[lfs-support] LFS + Rootkits
bruce.dubbs at gmail.com
Sun Apr 8 11:32:24 PDT 2012
> First this is not a support request but a live story from someone
> using LFS heavily in real life situations and servers and why I would
> choose LFS before any distribution based server.
> Let me introduce myself. I've been into LFS since version 3 or 4.
> Can't remember exactly anymore. A lot of water under the bridge since
> then. For the past four years I have worked for a governmental agency where
> I have installed some servers, all running LFS, from version 6.1 to
> 6.8 (32 and 64 bit) (DNS, web, mail and so on).
> Well, after years of using it one of our servers got hacked (because
> some of the users didn't pay attention to my ramblings about
> usernames and passwords) and a rootkit was installed.
A very interesting story. I'm interested in how a regular user was able to
install a rootkit. I realize that you may not know.
> When I logged in and tried to run ls I saw that ls gave me a segmentation
> fault error. After some more minutes I saw that there were some files
> that I didn't install.
Can you say what the file names/locations were?
> Then it hit me: "YOU GOT HACKED". But the services still
> worked fine. So I put up a very restrictive iptables on the router
> for this server. Just the service could go through. After checking
> the log files I figured that the intrusion took place 5 days before,
> when I had to open iptables for ssh for one of our 3rd party
> maintenance crew. So why is LFS better than distros? I made heavy
> customizations during the compilations, so when the rootkit was
> applied none of the newly installed apps worked. Not even ls. Because
> they were compiled for normal distros and normal shared libs, which
> you can't use on custom made systems. The baseline is this: the
> intruder couldn't do any heavy damage, the services still work, the
> intruder was detected (which is very difficult with rootkits; this one
> even rkhunter didn't detect), downtime will be only the time when I
> extract the non-compromised documents to the new server, which even
> will be more hardened.
May I suggest tripwire. It does require a bit of work when files are
updated, but will catch this sort of thing.
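As an added illustration of the file-integrity checking Bruce is suggesting (this is example code written for this page, not tripwire itself and not anything posted in the thread), the script below builds a baseline of SHA-256 digests plus mode, size and ownership for every regular file under a directory, then compares a later snapshot against it and reports added, removed and changed files. The demo constructs a throwaway tree with a fake bin/ls and bin/ps, then simulates the intrusion described above: ls is replaced by a different binary and an unknown file is dropped in. All file names and contents in the demo are constructed for the example.

```python
"""Minimal file-integrity baseline check in the spirit of tripwire/AIDE.

Added example for this page, not the project's own code. The baseline
must be stored where the intruder cannot rewrite it (read-only media or
another host), and a kernel-level rootkit can hide files from os.walk,
so a trustworthy comparison is done from a clean boot (rescue media).
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _fingerprint(path: Path) -> dict:
    """Hash the content and record the metadata a binary swap would change."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "size": st.st_size,
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def build_baseline(root: Path) -> dict:
    """Walk the tree and fingerprint every regular file (symlinks are skipped)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = _fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and changed entries; for changed ones, which fields differ."""
    report = {"added": [], "removed": [], "changed": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if diffs:
                report["changed"][rel] = diffs
    return report


def demo() -> dict:
    """Constructed scenario: baseline a fake bin/, then trojan ls and drop a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original ls")      # constructed
        (root / "bin" / "ps").write_bytes(b"\x7fELF original ps")      # constructed
        (root / "bin" / "ls").chmod(0o755)
        (root / "bin" / "ps").chmod(0o755)
        before = build_baseline(root)

        # Simulated intrusion: ls replaced, ps untouched, an unknown file appears.
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned ls binary")  # constructed
        (root / "bin" / ".sshd").write_bytes(b"backdoor")                 # constructed
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

On the server in the story the replaced ls would show up under "changed" (digest and size differ even though mode and owner are unchanged) and the intruder's extra files under "added", which is exactly the class of change rkhunter's signature checks missed here. As with tripwire, every legitimate package update means regenerating the baseline, which is the "bit of work" Bruce mentions.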