
#1 2012-09-28 00:25:18

Mjothvitnir
Member
Registered: 2012-08-30
Posts: 10

Rootkit questions

Before anyone says anything, I know it is ridiculously unlikely for me to ever encounter a rootkit accidentally. The reason I am asking is because I am in charge of securing Linux machines in a cyber defence competition my school is competing in. I have already researched what they are, how they work and now I am trying to figure out how to remove them or make them useless in some way without reinstalling the system. I will not have physical access to the system as I have to connect through the PuTTY remote desktop program. From what I have seen this makes removing them almost impossible.

I have heard that making certain commands like ls or netstat immutable (unchangeable) will cause some rootkits to fail. Is this still true if the rootkit is already installed?
For example: if there is an altered version of the ls command running on the system because a rootkit is installed, will it work to uninstall the ls command, reinstall it and immediately make it immutable? Or will the rootkit immediately alter the command again before I get a chance?
(Note: this is not for kernel-level rootkits. I know this won't work for them, only the application-level ones.)

Also will a kernel level rootkit be removed if you recompile the kernel?

I'm not sure if I've been very clear on what I'm asking, so if it doesn't make sense let me know and I'll try to clarify things.

Any help I could get on this would be amazing since rootkits seem like they'll be my biggest headache for this competition.

Offline


#2 2012-10-06 19:14:48

tradetaxfree
#! CrunchBanger
Registered: 2011-03-05
Posts: 111

Re: Rootkit questions

To make the system more difficult to exploit, build a grsecurity kernel.

See my guides here for securing a system.

Make /tmp a symbolic link to /var/tmp & mount /var/tmp noexec with the following in /etc/fstab:

tmpfs /var/tmp tmpfs defaults,noatime,noexec,nodev,nosuid,mode=1777  0  0

Offline
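As an added example (not code from either poster), a POSIX shell check that confirms a tmp mount actually carries the noexec, nodev and nosuid options the reply above recommends. It reads lines in /etc/fstab or /proc/mounts format; the sample mount table below is constructed, not a real capture.

```shell
#!/bin/sh
# Hardening options the fstab line in the reply relies on.
REQUIRED_OPTS="noexec nodev nosuid"

# missing_opts <mount-line>
# Prints the required options that are absent from field 4 (the
# comma-separated option list in both fstab and /proc/mounts format).
missing_opts() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    missing=""
    for want in $REQUIRED_OPTS; do
        case ",$opts," in
            *,"$want",*) ;;                 # option present
            *) missing="$missing $want" ;;  # option absent
        esac
    done
    printf '%s' "${missing# }"
}

# check_mountpoint <dir> <mounts-file>
# Prints "ok", "not mounted", or the list of missing hardening options.
# Comment lines (leading #) are skipped; the last matching entry wins,
# as it does for a directory mounted more than once.
check_mountpoint() {
    line=$(awk -v d="$2" '$1 !~ /^#/ && $2 == d' "$3" 2>/dev/null | tail -n 1)
    [ -n "$line" ] || { printf 'not mounted'; return 1; }
    m=$(missing_opts "$line")
    [ -z "$m" ] && printf 'ok' || printf '%s' "$m"
}

# Constructed sample in /proc/mounts format (hypothetical, not a real system).
# /var/tmp follows the reply's fstab line; /tmp is deliberately missing noexec.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# comment lines must be ignored
tmpfs /var/tmp tmpfs rw,noatime,noexec,nodev,nosuid,mode=1777 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF

for d in /var/tmp /tmp /home; do
    printf '%s: %s\n' "$d" "$(check_mountpoint x "$d" "$SAMPLE")"
done
```

On a live Debian box, pass /proc/mounts as the second argument to see what is actually in effect rather than what /etc/fstab promises.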


Copyright © 2012 CrunchBang Linux.