Thursday, 5 April 2012

Chkrootkit — Eliminate the Enemy Within

In the past several years, open source Linux distributions have emerged as a rock solid platform for production data centres running mission-critical IT infrastructure. That growth has made Linux systems a worthwhile target for attackers trying to "own" them, and the most serious tool in an intruder's kit is the rootkit, which is harder to deal with than an ordinary virus or Trojan because it is built to hide the intruder's files, processes and connections from the system's own tools. We covered the basics in the previous article in this series; please have a read for some background information.

About Chkrootkit

chkrootkit is a collection of tools that detects the presence of rootkits, and is a gift to Linux systems administrators for two specific reasons:
  1. it is a free, open source utility, and available for multiple distros (and other Unix-like systems),
  2. it recognises a large number of known rootkits, and the open source community of contributors keeps its signature list up to date.
Over time the chkrootkit scan engine has also become faster, which matters when the detailed process and kernel-module checks are run alongside the full list of supported kit signatures.
A few great features of chkrootkit: it detects more than 60 old and new kits, can detect network interfaces in promiscuous mode, can detect deletions from the lastlog and wtmp files (which in turn alerts admins that an intruder has covered their tracks), has straightforward command-line options, and has verbose and quiet output modes that make it easy to script.
chkrootkit uses a shell script plus a handful of small C programs to check running processes and to scan system binaries for kit signatures. Note that it only detects: it does not remove anything (see "What if a rootkit is found?" below). It also has a few generic checks (hidden processes, deleted log entries, suspicious files and directories) that can point to a rootkit even if that particular kit is not yet in its signature list. The following lists the chkrootkit internal programs and what each of them does.
Program                    Purpose
chkrootkit                 Main shell script: checks system binaries for rootkit modifications and drives the helpers below
strings.c                  Minimal replacement for the strings(1) utility, so the scan does not depend on a system strings binary that may itself have been trojaned
ifpromisc.c                Checks whether a network interface is in promiscuous mode
chklastlog.c, chkwtmp.c    Check whether entries have been deleted from lastlog and wtmp
chkproc.c, chkdirs.c       Check for signs of LKM (loadable kernel module) Trojans, such as processes and directories hidden from ps and readdir

Installation

Installation is straightforward on most distributions. Download the most recent tarball to a temporary folder, verify its MD5 checksum against the one published on the download page, and then decompress it with tar xfvz chkrootkit.tar.gz. Change to the extracted directory and compile it with make sense (sense is the Makefile target that builds the C helpers).
Installation is even simpler on Debian/Ubuntu: simply run sudo apt-get install chkrootkit.

Usage

The very first step recommended after installing chkrootkit is to run ifpromisc. This checks whether any network interface is in promiscuous mode. On a server that does not legitimately run a packet capture tool or act as a bridge, a promiscuous interface is a strong sign that a sniffer, typically installed by a rootkit, was already present before chkrootkit was installed.
Once this check is done, the next step is to run the tool without any commandline options. Figure 1 shows how a typical Ubuntu system is scanned and checked for various supported anomalies and rootkits.
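As an added example (not code from the original article or from the chkrootkit project), here is an independent promiscuous-mode check written for this page. Instead of calling ifconfig or ip, which a rootkit may have replaced, it reads the interface flags the Linux kernel exports in /sys/class/net/<iface>/flags and tests the IFF_PROMISC bit (0x100). It also suits the more frequent cron job discussed under "Integrating Chkrootkit for admin tasks" below. The sample sysfs tree, the interface names and the script path in the cron line are constructed for illustration. Caveat: a kernel-level rootkit can lie to sysfs just as it can lie to ifconfig, so this complements chkrootkit's ifpromisc rather than replacing it.

```shell
#!/bin/sh
# Added example, not part of chkrootkit: promiscuous-mode check that reads
# interface flags straight from sysfs instead of trusting ifconfig/ip.
# IFF_PROMISC is bit 0x100 of /sys/class/net/<iface>/flags.
# The sysfs directory is a parameter so the functions can be exercised on
# a constructed tree; the default is the real /sys/class/net.

# Print 1 if the interface is promiscuous, 0 if not; return 2 if the flags
# file cannot be read (unknown interface or no sysfs).
promisc_state() {
    iface="$1"
    sysfs="${2:-/sys/class/net}"
    flags_file="$sysfs/$iface/flags"
    [ -r "$flags_file" ] || return 2
    flags=$(cat "$flags_file")              # e.g. 0x1003 for a normal NIC
    if [ $(( $flags & 0x100 )) -ne 0 ]; then
        echo 1
    else
        echo 0
    fi
}

# List every interface currently in promiscuous mode, one per line.
# Empty output means clean, which is what a cron job should expect.
list_promisc() {
    sysfs="${1:-/sys/class/net}"
    for dir in "$sysfs"/*; do
        [ -d "$dir" ] || continue
        iface=${dir##*/}
        [ "$(promisc_state "$iface" "$sysfs")" = "1" ] && echo "$iface"
    done
    return 0
}

# Constructed sample tree (not real sysfs data): one normal NIC, one
# promiscuous NIC and the loopback interface.
make_sample_sysfs() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/eth0" "$tmp/eth1" "$tmp/lo"
    echo 0x1003 > "$tmp/eth0/flags"   # UP|BROADCAST|MULTICAST
    echo 0x1103 > "$tmp/eth1/flags"   # same flags plus IFF_PROMISC
    echo 0x9    > "$tmp/lo/flags"     # UP|LOOPBACK
    echo "$tmp"
}

# Suggested crontab entry (assumed script path); any output means an
# interface went promiscuous and should be investigated:
#   */10 * * * * out=$(/usr/local/sbin/promisc-check.sh --live); [ -z "$out" ] || echo "$out" | mail -s "PROMISC on $(hostname)" root
if [ "${1:-}" = "--live" ]; then
    list_promisc                      # real /sys/class/net
else
    demo=$(make_sample_sysfs)
    list_promisc "$demo"              # prints "eth1" for the sample tree
    rm -rf "$demo"
fi
```

Run it with --live from cron on the real sysfs tree; without arguments it exercises the constructed sample so the logic can be checked on any machine.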


Figure 2 shows how Chkrootkit checks all kernel processes and system files, based on an internally stored checklist.



If a common OS utility (such as fingerd, as seen in Figure 2) is not present, it is reported as "not found" rather than "not infected", so that administrative scripts can check whether a file that should normally be present has been deleted.
Though running chkrootkit without any command-line options is usually sufficient, systems administrators may want more flexibility to script it. The following describes a few command options with examples.
-l: lists the tests supported. Example: chkrootkit -l
[testname ...]: runs only the named test(s) instead of the full suite. Example, running only the ps and sniffer tests: chkrootkit ps sniffer
-x: expert mode, which prints the strings found in each binary scanned so that you can judge suspicious ones yourself. Example: chkrootkit -x | more
-q: quiet mode, which prints only results reported as "INFECTED". Example: chkrootkit -q
-r dir: uses dir as the root directory. Useful for scanning a suspect machine's disk from a known-good one, or any mounted volume; mount the volume read-only (and noexec) first. Note that the live checks (running processes, network interfaces) cannot examine a mounted volume; only its on-disk files are scanned. Example, scanning a volume mounted under, say, /mnt1:
chkrootkit -r /mnt1
It is also important to understand how chkrootkit displays output. Typically, phrases such as "not found" or "not infected" are displayed. When a rootkit is found, or its presence is suspected, the output highlights it with "INFECTED", or with "The following suspicious files and directories were found:" followed by the list. Please refer to Figure 3, which shows a Python script being reported as suspicious.


These outputs can be captured to a text file log, or parsed with grep to remove the clutter and concentrate only on the important messages. Using -q is possible, but it can suppress the suspect-item reports as well, which may not be a good idea.

What if a rootkit is found?

chkrootkit detects rootkits, but does not remove them. Upon finding a rootkit on a system, the first thing to do is to take the machine off the network, so the attacker cannot keep using it and it cannot be used to reach other hosts. The cleanest remediation is to back up the data, rebuild the system from trusted installation media, and restore only data (not binaries) from the backup; that, however, may not always be possible. Another approach is to study the detected rootkit thoroughly and remove it by hand, based on how it got in and how it works.
Many user-space rootkits can be removed manually; a kernel-level (LKM) rootkit, however, should be treated as cause for a rebuild, since once the kernel is under the attacker's control nothing the running system reports can be trusted. For the same reason, detection is more accurate when chkrootkit does not rely on the suspect host's own utilities: its -p option points it at known-good copies of the external commands it uses (ps, ls, netstat, strings and so on), for example on read-only media, and a suspect disk can be mounted on a known healthy system and scanned with -r. Scan every server in the farm this way, not just the one that raised the alarm.

Integrating Chkrootkit for admin tasks

System administrators are strongly advised to fold chkrootkit into their daily administrative tasks. With an appropriate command-line option, a script can produce verbose output and dump it into a log file, which can then be parsed to look for anomalies.
This script can be run on a daily schedule from a cron job. Over time it can be tuned to drop known false alarms (legitimate files or interfaces that chkrootkit flags as suspicious) and report only real problems. Another cron job can run more frequently to check whether any network interface is in promiscuous mode. This matters because many rootkits bundle a sniffer to harvest passwords from the local network, and a promiscuous interface is its most visible sign.
Further scripting can build a list of the servers in the farm to be scanned, consolidate their outputs, and alert or report to administrators accordingly.
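The daily job described above, as an added example written for this page (not the article's own script or anything shipped with chkrootkit). It keeps the full report in a dated log, reduces it to the lines that need attention, and mails those if there are any. The log directory, mail recipient, script path and the sample chkrootkit report embedded for testing are all assumptions made here; the sample mimics chkrootkit's message formats but is not a capture from a real host. The PF_PACKET line for tcpdump is the kind of finding a site tunes out once it has confirmed the process is legitimate.

```shell
#!/bin/sh
# Added example, not from the original article or the chkrootkit project:
# a cron-friendly wrapper that logs a full chkrootkit run and reports only
# actionable lines. Assumed: chkrootkit and mail are on PATH, LOGDIR is
# writable by root, and the crontab line at the end is one suggested schedule.

LOGDIR="${LOGDIR:-/var/log/chkrootkit}"

# Reduce a chkrootkit report (stdin) to the lines an administrator must act on.
# Dropped: "not infected", "not found", "nothing deleted", "nothing detected".
# Kept: INFECTED verdicts, interfaces in PROMISC mode or holding PF_PACKET
# sockets, wtmp/lastlog deletion reports, chkproc LKM warnings, and the
# "suspicious files and directories" list that follows its header line.
triage_chkrootkit() {
    awk '
        /not infected$/ || /not found$/ || /nothing deleted$/ || /nothing detected$/ { next }
        /INFECTED/ || /PROMISC/ || /PF_PACKET/ || /Warning/ || /deletion/ { print; next }
        /suspicious files and directories were found/ { in_list = 1; print; next }
        in_list && /^\// { print; next }
        { in_list = 0 }
    '
}

# Number of findings in a report read from stdin; 0 means a clean run.
count_findings() {
    triage_chkrootkit | wc -l | tr -d ' '
}

# Sample report, constructed for this example in chkrootkit's message
# format; it is not a capture from a real host.
sample_report() {
    cat <<'EOF'
Checking `basename'... not infected
Checking `fingerd'... not found
Checking `ps'... INFECTED
Checking `sniffer'... eth0: PF_PACKET(/usr/sbin/tcpdump)
Checking `wted'... chkwtmp: nothing deleted
Checking `lkm'... chkproc: nothing detected
Searching for suspicious files and dirs, it may take a while...
The following suspicious files and directories were found:
/usr/lib/python2.7/site-packages/.hidden.py
Checking `chkutmp'... chkutmp: nothing deleted
EOF
}

# Daily run: keep the complete report in a dated log so tuning decisions can
# be reviewed later, and mail only the triaged findings. -q is deliberately
# not used; the full report is what the log is for.
run_scan() {
    mkdir -p "$LOGDIR"
    log="$LOGDIR/chkrootkit-$(date +%Y%m%d).log"
    chkrootkit > "$log" 2>&1
    if [ "$(count_findings < "$log")" -gt 0 ]; then
        triage_chkrootkit < "$log" | mail -s "chkrootkit findings on $(hostname)" root
    fi
}

# Suggested crontab entry (assumed install path):
#   15 3 * * * /usr/local/sbin/chkrootkit-daily.sh --run
if [ "${1:-}" = "--run" ]; then
    run_scan
else
    # Without --run, show the triage on the constructed sample report.
    sample_report | triage_chkrootkit
fi
```

The triage function is where site-specific tuning goes: once a PF_PACKET holder such as tcpdump or dhclient has been verified, add a rule that drops that exact line, and keep the dated logs so the decision can be revisited.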

Summary

Rootkits are a serious threat to modern data centres. It is essential for IT management to have a definite means to detect them and take responsive action. chkrootkit is a fast and effective scanning tool for just this purpose. Its command line options help to automate runs on a periodic basis, which is good for administrators.

Sabayon 8 Serves a Multitasking-optimised GNOME 3


When Sabayon 8 was released last month — something told me I should grab both the KDE and GNOME images. When it comes to KDE, I’m so much in my comfort zone with openSUSE, that any other implementation really ticks me off. The only other KDE implementation that really pleased me in the last couple of years was the Rosa UI layer in Mandriva 2011 — but I’m not sure if we’ll see a Mandriva 2012.
Anyway, as I write, I’ve been using Sabayon 8 GNOME version on and off for a few weeks now. You ask, why on and off? Well, I really dig the bells and whistles of GNOME 3; it’s just that when I need to get work done, I need to get back to my KDE — so I hit a reboot!
What exactly is so cool about the Sabayon implementation of the GNOME 3.2 desktop environment is that they have ended up making multitasking that much easier compared to the vanilla GNOME Shell available in other distros. More about that later!

Grabbing, burning, checking, installing

The ISOs (both KDE and GNOME) are about 1.5 gigs each. What really pleased me was they are hybrid ISOs — and that makes burning the image to a USB as simple as running the following dd command as root (no unetbootin, no USB Creator required):
# dd if=/path/to/Sabayon_Linux_8_x86_G.iso of=/dev/sdb
…where /dev/sdb is my USB device (yours might be different).
The boot menu comes with loads of options; in fact, you can press the down arrow key to see more. I chose to get on with the default selected option. Booting off USB took about the same time it takes any other distro.
On the desktop you'll notice the first GNOME Shell customisations the Sabayon team delivers. The clock has been moved to its old right-hand side position on the top panel (like we had in GNOME 2.x, instead of the centre position that we now have in GNOME 3.x). As always, Sabayon chose to go with a dark-coloured wallpaper, but then vanilla GNOME 3's overall theming is also black, so it goes with it. The wallpaper has the standard "open your mind" statement below the project logo dead centre on the screen. I really dig that!
There are three icons on this desktop: Install Sabayon, Donate, and Get Help. The latter two icons open an instance of Chromium (version 17), where Get Help takes you to the Web-based IRC window of the #sabayon channel. Gotta say this is a very intuitive addition to direct people straight to the support channel in case they are stuck somewhere. This, of course, provided the Internet is working; which in my case wasn't, because it didn't detect my Wi-Fi. The only option the NetworkManager suggested I should use was to plug in a wire. Who does that on a laptop?
Yes, mine is a Broadcom chip (that comes with my Samsung RV509), but it has worked out of the box since the driver was integrated in kernel 2.6.38. So seeing it not working "out of the box" was a bit of a shock. A bug?
Back to the desktop, the best thing to do is install and see where it leads me. But before that, something needs to be said about the icon placements. After logging in to the desktop, the top one, "Install to Hard Drive", is by default partially hidden under the top panel. However, the moment you click on anything the icons adjust and move downwards to align properly. A minor visual glitch, but one that should have been taken care of.
Installing it is a no-brainer, especially if you've ever used the Anaconda installer (courtesy of Fedora and co.). And there were no bugs to report in this area, but for one minor issue: the progress bar went from 0 to 100 very quickly, and then sat right there for what seemed like an eternity.
Anyway, while it was sitting there, I utilised the time to explore the software stack of the OS. The application dock, by default, only has icons for Evolution, Empathy, Shotwell, LibreOffice Writer, and Nautilus (in that particular order). Typically, you’d expect at least the browser to be present somewhere there — strange set of defaults I’d say.

Reboot, no wireless, reboot

This time around, the Install icon is replaced by the Entropy Store icon. Whoa, a store? Will come back to that later. First, let’s fix the Wi-Fi.
Oh my, it said the package manager is looking for updates and returned within moments to report that my system is up to date? Strange. It should have reported it wasn’t able to connect to the repository list or something similar.



Anyway... connect the network wire, and hit the Get Help icon to launch the IRC chat. Maybe at the time of day I checked in everyone was asleep. Googling brought me to this thread on the Sabayon Forum. Although this user was stuck with a worse kind of Broadcom wireless chip, my problem was solved by following the directives mentioned in this wiki (somehow I didn't get there directly from Google, but via the forum post):
# echo "blacklist ssb" >> /etc/modprobe.d/blacklist.conf
# echo "blacklist b43" >> /etc/modprobe.d/blacklist.conf
# echo "blacklist brcmsmac" >> /etc/modprobe.d/blacklist.conf
# echo "blacklist bcma" >> /etc/modprobe.d/blacklist.conf
…and reboot. Wireless is back, although it takes 10 times more time to pick up an IP over DHCP compared to other distros. At least it works, eh?

Sabayon’s GNOME

Now that the Wi-Fi was in order, it was time to hit the Entropy Store. Wait, before that the system indicated I should update the system. And turns out I had like 212 updates.

Anyway, clicking the notification brought up the Entropy Store. Selected all and hit update. This is where I realised how slow this package manager's backend is compared to apt-get, urpmi, yum... heck, even zypper seems to be on steroids compared to this one. To install all those updates, probably four or five hundred megs, it easily took more than a couple of hours.
This was a good time to check out what the rest of the system had for me. First, set up the Online Accounts. They should have called it Online Account (without the s) because the only option was Google; I thought Twitter was also added to the list in GNOME 3.2; nonetheless, it wasn't there. So be it. I set up Google for Mail, Calendar, Contacts, Chat, and Documents. While Google mail, calendar and contacts were now available from Evolution, I noticed a separate GNOME app for contacts that kept indicating I should connect to an account. Couldn't really figure out this puzzle.


Also, it would have been great if Empathy picked up the Google account for chat automatically. Alas, upon its first launch it still asked me to set up account(s). I'm still not sure where I should check the documents synchronisation available in the Online Accounts application. Anyway, for all I know these might actually be GNOME issues, but as I'm not a regular user, I can't pin-point.
Either way, I was simply picking on them — I don’t really use an email, chat or contacts client to communicate. The browser is enough for me.
Meanwhile, the absolute killer customisation that the Sabayon team has done with GNOME is what you can see in the following screenshot.

As you can see, all the currently open application windows are listed on the top panel, compared to only the currently-focussed one in the default GNOME Shell or Unity. This is indeed a nice and essential hack by the Sabayon team that makes multitasking between apps that much easier. Now you know why the clock's been moved to the RHS position :-)

Default set of apps

Gotta say, the set of apps the distro comes with are pretty adequate. Some of the handy ones by category are as under:
  • Accessories: Brasero (disc burning app) and Gnote (the note-taking app similar to Tomboy) are in there. The Archive Manager is fully-baked with essential backend utilities/libraries such as the unrar package, hence its ability to support most common archive formats out of the box.
  • Games: The default set of useless GNOME games that I don’t play. (I don’t really play any computers games, so don’t take the word “useless” to your heart.)
  • Graphics: Shotwell takes care of your digicam and photo management activities, while GIMP is also there for obvious reasons. The version of GIMP is 2.7.3 (development branch) compared to 2.6.x (stable branch) which is available in all other distros. This version has got some pretty neatly reworked features. The only annoying thing is, you can’t just “Save as” a picture to any other format… “Save as” only saves a file in .xcf (GIMP’s native file format). For everything else, you gotta export from now on.
  • The Internet stack has XChat and Transmission included, besides Chromium and Empathy I talked about earlier.
  • Office has the full LibreOffice suite, including Base. Although still no sign of the newer v3.5.1 — Sabayon is still stuck at 3.4.5, as of this date. Then again, this is the case with all other distros I suppose, except for Ubuntu with one of its PPAs.
  • Under the Other section there is a pretty neat (and user-friendly) firewall application called Uncomplicated Firewall. I gotta say this application lives up to its name. Besides, you have the Deja Dup backup app that’s all the rage nowadays. For some odd reason, even Adobe Flash Player is also listed here (shouldn’t it be under Sound & Video?).
  • The Sound & Video section includes Exaile (instead of either of the players the GNOME world is divided between, Banshee and Rhythmbox). Exaile is kind of like Amarok 1.4.x. I used to use it a long time back, and was quite impressed even back then. The strange inclusion is GNOME's default Totem Movie Player, instead of the mass-favourite VLC. The good thing is, the distro includes all the A/V codecs installed, so Totem should play everything VLC does. But of course, XBMC is available too. You can log into an XBMC-only session instead of GNOME even from GDM (can do the same from the live USB before booting, too). The obvious glitch is the GDM menu lists two XBMC sessions, one labelled XBMC, and the second, Sabayon Media Center, both of which lead you to the same setup.

Motorola Turning Android Into Desktop OS

Wednesday, April 04, 2012 Think Android 4.0, aka Ice Cream Sandwich, can replace your desktop PC? Well, the answer, much to your delight, is yes. The Motorola Droid RAZR is expected to get an Android 4.0 update shortly that will give it a Webtop experience. Motorola unveiled its Webtop software at CES 2011; it allowed users to plug their phone into a smart dock that launched a custom Linux desktop with the Firefox browser. However, when tried, it proved to be pretty frustrating.


According to an online report, a leaked copy of the Android 4.0 update for the Droid RAZR reveals a new “Webtop 3.0 beta” that does away with the limited Linux desktop and provides users with a full Android 4.0 tablet UI when a device is docked to a larger display.

Android enthusiasts are now eagerly waiting for the feature to arrive on all new high-end Android phones.

Source# http://news.efytimes.com/e1/81258/Motorola-Turning-Android-Into-Desktop-OS