[NTLUG:Discuss] Rootkit or SELinux

Robert Thompson ntlug at thorshammer.org
Thu Dec 15 19:28:15 CST 2005


There can be many reasons for root to get denied and a rootkit is the
last on my list. Are you logging in via ssh? If so the configs could
disallow root logins (check sshd_config for PermitRootLogin). You can
check /etc/securetty to make sure your terminal has access to login as
root. Do you have sudo set up? You can sudo /bin/su - and only use your
sudo password instead of the root one. You can also boot up off of a
boot disk or CD distro (like Knoppix) to reset your root password.

The reason I don't suspect a rootkit is that the only major ways one
can get on your box are: you ran a trojaned application or your box is
not NAT'ed or firewalled from the internet. Other than those two,
chances are slim that you are infected. I also can't believe that
someone would write a rootkit that locks root out. Though I can't speak
for the intelligence of someone I don't know, a hacker would have to be
really boneheaded to do that.

If you want peace of mind, you can check out chkrootkit. You can boot
off of a CD distro, mount the infected drive, and scan it with a safe
copy of chkrootkit. This way nothing on the infected hard drive has a
chance to sabotage your check.

Robert Thompson


On Thu, 2005-12-15 at 09:11 -0600, lonny.dahl at verizon.com wrote:
> Over the weekend, I had a massive brain fart and forgot my login password
> for my Fedora Core 3 box.  When I attempted to log in as root, I got a
> message that root logins are not allowed.  Now, I had updated the machine
> and an SELinux update was one I downloaded.  Is it possible the update
> enabled SELinux?  If so, how do I go about disabling it again? I had it
> disabled (was one of the questions I answered on install).  Or is it more
> likely my machine has a rootkit?  I usually leave the machine off and only
> turn it on when I need to use it, so if it has a rootkit, what do you
> recommend to check for it?  I'm not keen on leaving it on for any length of
> time until I know it's safe to do so.
> 
> Thanks guys,
> 
> Wayne Dahl
> 
> 
> 
> _______________________________________________
> https://ntlug.org/mailman/listinfo/discuss
> 
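The checks Robert lists above (PermitRootLogin in sshd_config, the terminal in /etc/securetty) plus the SELinux mode Wayne asked about, run against a root filesystem mounted from a rescue CD, as an added shell example that is not from the original thread. The mount point and the fixture files it writes are constructed; point ROOT at the real mount on a live system.

```shell
#!/bin/sh
# Inspect a Fedora root filesystem mounted (read-only) from a rescue CD for the
# non-rootkit reasons a root login gets refused. Nothing on the suspect disk is
# executed; only its config files are read.

# Effective PermitRootLogin: last uncommented directive wins. Prints the value,
# "unset" (OpenSSH then defaults to yes) or "missing" when there is no sshd_config.
permit_root_login() {
    f="$1/etc/ssh/sshd_config"
    [ -r "$f" ] || { echo "missing"; return; }
    v=$(grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]' "$f" \
        | tail -n 1 | awk '{print tolower($2)}')
    echo "${v:-unset}"
}

# Console logins (not ssh) go through pam_securetty: root may only log in on a
# tty listed in /etc/securetty. No file at all means every tty is allowed.
securetty_allows() {
    f="$1/etc/securetty"
    [ -r "$f" ] || return 0
    grep -qx "$2" "$f"
}

# SELINUX= setting from /etc/selinux/config (enforcing, permissive or disabled).
selinux_mode() {
    f="$1/etc/selinux/config"
    [ -r "$f" ] || { echo "none"; return; }
    v=$(grep -E '^[[:space:]]*SELINUX=' "$f" | tail -n 1 | cut -d= -f2 | tr -d '[:space:]')
    echo "${v:-unset}"
}

# Constructed fixture standing in for the mounted drive (assumption: a real
# rescue boot would mount the disk somewhere like /mnt and set ROOT to that).
ROOT=$(mktemp -d)
mkdir -p "$ROOT/etc/ssh" "$ROOT/etc/selinux"
printf 'Port 22\n#PermitRootLogin yes\nPermitRootLogin no\n' > "$ROOT/etc/ssh/sshd_config"
printf 'console\ntty1\ntty2\n' > "$ROOT/etc/securetty"
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$ROOT/etc/selinux/config"

echo "PermitRootLogin: $(permit_root_login "$ROOT")"
echo "root on tty1 allowed by securetty: $(securetty_allows "$ROOT" tty1 && echo yes || echo no)"
echo "root on pts/0 allowed by securetty: $(securetty_allows "$ROOT" pts/0 && echo yes || echo no)"
echo "SELinux mode in config: $(selinux_mode "$ROOT")"
# Rootkit scan from the safe copy would then be: chkrootkit -r "$ROOT"
```

On the fixture this reports PermitRootLogin "no", tty1 allowed, pts/0 refused and SELinux "enforcing", which is the pattern to look for before suspecting anything worse.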