
Compromise detection and data integrity


By Payam Tarverdyan Chychi

The third in our series of good security practices, this piece discusses compromise detection and data integrity to help you identify when you've been hacked.

WHAT IS A ROOTKIT?
A rootkit is a piece of software used by hackers that modifies certain key system files in order to hide the hacker's true identity and to provide him with an undetectable environment within the system. The exact methods vary with how advanced the rootkit's code is. The majority of 'public' rootkits are modified versions of the binary files that your system depends on for day-to-day tasks: trojaned or backdoored copies are installed on your system in place of your original files.

For example, a simple rootkit would replace the current 'ps' binary on your system with a modified version that filters the output of the program. This means that when you, the administrator, execute the 'ps' command you will not be able to see the processes that are running under the hacker's account. Other files usually included in a rootkit are pre-modified network mass-scanners, sniffing tools (packet/string capture) and log modifying tools (to remove any log entries that would reveal their presence, as well as evidence of their having logged in to the server).

Unauthorized users usually create a legitimate-looking user account on the hacked server, which they later use as a backdoor in the event that their rootkit is discovered. You need to be aware of the valid user accounts on your systems, though this is easier said than done. Always investigate new user accounts with care to ensure that they are legitimate and accounted for.

Once a server has been exploited (rootkit or no rootkit) the data integrity of your system has been compromised. The only true way to ensure 100% data integrity is to perform a clean rebuild. Otherwise, you can never be completely certain that your server is clean.

For more information about rootkits, check out http://en.wikipedia.org/wiki/Rootkit.

What follows are some examples of compromise detection and data integrity systems that administrators may want to consider adding to their arsenal to help identify when and if a rootkit has been installed on a system.

CHKROOTKIT: http://chkrootkit.org
chkrootkit was one of the original data integrity analyzers made available to the public. chkrootkit is a utility that uses the system's own base tools (such as find, strings and grep, among others) to scan the core system for known rootkit signatures. chkrootkit has the ability to locate some of the latest (known) rootkits, including LKM (Loadable Kernel Module) based rootkits. chkrootkit is a very basic yet versatile piece of software that should definitely be a part of every administrator's toolkit.

ROOTKIT HUNTER (RKHUNTER): http://www.rootkit.nl
Rootkit Hunter follows the same premise as chkrootkit, with some differences in the scanning methods used, as well as some additional features to help administrators in their everyday job of creating and maintaining a secure server environment. Not only does rkhunter check your system for known rootkits, it also scans the system for any changes in /etc/passwd and /etc/group and checks your system for known vulnerable software versions.

Let's say you're running a known vulnerable version of Apache. rkhunter will show a software vulnerability output at the end of the system scan.

For a full list of scanning techniques, please read: http://www.rootkit.nl/articles/rootkit_scanning_techniques.html.

TRIPWIRE: http://sourceforge.net/projects/tripwire
Tripwire is a security and data integrity tool that allows you to monitor the overall security and integrity of your server and to alert you to the first signs of a break-in. Tripwire works by taking a snapshot of your system files and storing it in a secure location as read-only, so that the integrity of the image cannot be tampered with. The program is added to the crontab, which allows it to run in the background and actively monitor your server, looking for any changes that may have occurred. For instance, if your server is exploited and a rootkit is installed, Tripwire will report which files were replaced, what each file's creation date/time stamp was and what its MD5 (Message-Digest algorithm 5) signature should be.

AIDE: http://www.cs.tut.fi/~rammer/aide.html and http://sourceforge.net/projects/aide
AIDE is a security and data integrity tool used for monitoring your servers. AIDE is based on the same concept as Tripwire but is capable of much more, with the added bonus that it is 100% free. AIDE is fairly simple to use and is explained on the website mentioned above.
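The snapshot-and-compare idea behind both Tripwire and AIDE, as an added example that is not code from either project: a baseline records a hash, size and permission bits for every file, is stored read-only (ideally on offline media), and a later scan is diffed against it to list what was added, removed or replaced. The names (hash_file, snapshot, save_baseline, compare) and the throwaway directory tree are my own, and SHA-256 stands in for the MD5 mentioned above.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Baseline: hash, size and permission bits of every regular file under root."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.lstat()
            entries[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
            }
    return entries

def save_baseline(entries: dict, out: Path) -> None:
    """Write the baseline and drop it to read-only; the trusted copy belongs offline."""
    out.write_text(json.dumps(entries, indent=1, sort_keys=True))
    out.chmod(0o400)

def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed (hash, size or mode) since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}

if __name__ == "__main__":
    # Constructed demo: a throwaway tree stands in for the real file system.
    work = Path(tempfile.mkdtemp())
    (work / "sys" / "bin").mkdir(parents=True)
    (work / "sys" / "bin" / "ps").write_bytes(b"original ps\n")
    save_baseline(snapshot(work / "sys"), work / "baseline.json")
    (work / "sys" / "bin" / "ps").write_bytes(b"trojaned ps\n")  # simulate the swapped binary
    print(compare(json.loads((work / "baseline.json").read_text()), snapshot(work / "sys")))
```

Keep the baseline file outside the tree being scanned, or it shows up as an "added" file on the next run.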

TIGER: http://savannah.nongnu.org/projects/tiger
Tiger is a great piece of software and should be used by any administrator who really needs to keep an eye on his local file system and server security. Tiger was first developed by the Texas A&M campus to ensure security on their publicly accessible servers. Though the development was eventually stopped due to the availability of other software with similarities, it has been brought back and improvements have been introduced by ARC (Advanced Research Computing), Hewlett Packard and the Debian GNU/Linux community.

Tiger can be used as a real-time compromise detection and data integrity system. It scans the system for changes in certain files. It also checks the core system for wrong file/folder permissions and for changes in /etc/passwd and /etc/group entries, performs rootkit scans, and much more. The result of the Tiger scan is then saved as /var/log/tiger/security.report*.$DATE-$TIME so you can refer back to your logs at a later date.

You can run Tiger with the following commands as root on your server:
'tiger' will run a complete scan on your system and will report the results in .txt format. You can have the results reported in HTML by adding the -H option to the command ('tiger -H').
'tiger -help' will display all valid options that can be used with Tiger in order to perform a more specific scan.

Unfortunately, you can't ever be sure of your security once your server has been exploited and a rootkit has been installed. The information above will help you identify the issues, but it will not prevent them. In a perfect world you would never need to use such software. This is not a perfect world, however.