seems so bad, especially because the
> security specialists don't know exactly how machines are affected. I'm on
> the lookout for some rootkit detection software, any recommendations?
>
> Gabe
>
It's not exactly what you've asked for, but it would be worth looking at
aide. This checksums all the files on your hard disk (or all the ones
you want it to), and tells you if any of them have changed. I use this
on my home server, and so far it seems to have worked OK. (I haven't had
any break-ins so far as far as I know, but aide seems to do pretty much
what it says).

The important point with aide is to put the config file, aide binary,
and any other files you need to run it on removable read-only media. I
use a floppy disk, but you could burn them to a CD-R instead. USB sticks
are no good unless they have a write-protect switch (unusual nowadays).

The only problem I've found with it is it makes running a server a bit
more awkward, as you have to run the check before every security update,
then check through again and rebuild the database when the update has
finished.
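
The check, update, rebuild cycle described in the message above, as an added sketch that is not part of the original post and is not aide's own code. It hashes file contents only; the helper names (`snapshot`, `compare`, `write`, `demo`) and the sample file names are made up for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Return {relative path: SHA-256 of contents} for every file under root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            db[os.path.relpath(path, root)] = digest
    return db


def compare(baseline, current):
    """Report files added, removed or changed relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(baseline) & set(current)
                          if baseline[p] != current[p]),
    }


def write(root, name, data):
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(data)


def demo():
    """Walk the cycle on a constructed tree: check, update, rebuild, check."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "sshd", b"sshd build 1")        # constructed sample files
        write(root, "httpd.conf", b"Listen 80\n")
        baseline = snapshot(root)                   # initial database
        pre_update = compare(baseline, snapshot(root))   # check before updating
        write(root, "sshd", b"sshd build 2")        # the security update itself
        post_update = compare(baseline, snapshot(root))  # review: only sshd expected
        baseline = snapshot(root)                   # rebuild the database
        write(root, "httpd.conf", b"Listen 80\nLoadModule x\n")  # unexplained edit
        write(root, "dropped.so", b"\x7fELF")       # unexplained new file
        later = compare(baseline, snapshot(root))
    return pre_update, post_update, later


if __name__ == "__main__":
    for report in demo():
        print(report)
```

Here the baseline lives in memory; in the setup the message describes it would sit on the read-only media next to the binary and config, so that a change to the database itself cannot go unnoticed.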