Staying one step ahead of the intruders
One of the most popular rootkit scanners on Linux is Chkrootkit . The toolkit by Nelson Murilo and Klaus Steding-Jessen comprises a collection of small C programs specially written to detect a specific anomaly. After unpacking the archive, build the applications by typing
and then perform a trial run by typing ./chkrootkit (Figure 1). Unfortunately, the rootkit scanner calls various binary programs on the infected system. For this reason, you should always run these tools directly from a separate, clean medium such as a CD or DVD drive:
./chkrootkit -p /cdrom/bin
in order to avoid infection.
Just like Chkrootkit, Rootkit Hunter also searches the infected system for specific characteristics that indicate the existence of a rootkit. Originally written by Michael Boelen, the tool was passed on to a team of developers in 2006, and the results are visible on SourceForge . After downloading and unpacking the archive, become root and enter the following to build:
./installer.sh --layout custom . --install
Then change to the files subdirectory and modify the rkhunter.conf configuration file. The following command line starts the check
In contrast to previous, simple scanners, OSSEC  launches a whole battery of functions (Figure 2). In addition to automatically performing period rootkit detection, it offers permanent monitoring and analysis of logfiles, integrity checks, and (rules-based) intrusion detection. The Rootcheck project has rootkit signatures up for grabs on its website .
OSSEC lets you set up a client/server team: Agents monitor the operating system on the client machines. Whenever a suspicious or atypical event occurs, a message is passed on to a central monitoring server, which then performs the analysis, draws conclusions, and raises the alarm if necessary.
To install OSSEC, just unpack the archive and type:
Say yes to all the prompts and choose local as the installation type, if you do not want to set up an agent/server operation.
Next, select one of the installation routine options for rootkit detection, then modify the configuration in /var/ossec/etc/ossec.conf, and launch OSSEC HIDS by typing
The program then starts to monitor the target system.
In a default installation, the configuration file is stored in /etc/ossec-init.conf, with all other files in /var/ossec. Rootkit signatures are stored in the files rootkit_files.txt and rootkit_trojans.txt in /var/ossec/etc/shared.
Buy this article as PDF
Both projects help organizations build their own containerized systems.
Mark Shuttleworth has resumed the position of CEO of Canonical.
Microsoft's open source code hosting platform CodePlex will come to an end after a more than 10-year stint.
Comes with Gnome 3.24
The bug was introduced back in 2009 and has been lurking around all this time.
The new release deprecates the sshd_config UsePrivilegeSeparation option.
Lives on as a community project
Five new systems join Dell XPS 13 Developer Edition that come with Ubuntu pre-installed.
The Skype Linux client now has almost the same capabilities that it enjoys on other platforms.
At CeBIT 2017, OpenStack Day will offer a wide range of lectures and discussions.