Enterprise Unix Roundup: Sun's Free Lunch Page 2

By Michael Hall (Send Email)
Posted Jun 16, 2005

Main     In Other News     Recent Updates     Tips of the Trade

Recent Updates

  • Apple is expected to make another Tiger point release in the next few weeks, possibly bringing OS X to version 10.4.2 before the end of the month. HP is also prepping a patch. Version 111 v2 of HP-UX will be ready in July, bringing the company's virtualization technology (vPars) to its Itanium-based Integrity line.

  • Red Hat announced the release of Fedora Core 4. The noteworthy advance in this release, aside from the steady tick of incrementing version numbers on key components like the kernel and Apache, is the introduction of support for PowerPC systems ... just as Apple decides to move to Intel.

  • Linux 2.6.12 is waiting in the wings, too, with native virtualization and SELinux support.

  • Mailing list server Mailman was updated to version 2.1.6. Among the bugfixes are one critical security patch and one potential cross-site scripting vulnerability.

  • Application server Zope was updated to version 2.7.6, which addresses "many bug fixes."

Tips of the Trade

Linux and Unix rootkits require some skill and persistence to implement. An attacker must first gain access to the system, then find a way to escalate privileges to gain enough power to do mischief. This usually requires exploiting known weaknesses in programs like buffer overflows, where once the attacker has gained superuser privileges, he or she installs a rootkit. A rootkit is a secret backdoor that the attacker uses to come and go at will.

This is why long-time admins consistently nag about basics like carefully managing file and user permissions, enforcing strong passwords, implementing both inbound and outbound firewall rules, and being a good housekeeper (i.e., keep unused user accounts and groups purged from your systems).

A common tactic is to replace system binaries with Trojan horse versions, like /bin/login, which allows an attacker to enter the system at will. Other common system files to suffer the same treatment are du, for hiding disk usage, find, for controlling searches, and netstat, to cover up network activity. So, while it is difficult to compromise a Linux or Unix system, once a rootkit takes root it can be difficult to detect. Eradication is simple: Reinstalling the entire operating system is the only safe method.

No matter how stealthy an attacker is, he always leaves detectable traces. There are a number of excellent rootkit detectors, one of which is Rootkit Hunter. Rootkit Hunter checks for a number of different things, including:

  • Known rootkit files
  • Hidden files
  • Tell-tale strings
  • MD5sum comparisons
  • Wrong file permissions

Rootkit Hunter can run automatically from cron, or manually with the user approving every step of the process. It runs on almost any Linux or Unix system, and is both free of cost and Free Software, licensed under the GPL.

Carla Schroder writes the Tips of the Trade section of Enterprise Unix Roundup. She also appears on Enterprise Networking Planet and Linux Planet, covering Linux from the desktop to the server room, and is the author of the Linux Cookbook.

>> To Main
>> To Other News

Page 2 of 2

Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.