Root Kit Hunter

    May 19, 2006

I had a strange problem with one of my own RedHat machines the other day. Very simply, I couldn’t su to root, and I couldn’t even login at the console as root.

I hadn’t forgotten the password, but the system just wouldn’t let me in.

As it happened, I didn’t have time to deal with the problem right that moment (obviously I didn’t urgently need root access right then) so I didn’t get back to this till the next day. To my surprise, I was now able to login or su as I wished.

My immediate thought was “rooted!”. But after a moment’s reflection I wondered “how?” I’m behind a firewall. I don’t allow inbound traffic to ssh, telnet or anything else.

I watch the blinking lights on the LAN when machines are supposed to be quiet, and I disconnect the cable modem when I’m done for the day. I really doubted that this machine had been rooted, but what the heck, might as well check.

RKHunter is a shell script that runs on just about any Unixy OS from AIX to Solaris and even Mac OS X. That wide range of OS checking makes this a very useful tool to have on your machines.

But it turned up no problems. And indeed, I couldn’t see any indication of even an attempted breach. I left the modem connected after hours and watched the lights on the LAN for any activity; all was quiet.

I downloaded other root kit checkers; they all said the system was clean. So what was going on?

Well, it was my own doing. I completely forgot that I had protected this system with pam_tally in addition to other things.

I had mistyped my password twice and locked myself out. I reset that every hour during working hours, so it had cleared itself quickly, which is why I could log in the next day.

Still, it was a good thing. I had been lax and had not checked any of my systems for rootkits in quite a while. That’s probably not a good idea.

For example, RKHunter showed me that I had “PermitRootLogin yes” in one of my boxes’ sshd_config. That had been intended as a momentary convenience, but I had forgotten to take it out.

sshd wasn’t actually running on that box, so it really didn’t matter, but I could have easily turned it on without checking the configuration. RKHunter looks for things like that and more.
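The PermitRootLogin check described above, as an added shell example that is not RKHunter’s own code: it reports the effective value in a given sshd_config, honouring the rule that sshd keeps the first occurrence of a keyword, and the sample config files it scans are constructed inline.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: report the effective PermitRootLogin
# value in an sshd_config. sshd honours the FIRST occurrence of a keyword, so a
# later "PermitRootLogin no" does not cancel an earlier "yes". Keywords are
# case-insensitive, "Keyword=value" is allowed, and anything after a Match line
# is conditional, so the scan stops there.

# Print the effective value ("yes", "no", ...) or "unset" if not configured.
effective_permit_root_login() {
    sed -e 's/#.*//' \
        -e 's/^[[:space:]]*\([A-Za-z][A-Za-z]*\)[[:space:]]*=[[:space:]]*/\1 /' "$1" |
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }'
}

# Return 0 when root login over ssh is not permitted, 1 when it is.
# "unset" is also a warning: on OpenSSH of this era the default was yes.
check_permit_root_login() {
    v=$(effective_permit_root_login "$1")
    case "$v" in
        yes|unset) echo "WARNING: $1: PermitRootLogin is $v"; return 1 ;;
        *)         echo "OK: $1: PermitRootLogin is $v"; return 0 ;;
    esac
}

# Constructed sample configs so the script runs stand-alone.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/bad_config" <<'EOF'
# momentary convenience, forgot to remove it
PermitRootLogin yes
PermitRootLogin no   # ignored: sshd keeps the first value
EOF
cat > "$SAMPLE_DIR/good_config" <<'EOF'
permitrootlogin = no
Match User backup
    X11Forwarding no
EOF

for f in "$SAMPLE_DIR/bad_config" "$SAMPLE_DIR/good_config"; do
    check_permit_root_login "$f" || :   # keep going under set -e
done
```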

