Rootkit Problem on FLEX

A rootkit is a malicious software designed to obtain root-level access to a computer while hiding its presence or identity from antivirus software. Common ways for rootkits to get installed on your system are through trojan horses contained in drive-by downloads, known system vulnerabilities, suspicious email attachments, web surfing, or simply by password cracking.

On Linux, there are several rootkit scanner tools that help project against known or potential rootkits. One such rootkit detection tool is called Rootkit Hunter (rkhunter).

Protecting FLEX by rkhunter

Installation

Install rkhunter on Ubuntu:

$ sudo apt-get install rkhunter

Perform Rootkit Scanning

To perform rootkit scanning on FLEX, simply run the following.

$ sudo rkhunter -c

Once rkhunter is initiated, it will go ahead and run a series of tests as follows.

Log files

Once scanning is completed, rkhunter stores the result in /var/log/rkhunter.log. We can check for any warning and results something like this:

System checks summary
===================== 

Rootkit checks...
   Rootkits checked : 310
   Possible rootkits: 2
   Rootkit names    : SHV4 Rootkit, SHV5 Rootkit

Applications checks...
   All checks skipped

The system checks took: 1 minute and 54 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

Database update

Rootkit Hunter relies on a set of database files to detect rootkits. If we would like to check if the database files are up-to-date, simply run rkhunter with "--update" option. If there is a newer version of the database files, it will automatically fetch up-to-date database files using wget.

$ sudo rkhunter --update 

[ Rootkit Hunter version 1.4.0 ]
 
Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/tr                                      [ No update ]
  Checking file i18n/tr.utf8                                 [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]

FLEX Firewall

We also set up firewall for FLEX to protect it from any outsider's attacks. The software to perform firewall management in Ubuntu is UFW.

$ sudo ufw enable

By defaults, we deny all incoming connections and allow all outgoing connections.

$ sufo ufw default deny incoming
$ sudo ufw default allow outgoing

And then, we open some specific standard ports used for communications:

$ sudo ufw allow ssh
$ sudo ufw allow ftp
and so on.

We found recently that some ports still can be explored by outsiders. We therefore add the following rules:

$ sudo ufw deny out 3724
$ sudo ufw deny 40000:60000/tcp
$ sudo ufw deny 40000:60000/udp

To check the firewall status, use the following command:

$ sudo ufw status verbose

Front page   Edit Freeze Diff Backup Attach Copy Rename Reload   New List of pages Search Recent changes   Help   RSS of recent changes
Last-modified: 2015-01-07 (Wed) 16:06:15