[NTLUG:Discuss] Rootkit or SELinux

Wayne Dahl w.dahl4 at verizon.net
Sat Dec 17 13:24:57 CST 2005


On Thu, 2005-12-15 at 19:28 -0600, Robert Thompson wrote:
> There can be many reasons for root to get denied and a rootkit is the
> last on my list. Are you logging in via ssh? If so the configs could
> disallow root logins (check sshd_config for PermitRootLogin). You can
> check /etc/securetty to make sure your terminal has access to login as
> root. Do you have sudo set up? You can sudo /bin/su - and only use your
> sudo password instead of the root one. You can also boot up off of a
> boot disk or CD distro (like Knoppix) to reset your root password.

This is a local login.  I don't ssh to this box.

> The reason I don't suspect a rootkit is that the only major ways one
> can get on your box are: you ran a trojaned application or your box is
> not NAT'ed or firewalled from the internet. Other than those two,
> chances are slim that you are infected. I also can't believe that
> someone would write a rootkit that locks root out. Though I can't speak
> for the intelligence of someone I don't know, a hacker would have to be
> really boneheaded to do that.

It resides behind a Smoothwall 2.0 firewall with all updates.  I assumed
it would have to be an installed application, possibly from an update I
did using Redhat Update.

> If you want peace of mind, you can check out chkrootkit. You can boot
> off of a CD distro, mount the infected drive, and scan it with a safe
> copy of chkrootkit. This way nothing on the infected hard drive has a
> chance to sabotage your check.

Thanks.  I have an old RH 9.0 box I rarely turn on anymore... I'll download/burn
chkrootkit on it and then check this machine.

Thanks again.

-- 
Wayne Dahl
Registered Linux User # 347549
No electrons were abused in any way by any Micro$oft 
product in the composition of this e-mail.
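The local-login checks Robert lists (PermitRootLogin in sshd_config, the terminal in /etc/securetty), as an added shell example that is not part of the original thread. File paths are parameters, constructed sample files stand in for /etc/ssh/sshd_config and /etc/securetty, and the "yes" fallback is an assumption matching OpenSSH's default before 7.0.

```shell
#!/bin/sh
# Added example, not from the original thread. Runs the two config checks
# against constructed sample files so the logic can be exercised offline.

# Effective PermitRootLogin: sshd honours the FIRST matching keyword, so a
# later duplicate line is ignored. Keywords are case-insensitive; comment
# lines (leading '#') never match. Falls back to "yes" if the keyword is
# absent (assumed default, as on OpenSSH of that era).
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# Is the given terminal name (e.g. tty1) listed in the securetty file?
# login(1) refuses a root login on a tty that is not in this list.
tty_allowed() {
    ttyfile=$1
    tty=$2
    if grep -qx "$tty" "$ttyfile"; then echo yes; else echo no; fi
}

# Constructed sample files in a scratch directory.
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
# constructed sample sshd_config
Port 22
#PermitRootLogin yes
PermitRootLogin no
PermitRootLogin yes
EOF
printf 'console\ntty1\ntty2\n' > "$tmp/securetty"

permit_root_login "$tmp/sshd_config"   # prints: no   (first real keyword wins)
tty_allowed "$tmp/securetty" tty1      # prints: yes
tty_allowed "$tmp/securetty" tty6      # prints: no
```

Point the functions at the real /etc/ssh/sshd_config and /etc/securetty (and the tty shown by `tty`) to run the same checks on the box in question.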
