This is a discussion on Trojans and Trojan-scanner within the Linux Security forums, part of the System Security and Security Related category.
Moe Trin wrote:
> In article <4183b37b$0$65124$c5fe704e@news6.xs4all.nl>, erik wrote:
>
>> Bzzzzzzzzzt. Wrong answer. Trojans _are_ a big topic on linux. Have a
>> look at chkrootkit and why it is so popular.
>
> Oh, that's simple. The windoze wankers who discovered how l33t it is
> to run a *nix are used to having a program to run to see how badly
> they are infected. chkrootkit was written to fill that need. That the
> dumb fucks could have avoided the problem in Linux, just as easily as
> they could have avoided being infected in windoze is an education
> problem.

You do not seem to know of the existence of 0day exploits. They exist
for windows, solaris, linux, OpenBSD, FreeBSD, NetBSD, and any other OS
out there.

> They don't want to learn, and actively resist clue. chkrootkit has
> the same drawback that all of the windoze virus/trojan/spyware hunter
> programs have - if the bad guy does even one thing differently, then
> the hunter program doesn't find it - or it misidentifies things, and
> the luser doesn't know what to do. But he doesn't worry, because he
> has a r00tkit detector and like two crossed sticks, that will keep the
> vampires away.
>
>> Last time I heard somebody say that their environment was safe I found
>> that all 70 servers were severely infected...
>
> Windoze wanker admins trained (conditioned) by microsoft

Hmmm, those servers were linux and solaris servers... and they were
maintained by supposedly competent admins. However, I think differently
about the level of competence...

>> Bzzzzzzzt, wrong answer again. Run an updated version of chkrootkit
>> regularly. iptables will NOT stop trojans or infections on normally
>> opened ports. Have a look at snort-inline to stop malicious traffic at
>> your gateway. Keep the Net safe please...
>
> Two crossed sticks _supplemented_ by a wreath of braided garlic bulbs.
> Maybe also a bucket of blessed water (hey, it worked on the Wicked
> Witch of the West, didn't it?) Yeah, that ought to do it.

Don't get the idea that you're safe _just_ because you run linux.

EJ
--
Remove the obvious part (including the dot) for my email address.
http://www.vanwesten.net for examples of ipf and pf.
In article <41863089$0$48933$c5fe704e@news6.xs4all.nl>, erik wrote:

> You do not seem to know of the existence of 0day exploits. They exist
> for windows, solaris, linux, OpenBSD, FreeBSD, NetBSD, and any other OS
> out there.

I'm quite aware of them. Exactly how does your l33t tool of honor
"chkrootkit" keep up with 0day exploits. Oh, it can't. Big surprise.
People actually have to _think_ a bit. Have you ever bothered to _READ_
the scripts that chkrootkit is using to see how it works? You might be
horrified. 'grep' doesn't use fuzzy relationships.

>>> all 70 servers were severely infected...

>> Windoze wanker admins trained (conditioned) by microsoft

> Hmmm, those servers were linux and solaris servers... and they were
> maintained by supposedly competent admins. However, I think differently
> about the level of competence...

To paraphrase something someone else once posted: "being a [UNIX
administrator] is not an entry level skill, but it can easily be an
exit level skill."

> Don't get the idea that you're safe _just_ because you run linux.

Of course not - I, and my users, are not windoze wankers with the
intelligence level of a wet rock. We don't depend on "magic spells"
and 'chants' to try to keep from being infected too badly. Programs
like chkrootkit are not a substitute for actually using the brain and
learning the system you are trying to use. You _do_ try to do that,
don't you?

Old guy
> Trojans are not really a big topic at Linux, are they?
> How often do some pop up throughout a month?
> Are there any dedicated Trojan-scanners or Trojan-scanning features
> within other security related software yet? (I googled for it, but
> found none)

I don't know if trojan is the word. There ARE lots of "root kits" that
are installed on compromised Linux hosts. Modern distributions are
safer, but in 2001 or 2002 if you installed a default Linux
distribution, unpatched, and connected it to the internet it would
probably be hacked within a month or so.

A root kit is almost always installed, which replaces the tools the
admin uses and *hides* the infection, e.g. the ls command will hide
files used by the rootkit. This is much more advanced than the Windows
nasties, which can usually be easily detected. Most rooted Linux servers
don't have any idea that something is awry.

It is VERY difficult to tell that your *nix host is compromised, while
you are using the (potentially infected) system itself to check.
Ideally, what you should do is periodically take the root volume off
line and boot a guaranteed clean Linux system. Mount the root volume to
examine, and then run chkrootkit on it as well as a real virus scanner,
such as McAfee VirusScan for UNIX with all heuristics enabled.

Additionally I like to compare the md5sum values for all critical files
against known values. This helps reassure me that the system has not
been tampered with by an intruder.

--
Jem Berkes
http://www.sysdesign.ca/
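The offline hash comparison Jem describes, as an added example that is not code from the thread: a POSIX sh script that records an md5 baseline from a trusted tree and then checks a mounted suspect volume against it. The file names and contents in the demo are constructed.

```shell
#!/bin/sh
# Offline integrity check in the spirit of the post above: a baseline of md5
# hashes is recorded from a trusted tree, then a mounted suspect root volume is
# checked against it. Added example, not from the thread; paths are constructed.

# Record "<md5>  <relative path>" for each listed file under TREE (run this on
# the known-clean system and keep the output somewhere the suspect host cannot
# alter it).
make_manifest() {
    tree="$1"; shift
    for p in "$@"; do
        printf '%s  %s\n' "$(md5sum -- "$tree/$p" | cut -d' ' -f1)" "$p"
    done
}

# Compare every manifest entry against MOUNT (the suspect volume mounted
# read-only from a clean boot). Prints one line per modified or missing file
# and returns 1 if anything differs, 0 if all hashes match.
verify_manifest() {
    mount="$1"; manifest="$2"; rc=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$mount/$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        actual=$(md5sum -- "$mount/$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path (expected $expected, got $actual)"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Demo on constructed data: a "clean" tree and a "suspect" tree where ps has
# been replaced and netstat is gone. Returns verify_manifest's status.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/clean/bin" "$work/suspect/bin"
    printf 'clean ls\n' > "$work/clean/bin/ls"
    cp "$work/clean/bin/ls" "$work/suspect/bin/ls"       # untouched
    printf 'clean ps\n' > "$work/clean/bin/ps"
    printf 'trojaned ps\n' > "$work/suspect/bin/ps"      # replaced binary
    printf 'clean netstat\n' > "$work/clean/bin/netstat" # missing on suspect
    make_manifest "$work/clean" bin/ls bin/ps bin/netstat > "$work/baseline.md5"
    if verify_manifest "$work/suspect" "$work/baseline.md5"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}
```

Against a real disk the same two functions apply: build the manifest from the trusted install, then point verify_manifest at the mount point of the suspect root volume.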
> A long time ago I 'found' that about 30% of co-located boxes (running
> linux) were cracked. That is too much to be funny. Braindead admins?
> Probably. Have a look around at ISPs. You'll be amazed how many of
> their boxes turn out to be cracked. My ISP is one of the few I know
> that permits its customers to crack them (under condition that you will
> not destroy anything and so on), and actually gives a reward if you
> tell them how you did it.

Yes, xs4all.nl sounds like an incredible ISP. My customers have been
singing its praises for years. Considering all the clueless broadband
ISPs I have seen here in North America, it really makes me curious about
what life is like in nl :)

And I'll agree with you, many colocated servers and professionally
hosted servers are cracked. I have discovered hacked enterprise servers,
important databases, e-commerce sites (including those that store
sensitive financial data). This happens a lot and the company who is a
victim won't let out a peep.

Servers get hacked whether they're running Windows, Linux, FreeBSD,
OpenBSD, Solaris, whatever. I have seen all of these.

--
Jem Berkes
http://www.sysdesign.ca/
Moe Trin wrote:
> In article <41863089$0$48933$c5fe704e@news6.xs4all.nl>, erik wrote:
>> You do not seem to know of the existence of 0day exploits. They exist
>> for windows, solaris, linux, OpenBSD, FreeBSD, NetBSD, and any other OS
>> out there.
>
> I'm quite aware of them. Exactly how does your l33t tool of honor
> "chkrootkit" keep up with 0day exploits. Oh, it can't. Big surprise.
> People actually have to _think_ a bit. Have you ever bothered to
> _READ_ the scripts that chkrootkit is using to see how it works? You
> might be horrified. 'grep' doesn't use fuzzy relationships.
>

As a user of tkt, autopsy and the likes I think I understand a little
bit more than required.

>>>> all 70 servers were severely infected...
>
>>> Windoze wanker admins trained (conditioned) by microsoft
>
>> Hmmm, those servers were linux and solaris servers... and they were
>> maintained by supposedly competent admins. However, I think
>> differently about the level of competence...
>
> To paraphrase something someone else once posted: "being a [UNIX
> administrator] is not an entry level skill, but it can easily be an
> exit level skill."
>

It was their exit level indeed.

>> Don't get the idea that you're safe _just_ because you run linux.
>
> Of course not - I, and my users, are not windoze wankers with the
> intelligence level of a wet rock. We don't depend on "magic spells"
> and 'chants' to try to keep from being infected too badly. Programs
> like chkrootkit are not a substitute for actually using the brain and
> learning the system you are trying to use. You _do_ try to do that,
> don't you?

What do you think? Using OpenBSD and not being able to think? _That_ is
a rare combination.

Read back in the thread. The OP's question was if there were any
trojans for linux. The mere existence of chkrootkit is proof enough
that that is indeed the case. I am not discussing the virtues of
chkrootkit. I've said nothing more, nothing less.

EJ
--
Remove the obvious part (including the dot) for my email address.
http://www.vanwesten.net for examples of ipf and pf.
Jem Berkes wrote:
>> A long time ago I 'found' that about 30% of co-located boxes (running
>> linux) were cracked. That is too much to be funny. Braindead admins?
>> Probably. Have a look around at ISPs. You'll be amazed how many of
>> their boxes turn out to be cracked. My ISP is one of the few I know
>> that permits its customers to crack them (under condition that you
>> will not destroy anything and so on), and actually gives a reward if
>> you tell them how you did it.
>
> Yes, xs4all.nl sounds like an incredible ISP. My customers have been
> singing its praises for years. Considering all the clueless broadband
> ISPs I have seen here in North America, it really makes me curious
> about what life is like in nl :)

Don't worry, the rest of the ISPs in NL more than compensate. :(

> And I'll agree with you, many colocated servers and professionally
> hosted servers are cracked. I have discovered hacked enterprise
> servers, important databases, e-commerce sites (including those that
> store sensitive financial data). This happens a lot and the company
> who is a victim won't let out a peep.

I know. I make a living out of it.

> Servers get hacked whether they're running Windows, Linux, FreeBSD,
> OpenBSD, Solaris, whatever. I have seen all of these.

Again agreed.

EJ
--
Remove the obvious part (including the dot) for my email address.
http://www.vanwesten.net for examples of ipf and pf.
On 2004-11-02, Moe Trin <ibuprofin@painkiller.example.tld> wrote:
> I'm quite aware of them. Exactly how does your l33t tool of honor
> "chkrootkit" keep up with 0day exploits. Oh, it can't. Big surprise.
> People actually have to _think_ a bit. Have you ever bothered to _READ_
> the scripts that chkrootkit is using to see how it works? You might be
> horrified. 'grep' doesn't use fuzzy relationships.

Try using UPX and compressing one of the files that chkrootkit checks
(like lsof). Run chkrootkit. Now un-compress it again. Run chkrootkit
again... ;)

--
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++