Yesterday, I was invaded by a RootKit.

It seems there where some stealth application added to my /tmp directory, and seems to be stealing bandwidth from my server.

I was given this URL as to a fix to secure my /tmp directory, and I am still trying to get through this tutorial:

http://sysadmingear.blogspot.com/2007/10/how-to-secure-tmp-and-devshm-partition.html

I wanted to make some notes, and findings of securing these directories for myself:

<em><strong>### Step 1</strong></em>

<em><strong># 1a:</strong></em>
dd if=/dev/zero of=/dev/tmpFS bs=1024 count=1000000

<em><strong># 1b:</strong></em>
/sbin/mkfs.ext3 /dev/tmpFS

<em><strong># 1c:</strong></em>
cp -Rpf /tmp /tmpbackup

<em><strong># 1d:</strong></em>
mount -o loop,noexec,nosuid,rw /dev/tmpFS /tmp

<em><strong># 1e:</strong></em>
chmod 1777 /tmp

<em><strong># 1f:</strong></em>
cp -Rpf /tmpbackup/* /tmp/

<em><strong># 1g:</strong></em>
/dev/tmpMnt on /tmp type ext3 (rw,noexec,nosuid,loop=/dev/loop0)

<em><strong># 1h:</strong></em>
/dev/tmpMnt /tmp ext3 loop,nosuid,noexec,rw 0 0

<em><strong># 1i:</strong></em>
mount -o remount /tmp

<em><strong>### step 2</strong></em>

<em><strong># 2a:</strong></em>
mv /var/tmp /var/tmpbackup

<em><strong># 2b:</strong></em>
ln -s /tmp /var/tmp

<em><strong># 2c:</strong></em>
cp /var/tmpbackup/* /tmp/

<em><strong>### Edit your /etc/fstab:</strong></em>

<em><strong># 3a:</strong></em>
nano /etc/fstab

<em><strong># 3a:
#change:</strong></em>
"none /dev/shm tmpfs defaults,rw 0 0" to
"none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0"

<em><strong># 3b:</strong></em>
<em><strong>#Remount /dev/shm:</strong></em>
mount -o remount /dev/shm
I went through these items, and here where my results, one step section at a time:
<em><strong># 1a:</strong></em>
[root@djmick ~]# dd if=/dev/zero of=/dev/tmpFS bs=1024 count=1000000
dd: writing `/dev/tmpFS': No space left on device
516517+0 records in
516516+0 records out
528912384 bytes (529 MB) copied, 24.2198 seconds, 21.8 MB/s

<em><strong># 1b:</strong></em>
[root@djmick ~]# /sbin/mkfs.ext3 /dev/tmpFS
mke2fs 1.39 (29-May-2006)
/dev/tmpFS is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
129536 inodes, 516516 blocks
25825 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67633152
64 block groups
8192 blocks per group, 8192 fragments per group
2024 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409

Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 31 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

[root@djmick ~]# cd /tmp

<em><strong># 1c:</strong></em>
[root@djmick tmp]# cp -Rpf /tmp /tmpbackup

<em><strong># 1d:</strong></em>
[root@djmick tmp]# mount -o loop,noexec,nosuid,rw /dev/tmpFS /tmp

<em><strong># 1e:</strong></em>
[root@djmick tmp]# chmod 1777 /tmp

<em><strong># 1f:</strong></em>
<span style="color: #ff0000;">[root@djmick tmp]# cp -Rpf /tmpbackup/* /tmp/
cp: cannot stat `/tmpbackup/*': No such file or directory</span>

<em><strong># 1g:</strong></em>
<span style="color: #ff0000;">[root@djmick tmp]# /dev/tmpMnt on /tmp type ext3 (rw,noexec,nosuid,loop=/dev/loop0)
-bash: syntax error near unexpected token `('</span>

<em><strong># 1h:</strong></em>
[root@djmick tmp]# nano /etc/fstab<em>
#--&gt; Added: /dev/tmpMnt /tmp ext3 loop,nosuid,noexec,rw 0 0</em>

<em><strong># 1i:</strong></em>
[root@djmick tmp]# mount -o remount /tmp
In the above step, I ran into 2 issues. On 1f, trying to copy data from /tmpbackup to /tmp failed as it could not find /tmp and I am not sure why as /tmpbackup is there. I only had 1 small log file in that directory, so I did not worry about this too much. One thing I did notice, is that as per the directions, I created a small test.sh script and uploaded it to my /tmp directory and chmod’d it to 777 in order to execute the script. In my FTP program, I see the file:

croppercapture1

But in putty, I do not see this file:

croppercapture2

This seems that no files will be visible in this directory. So mission accomplished.

Next issue was with 1g. As per the directions, this was suppose to be an output from some command, but I am unsure about this step…. [TODO: add result later]

Next, Step 2:

[TODO: this step skipped for now] as I need more time to monitor my system to ensure that none of my applications have issues running on the new /tmp directory.

Next, Step 3:

<em><strong># 3a:</strong></em>
[root@djmick tmp]# nano /etc/fstab

<em><strong># 3a:
#--&gt;changed:</strong></em>
"none /dev/shm tmpfs defaults,rw 0 0" to
"none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0"

<em><strong># 3b:</strong></em>
[root@djmick tmp]# mount -o remount /dev/shm
Step 3 was very easy to understand and execute.

They also recommend installing and using  RKHunter:

http://sysadmingear.blogspot.com/2007/10/how-to-install-rkhunter.html

I found the installation quite easy (compared to securing my /tmp dir), and when it runs, I was happy to see a fairly thorough scan of my system:

---------------------------- Scan results ----------------------------

MD5
MD5 compared: 0
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 0

Scanning took 80 seconds

-----------------------------------------------------------------------

Do you have some problems, undetected rootkits, false positives, ideas
or suggestions?
Please e-mail me by filling in the contact form (@http://www.rootkit.nl)
I will edit this posting once I finally get a resolution on securing my /tmp DIR. But the strange thing is why something like this would not already be included in all  Linux Installs if the issue is fairly well known…?

Seriously, RootKits where first created in 1990.

Mick Knutson

Java, JavaEE, J2EE, WebLogic, WebSphere, JBoss, Tomcat, Oracle, Spring, Maven, Architecture, Design, Mentoring, Instructor and Agile Consulting. http://www.baselogic.com/blog/resume

View all posts

Java / JavaEE / Spring Boot Channel

BLiNC Supporters

BLiNC Adsense

Archives

Newsletter