[lfs-support] LFS + Rootkits

Bruce Dubbs bruce.dubbs at gmail.com
Sun Apr 8 11:32:24 PDT 2012

loki wrote:
> Heya,
> First this is not a support request but a live story from someone 
> using LFS heavily in real life situations and servers and why I would 
> choose LFS before any distribution based server.

> Let me introduce myself. Im into LFS since version number 3 - 4. 
> Can't remember exactly anymore. A lot of water under the bridge since 
> then. For the past four years I work for a governmental agency where 
> I have installed some servers, all running LFS. From version 6.1 - 
> 6.8 (32 and 64 bit)  (DNS, WEB, MAIL and so on).

> Well after years of using it one of our servers got hacked (because 
> some of the users didn't pay attention to my ramblings about 
> usernames and passwords) and a rootkit was installed. 

A very interesting story.  I'm interested how a regular user was able to 
install a rootkit.  I realize that you may not know.

> When I logged in and tried to ls I saw that ls gave me a segmentation
> fault error. After some more minutes I saw that there are some files
> that I didn't install.

Can you say what the file names/locations were?

> Then it hit me. "YOU GOT HACKED". But the services still 
> worked fine. So I put up a very restrictive Iptables on the router 
> for this server. Just the service could go through. After checking 
> the log files I figured that the intrusion took place 5 days before 
> when I had to open iptables for ssh for one of our 3rd party 
> maintanance crew. So why is LFS better than distros? I made heavily 
> customizations during the compilations so when the rootkit was 
> applied none of the new installed apps worked. Not even ls. Because 
> they were compiled for normal distros and normal shared libs which 
> you can't use on custom made systems. The baseline is this, the 
> intruder couldn't make any heavy damage, the services still work, the 
> intruder was detected (which is very dificult with rootkits, this one 
> even rkhunter didn't detect), downtime will be only the time when I 
> extract the non-compromised documents to the new server which even 
> will be more hardened.

May I suggest tripwire.  It does require a bit of work when files are 
updated, but will catch this sort of thing.

   -- Bruce

More information about the lfs-support mailing list