79.19 Security Check

Visit Shields Up to test the security of your machine. This web site will contact your host and perform a number of very informative security tests.

The nessus package is an excellent package for checking known security problems. Install on one machine both nessus (the client) and nessusd (the server).

For nessusd you need to create a user account using nessusd-adduser. One suggestion is to simply create a user with the same name as your user account (e.g., kayon). Then start the daemon (server) with:

  # nessusd -D

Note that this daemon is not automatically run within the /etc/init.d framework.

As a user start up the nessus client and login with your user name. Go to the Target selection tab and type in a list of hosts you wish to check, comma separated. If you want to test all machine on your network, try something like 192.167.0.1/24.

After you click Start the scan the checking is initiated. Eventually a report will be presented. You can save the report in various formats, including LaTeX.

The testing is extensive and the report provides suggestions for eliminating security holes.

The chkrootkit package provides the chkrootkit command to check for signs of rootkits on the local system. Run the command as root and scan the output for warnings.


  # chkrootkit
  ROOTDIR is `/'
  Checking `amd'... not found
  Checking `basename'... not infected
  Checking `biff'... not found
  Checking `chfn'... not infected
  Checking `chsh'... not infected
  Checking `cron'... not infected
  Checking `date'... not infected
  Checking `du'... not infected
  Checking `dirname'... not infected
  Checking `echo'... not infected
  Checking `egrep'... not infected
  Checking `env'... not infected
  Checking `find'... not infected
  Checking `fingerd'... not found
  Checking `gpm'... not found
  Checking `grep'... not infected
  Checking `hdparm'... not infected
  Checking `su'... not infected
  Checking `ifconfig'... not infected
  Checking `inetd'... not infected
  Checking `inetdconf'... not infected
  Checking `identd'... not found
  Checking `init'... not infected
  Checking `killall'... not infected
  Checking `ldsopreload'... not infected
  Checking `login'... not infected
  Checking `ls'... not infected
  Checking `lsof'... not found
  Checking `mail'... not infected
  Checking `mingetty'... not found
  Checking `netstat'... not infected
  Checking `named'... not found
  Checking `passwd'... not infected
  Checking `pidof'... not infected
  Checking `pop2'... not found
  Checking `pop3'... not found
  Checking `ps'... not infected
  Checking `pstree'... not infected
  Checking `rpcinfo'... not infected
  Checking `rlogind'... not found
  Checking `rshd'... not found
  Checking `slogin'... not infected
  Checking `sendmail'... not infected
  Checking `sshd'... not infected
  Checking `syslogd'... not infected
  Checking `tar'... not infected
  Checking `tcpd'... not infected
  Checking `tcpdump'... not infected
  Checking `top'... not infected
  Checking `telnetd'... not found
  Checking `timed'... not found
  Checking `traceroute'... not found
  Checking `vdir'... not infected
  Checking `w'... not infected
  Checking `write'... not infected
  Checking `aliens'... no suspect files
  Searching for sniffer's logs, it may take a while... nothing found
  Searching for HiDrootkit's default dir... nothing found
  Searching for t0rn's default files and dirs... nothing found
  Searching for t0rn's v8 defaults... nothing found
  Searching for Lion Worm default files and dirs... nothing found
  Searching for RSHA's default files and dir... nothing found
  Searching for RH-Sharpe's default files... nothing found
  Searching for Ambient's rootkit (ark) default files and dirs... nothing found
  Searching for suspicious files and dirs, it may take a while... nothing found
  Searching for LPD Worm files and dirs... nothing found
  Searching for Ramen Worm files and dirs... nothing found
  Searching for Maniac files and dirs... nothing found
  Searching for RK17 files and dirs... nothing found
  Searching for Ducoci rootkit... nothing found
  Searching for Adore Worm... nothing found
  Searching for ShitC Worm... nothing found
  Searching for Omega Worm... nothing found
  Searching for Sadmind/IIS Worm... nothing found
  Searching for MonKit... nothing found
  Searching for Showtee... nothing found
  Searching for OpticKit... nothing found
  Searching for T.R.K... nothing found
  Searching for Mithra... nothing found
  Searching for OBSD rk v1... nothing found
  Searching for LOC rootkit ... nothing found
  Searching for Romanian rootkit ... nothing found
  Searching for Suckit rootkit ... nothing found
  Searching for Volc rootkit ... nothing found
  Searching for Gold2 rootkit ... nothing found
  Searching for TC2 Worm default files and dirs... nothing found
  Searching for Anonoying rootkit default files and dirs... nothing found
  Searching for ZK rootkit default files and dirs... nothing found
  Searching for ShKit rootkit default files and dirs... nothing found
  Searching for anomalies in shell history files... nothing found
  Checking `asp'... not infected
  Checking `bindshell'... not infected
  Checking `lkm'... You have     5 process hidden for ps command
  Warning: Possible LKM Trojan installed
  Checking `rexedcs'... not found
  Checking `sniffer'... eth0 is not promisc
  Checking `w55808'... not infected
  Checking `wted'... nothing deleted
  Checking `scalper'... not infected
  Checking `slapper'... not infected
  Checking `z2'... nothing deleted

Note that with current versions of ps and chkrootkit (as of 3 December 2003), ps reports the PID of some kernel processes as 0 which chkrootkit does not match to the process. Output from ps is:

  USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
  root         1  0.0  0.0  1484  488 ?        S    Dec02   0:00 init
  root         2  0.0  0.0     0    0 ?        SW   Dec02   0:00 keventd
  root         0  0.0  0.0     0    0 ?        SWN  Dec02   0:00 ksoftirqd_CPU0
  root         0  0.0  0.0     0    0 ?        SWN  Dec02   0:00 ksoftirqd_CPU1
  root         0  0.0  0.0     0    0 ?        SW   Dec02   0:00 kswapd
  root         0  0.0  0.0     0    0 ?        SW   Dec02   0:00 bdflush
  root         0  0.0  0.0     0    0 ?        SW   Dec02   0:00 kupdated
  root        22  0.0  0.0     0    0 ?        SW   Dec02   0:00 aacraid

For LKM warnings you can get the process ID with:

  # chkrootkit -x lkm
  ROOTDIR is `/'
  ###
  ### Output of: ./chkproc -v -v
  ###
  PID     3: not in ps output
  CWD     3: /
  EXE     3: /
  PID     4: not in ps output
  CWD     4: /
  EXE     4: /
  PID     5: not in ps output
  CWD     5: /
  EXE     5: /
  PID     6: not in ps output
  CWD     6: /
  EXE     6: /
  PID     7: not in ps output
  CWD     7: /
  EXE     7: /
  You have     5 process hidden for ps command

The process information can be checked in /proc/\(<\)process id\(>\)/status:

  $ cat /proc/3/status
  Name:   ksoftirqd_CPU0
  State:  S (sleeping)
  Tgid:   0
  Pid:    3
  PPid:   1
  TracerPid:      0
  Uid:    0       0       0       0
  Gid:    0       0       0       0
  FDSize: 32
  Groups:
  SigPnd: 0000000000000000
  SigBlk: ffffffffffffffff
  SigIgn: 0000000000000000
  SigCgt: 0000000000000000
  CapInh: 0000000000000000
  CapPrm: 00000000ffffffff
  CapEff: 00000000fffffeff

You can also look at the processes involved in the pstree:

  $ pstree -p |grep '([34567])'
        |-bdflush(6)
        |-ksoftirqd_CPU0(3)
        |-ksoftirqd_CPU1(4)
        |-kswapd(5)
        |-kupdated(7)


Your donation will support ongoing availability and give you access to the PDF version of this book. Desktop Survival Guides include Data Science, GNU/Linux, and MLHub. Books available on Amazon include Data Mining with Rattle and Essentials of Data Science. Popular open source software includes rattle, wajig, and mlhub. Hosted by Togaware, a pioneer of free and open source software since 1984. Copyright © 1995-2022 Graham.Williams@togaware.com Creative Commons Attribution-ShareAlike 4.0