On Mon, Jul 25, 2005 at 01:00:50PM -0400, Grant M. wrote:
> Rajiv Aaron Manglani wrote:
> > i'm curious to know if either http://www.chkrootkit.org/ or
> > http://www.rootkit.nl/projects/rootkit_hunter.html detects it.
>
> I've had someone at the office power-off my machine. I'll bring it up
> tomorrow off of the network and run these and let you know. At this
> point it is more a sense of curiosity than anything. And I would like to
> know how to prevent it in the future, as there were only 2 accounts on
> the machine, and neither of them had a guessable password. The only
> thing that I can figure is that some other machine that logged into this
> one has a keylogger as well.

First, you need to secure the machine by turning off services that you don't use. Run nmap against the machine from a neighbor to see what is still potentially open.

Second, you want to run a firewall on the machine that rejects excessive connection attempts. This iptables fragment:

    iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
        --set
    iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
        --update --seconds 60 --hitcount 4 -j DROP

will generally prevent scriptkiddies from brute-forcing your SSH accounts, by limiting connection attempts to 3 per minute per IP address.

You can also nail down SSHd in two other ways: limit the users accepted (AllowUsers) and limit the machines that can connect to you. Finally, you can switch to using keys instead of passwords.

Personally, I think AllowUsers is reasonable, but I am frequently at strange but trustworthy IP addresses and would like to get back home. If I can't manage an SSH connection within 3 attempts, I probably don't have a reliable IP connection anyway.

Third, you may want to watch for unusual events. Passively, logwatcher can scan your logs for unusual patterns; actively, you may wish to run Snort or another IDS.

-dsr-
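The "4 new connections within 60 seconds from one address" threshold of the iptables fragment, restated as the passive log check the reply mentions. This is an added example, not code from the message or from logwatch: it scans constructed sshd log lines and flags source addresses whose failed logins hit the threshold inside a sliding window. Host names, addresses and timestamps are constructed, and counting only failed logins (rather than every new connection, as the iptables rule does) is a choice made here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in syslog/auth.log format (no year field).
# 203.0.113.7 makes four failures in 23 seconds; 198.51.100.9 spaces its
# failures 70 seconds apart and so stays under a 60-second window.
SAMPLE_LOG = """\
Jul 25 13:00:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40212 ssh2
Jul 25 13:00:09 host sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 40215 ssh2
Jul 25 13:00:17 host sshd[2105]: Failed password for root from 203.0.113.7 port 40219 ssh2
Jul 25 13:00:24 host sshd[2107]: Failed password for root from 203.0.113.7 port 40223 ssh2
Jul 25 13:00:30 host sshd[2109]: Accepted publickey for grant from 198.51.100.4 port 51000 ssh2
Jul 25 13:05:00 host sshd[2120]: Failed password for grant from 198.51.100.9 port 52000 ssh2
Jul 25 13:06:10 host sshd[2122]: Failed password for grant from 198.51.100.9 port 52001 ssh2
Jul 25 13:07:20 host sshd[2124]: Failed password for grant from 198.51.100.9 port 52002 ssh2
Jul 25 13:08:30 host sshd[2126]: Failed password for grant from 198.51.100.9 port 52003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_ts(ts, year=2005):
    """Syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def brute_force_sources(log_text, seconds=60, hitcount=4):
    """Return {ip: time_threshold_first_hit} for addresses with at least
    `hitcount` failed logins inside any window of `seconds`, the same
    policy as `-m recent --update --seconds 60 --hitcount 4`."""
    windows = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "Failed":
            continue                # ignore unparseable lines and successes
        ip, t = m["ip"], parse_ts(m["ts"])
        q = windows[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > seconds:
            q.popleft()             # expire failures older than the window
        if len(q) >= hitcount and ip not in flagged:
            flagged[ip] = t
    return flagged
```

Widening the window (for example `seconds=300`) catches the slow source too, which is the trade-off behind the 60-second figure in the rule.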