Root Kit Hunter
I had a strange problem with one of my own RedHat machines the other day. Very simply, I couldn't su to root, and I couldn't even login at the console as root.
I hadn't forgotten the password, but the system just wouldn't let me in.
As it happened, I didn't have time to deal with the problem right that moment (obviously I didn't urgently need root access right then) so I didn't get back to this till the next day. To my surprise, I was now able to login or su as I wished.
My immediate thought was "rooted!". But after a moment's reflection I wondered "how?" I'm behind a firewall. I don't allow inbound traffic to ssh, telnet or anything else.
I watch the blinking lights on the LAN when machines are supposed to be quiet, and I disconnect the cable modem when I'm done for the day. I really doubted that this machine had been rooted.. but what the heck, might as well check.
RKHunter is a shell script that runs on just about any Unixy OS from AIX to Solaris and even Mac OS X. That wide range of OS checking makes this a very useful tool to have on your machines.
But it turned up no problems. And indeed, I couldn't see any indication of even an attempted breach. I left the modem connected after hours and watched the lights on the LAN for any activity; all was quiet.
I downloaded other root kit checkers; they all said the system was clean. So what was going on?
Well, it was my own doing. I completely forgot that I had protected this system with pam_tally in addition to other things.
I had mistyped my password twice and locked myself out. I reset that every hour during working hours, so it had cleared itself quickly, which is why I could log in the next day.
Still, it was a good thing. I had been lax and had not checked any of my systems for rootkits in quite a while. That's probably not a good idea.
For example, RKHunter showed me that I had "PermitRootLogin yes" in one of my boxes' sshd_config. That had been intended as a momentary convenience, but I had forgotten to take it out.
sshd wasn't actually running on that box, so it really didn't matter, but I could have easily turned it on without checking the configuration. RKHunter looks for things like that and more.
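The kind of check described above, as an added example written for this article (not RKHunter's own code): it reports the effective PermitRootLogin value of an sshd_config file, honouring the rule that sshd takes the first uncommented value of a keyword and that settings inside a Match block are conditional. The sample config it writes is constructed for the demonstration, not taken from a real system.

```shell
# Report the effective PermitRootLogin setting of one sshd_config file.
# sshd uses the FIRST uncommented value of a keyword, and values inside a
# "Match" block apply only conditionally, so both cases are handled.
permit_root_login() {
    awk '
        { sub(/[#].*/, "") }                        # drop comments
        /^[ \t]*$/ { next }                         # skip blank lines
        tolower($1) == "match" { in_match = 1 }     # rest of file is conditional
        in_match { next }
        tolower($1) == "permitrootlogin" && !found { found = 1; print $2 }
        END { if (!found) print "unset" }           # sshd built-in default applies
    ' "$1"
}

# Returns 1 when direct root login over ssh is permitted outright, 0 otherwise,
# so the function can gate a cron job or a configuration-management run.
check_root_login() {
    v=$(permit_root_login "$1")
    if [ "$v" = "yes" ]; then
        echo "WARNING: $1 sets PermitRootLogin yes" >&2
        return 1
    fi
    echo "$1: PermitRootLogin=$v"
    return 0
}

# Constructed sample config (hypothetical, not a real system file) with the
# usual pitfalls: a commented-out "no", a forgotten "yes", a later "no" that
# sshd ignores, and a Match block whose "no" is only conditional.
write_sample_config() {
    cat > "$1" <<'EOF'
# PermitRootLogin no
Port 22
PermitRootLogin yes   # momentary convenience
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin no
EOF
}
```

Run it against a live machine with `check_root_login /etc/ssh/sshd_config`; on the constructed sample it reports the forgotten "yes" and returns 1.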
About the Author:
A.P. Lawrence provides SCO Unix and Linux consulting services http://www.pcunix.com