Sunday, December 25, 2005

ClamAV: Antivirus for linux

There are only two Linux viruses and neither has been found alive in the wild. On the other hand, there are eighteen bazillion infectious viruses on Windows, and that number grows steadily every day. That doesn't mean you should ignore anti-virus software.

Unlike some popular commercial anti-virus products for Windows, the Linux equivalents aren't CPU and memory hogs. One of the best free (as in speech and beer) Linux anti-virus packages is ClamAV. Installing ClamAV is really simple. Most distributions have binaries available, or if your distro supports apt-get, just type:

# apt-get install clamav

I have a Mandrake and for installation all I did was:

[root@mybox rkhunter]# urpmi clamav
To satisfy dependencies, the following packages are going to be installed (2 MB):
clamav-0.61-0.20030829.1mdk.i586
clamav-db-0.61-0.20030829.1mdk.i586
libclamav1-0.61-0.20030829.1mdk.i586
Is this OK? (Y/n) y
medium "contrib" uses an invalid list file:
mirror is probably not up-to-date, trying to use alternate method

ftp://ftp.is.co.za/mirror/mandrivalinux/official/9.2/contrib/i586/./clamav-0.61-0.20030829.1mdk.i586.rpm
ftp://ftp.is.co.za/mirror/mandrivalinux/official/9.2/contrib/i586/./clamav-db-0.61-0.20030829.1mdk.i586.rpm
ftp://ftp.is.co.za/mirror/mandrivalinux/official/9.2/contrib/i586/./libclamav1-0.61-0.20030829.1mdk.i586.rpm
The following packages have bad signatures:
/var/cache/urpmi/rpms/clamav-0.61-0.20030829.1mdk.i586.rpm: Invalid signature ((SHA1) DSA sha1 md5 (GPG) (MISSING KEY) GPG#604aa4e4 NOT OK)
/var/cache/urpmi/rpms/clamav-db-0.61-0.20030829.1mdk.i586.rpm: Invalid signature ((SHA1) DSA sha1 md5 (GPG) (MISSING KEY) GPG#604aa4e4 NOT OK)
/var/cache/urpmi/rpms/libclamav1-0.61-0.20030829.1mdk.i586.rpm: Invalid signature ((SHA1) DSA sha1 md5 (GPG) (MISSING KEY) GPG#604aa4e4 NOT OK)
Do you want to continue installation ? (y/N) y
installing /var/cache/urpmi/rpms/clamav-0.61-0.20030829.1mdk.i586.rpm /var/cache/urpmi/rpms/libclamav1-0.61-0.20030829.1mdk.i586.rpm /var/cache/urpmi/rpms/clamav-db-0.61-0.20030829.1mdk.i586.rpm
Preparing... ##################################################
1:libclamav1 ##################################################
2:clamav-db ##################################################
3:clamav ##################################################

That's it.

If you’re lucky enough to use a Debian-based distro, ClamAV sets itself up. If you’re using another distro, you may have to create a new user named clamav, change a few permissions, and set up a few cron jobs. For detailed instructions, see the Clam AntiVirus User Manual at http://www.clamav.net/doc/latest/html/.


No one wants to have to think about anti-virus software once it’s installed. Any good anti-virus package should automatically update itself with new virus definitions, the more often the better. In addition, the anti-virus software should perform a full system scan at a regularly scheduled interval. Finally, integration with email software is vital: the best place to intercept new viruses is at this common point of entry.
ClamAV can handle all of these tasks. ClamAV runs freshclam to check for updates. By default, freshclam runs hourly on Debian systems. If you want to change that interval, simply edit the Checks line in /etc/clamav/freshclam.conf.
To check your system, ClamAV uses clamscan. There is a wealth of options available for clamscan; to see them, use man clamscan. A quick-and-dirty way to scan your home directory is to use clamscan as follows:
[root@mybox rkhunter]# clamscan -ri --move=/tmp/virus /home/sriram/

----------- SCAN SUMMARY -----------
Known viruses: 9586
Scanned directories: 6
Scanned files: 18
Infected files: 0
Data scanned: 0.14 MB
I/O buffer size: 131072 bytes
Time: 0.857 sec (0 m 0 s)

[root@mybox rkhunter]#


The -r option tells ClamAV to recursively scan your directory and every other directory and file in it, while -i makes things a bit quieter, telling ClamAV to only print the names of infected files it finds. If a virus is found in a file, ClamAV moves the file to /tmp/virus/, but that directory must already exist before clamscan starts working. Set up a cron job to create /tmp/virus/ and run clamscan and you have an automated way to keep your system clean and healthy.
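The cron job described above, written out as an added example (this is not code from the original post or from the ClamAV project): it prepares the quarantine directory before clamscan runs, calls clamscan with the same -ri --move flags as the post, and reads the "Infected files:" line of the SCAN SUMMARY so that a hit turns into a non-zero exit status and a mail to root. SCAN_DIR, QUARANTINE and MAILTO are assumed defaults; the stat -c ownership check is GNU/Linux-specific.

```shell
#!/bin/sh
# Added example: cron wrapper for clamscan. Not part of ClamAV or the post.
SCAN_DIR="${SCAN_DIR:-/home}"            # assumption: what to scan
QUARANTINE="${QUARANTINE:-/tmp/virus}"   # the post's path; see note below
MAILTO="${MAILTO:-root}"

# Create the quarantine directory root-only (0700). Refuse it if it is a
# symlink or owned by someone else, so nobody can redirect where infected
# files are moved to (matters when the directory lives under /tmp).
prepare_quarantine() {
    dir=$1
    if [ -L "$dir" ]; then
        echo "refusing symlink quarantine dir: $dir" >&2
        return 1
    fi
    [ -d "$dir" ] || mkdir -m 0700 "$dir" || return 1
    chmod 0700 "$dir"
    if [ "$(stat -c '%u' "$dir")" != "$(id -u)" ]; then   # GNU stat
        echo "quarantine dir $dir is not owned by uid $(id -u)" >&2
        return 1
    fi
    return 0
}

# Extract the number after "Infected files:" from clamscan's summary text.
# Prints the count, or -1 if the summary line is missing.
infected_count() {
    n=$(printf '%s\n' "$1" | sed -n 's/^Infected files: *\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$n" ]; then echo -1; else echo "$n"; fi
}

# Scan as the post does (-r recursive, -i infected only, --move to quarantine).
# Returns 0 if clean, 1 if infected files were found, 2 if clamscan failed.
run_scan() {
    out=$(clamscan -ri --move="$QUARANTINE" "$SCAN_DIR" 2>&1)
    rc=$?
    printf '%s\n' "$out"
    # clamscan exit codes: 0 = clean, 1 = virus(es) found, 2 = error
    case $rc in 0|1) ;; *) return 2 ;; esac
    if [ "$(infected_count "$out")" = "0" ]; then return 0; fi
    return 1
}

main() {
    prepare_quarantine "$QUARANTINE" || exit 2
    report=$(run_scan); rc=$?
    if [ "$rc" -ne 0 ]; then
        printf '%s\n' "$report" | mail -s "clamscan: $SCAN_DIR rc=$rc" "$MAILTO"
    fi
    exit "$rc"
}

# Only scan when invoked with "run", so the functions can also be sourced.
if [ "${1-}" = "run" ]; then main; fi
```

Install it as root and call it from cron with the "run" argument (for example a daily crontab line such as `0 3 * * * /usr/local/bin/clamscan-cron.sh run`). The post uses /tmp/virus/ as the quarantine; because /tmp is world-writable, the symlink and ownership checks in prepare_quarantine are what keep another local user from pre-creating that path, and pointing QUARANTINE at a root-owned directory outside /tmp avoids the issue entirely.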

Many Linux email clients already support ClamAV directly, including KMail (which allows you to pick the anti-virus program of your choice) and Sylpheed Claws. Others, such as Evolution, require you to manually create filters that pipe email through ClamAV. (C’mon, Evolution (and others)! Let us specify ClamAV or other anti-virus programs directly!)

There are windowed interfaces for ClamAV, if you really want them (check out the enormous list at http://www.clamav.net/3rdparty.html). There are also lots of other programs and libraries that interface with ClamAV, including php-clamav (which allows ClamAV to work with PHP), python-clamav (ditto, but for Python), and clamav-milter (which scans messages processed by sendmail).

If you want to protect your Linux server or desktop from viruses, give ClamAV a look. It’s a powerful, well-supported open source project, and it just keeps getting better and better.

The Rootkit hunter

Finding rootkits, infections and suspicious files:

Rootkit Hunter, available from http://www.rootkit.nl/, is a scanning tool that consists of one shell script, a few text-based databases, and optional Perl modules. Written by Michael Boelen, it's licensed under the GPL. Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers. It runs a variety of tests to look for default files used by rootkits (using an MD5 hash comparison), incorrect file permissions on binaries, and suspicious strings in Linux loadable kernel modules.
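To show what the "known file hashes plus binary permissions" check amounts to, here is an added example (not Rootkit Hunter's own code, nor from the original post): a minimal baseline-and-verify script that records the MD5 digest and octal mode of every regular file under a directory, then later reports files whose contents or permissions changed or that disappeared. It assumes md5sum (GNU coreutils) and GNU stat -c are present, and that the baseline is taken on a host you trust before it is exposed.

```shell
#!/bin/sh
# Added example: MD5 + permission baseline check in the spirit of rkhunter.
# Not part of Rootkit Hunter or the original post.

# Print the octal permission bits of a file (GNU stat; BSD stat differs).
file_mode() {
    stat -c '%a' "$1"
}

# Write one "md5 mode path" line per regular file under $1 to stdout.
make_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(md5sum "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$sum" "$(file_mode "$f")" "$f"
    done
}

# Compare the baseline file $1 against the live filesystem. Prints one line
# per finding (CHANGED / MODE / MISSING) and returns the number of findings,
# capped at 255 because it is used as an exit status.
verify_baseline() {
    problems=0
    while read -r sum mode path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            problems=$((problems + 1))
            continue
        fi
        cur=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$cur" != "$sum" ]; then
            echo "CHANGED $path (was $sum, now $cur)"
            problems=$((problems + 1))
        fi
        curmode=$(file_mode "$path")
        if [ "$curmode" != "$mode" ]; then
            echo "MODE $path (was $mode, now $curmode)"
            problems=$((problems + 1))
        fi
    done < "$1"
    if [ "$problems" -gt 255 ]; then problems=255; fi
    return "$problems"
}

# Usage: baseline.sh init /bin  > baseline.txt   (on a freshly installed host)
#        baseline.sh check baseline.txt           (later, e.g. from cron)
case "${1-}" in
    init)  make_baseline "$2" ;;
    check) verify_baseline "$2" ;;
esac
```

The baseline file is only as trustworthy as the place it is kept: store it (and ideally the script) on read-only or off-host media, since a rootkit that can replace /bin/ps can just as easily rewrite a baseline sitting next to it. A setuid bit appearing on a binary shows up as a MODE finding, which is the "incorrect file permissions" case the post mentions.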

Download Rootkit Hunter from:
+++++++++++++++++++++
Step 1
-----
http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz

Step 2 :
-------
Untar it in /usr/local/src/

tar -zxvf rkhunter-1.2.7.tar.gz

cd rkhunter

Step 3 :
-------

Now run installer.sh

[root@mybox rkhunter]# ./installer.sh

Rootkit Hunter installer 1.2.4 (Copyright 2003-2005, Michael Boelen)
---------------

Starting installation/update

Checking /usr/local... OK
Checking file retrieval tools... /usr/bin/wget
Checking installation directories...
- Checking /usr/local/rkhunter...Created
- Checking /usr/local/rkhunter/etc...Created
- Checking /usr/local/rkhunter/bin...Created
- Checking /usr/local/rkhunter/lib/rkhunter/db...Created
- Checking /usr/local/rkhunter/lib/rkhunter/docs...Created
- Checking /usr/local/rkhunter/lib/rkhunter/scripts...Created
- Checking /usr/local/rkhunter/lib/rkhunter/tmp...Created
- Checking /usr/local/etc...Exists
- Checking /usr/local/bin...Exists
Checking system settings...
- Perl... OK
Installing files...
Installing Perl module checker... OK
Installing Database updater... OK
Installing Portscanner... OK
Installing MD5 Digest generator... OK
Installing SHA1 Digest generator... OK
Installing Directory viewer... OK
Installing Database Backdoor ports... OK
Installing Database Update mirrors... OK
Installing Database Operating Systems... OK
Installing Database Program versions... OK
Installing Database Program versions... OK
Installing Database Default file hashes... OK
Installing Database MD5 blacklisted files... OK
Installing Changelog... OK
Installing Readme and FAQ... OK
Installing Wishlist and TODO... OK
Installing RK Hunter configuration file... OK
Installing RK Hunter binary... OK
Configuration updated with installation path (/usr/local/rkhunter)

Installation ready.
See /usr/local/rkhunter/lib/rkhunter/docs for more information. Run 'rkhunter' (/usr/local/bin/rkhunter)


Step 4 :
-------
Configuration Files


The installer places a shell script in /usr/local/bin/

The configuration file in /usr/local/etc/

The rest of the files go in /usr/local/rkhunter/

You can override /usr/local/ with the --installdir parameter.


With everything installed, you’re ready to run the program. One nice thing about Rootkit Hunter is that it keeps a variety of information such as known good program versions, blacklisted tools and binaries, and MD5 hashes in continually updated databases, much like a virus scanner. The first thing to do is make sure all of the databases are current.
# /usr/local/bin/rkhunter --update

If anything is out of date, it’s automatically updated. There’s also a quick and easy way to verify that you’re running the latest version of Rootkit Hunter itself:
# /usr/local/bin/rkhunter --versioncheck
This version: 1.2.7
Latest version: 1.2.7
To run all of the Rootkit Hunter security checks and see a verbose, colorized status report, run:
# /usr/local/bin/rkhunter --checkall

While the Rootkit Hunter script has extremely sane defaults, you can edit its configuration file if you’d like to whitelist hidden files or directories, change the install directory, or ignore the fact that remote root SSH logins are allowed. As with any software you install, take the time to thoroughly look through the configuration file to learn what the software is capable of and what each option does.
Once you’re confident that everything is installed and working correctly, add Rootkit Hunter to your list of regular system chores in the system cron file. To do that, first create a script with the following:
#!/bin/sh
# Run the three rkhunter steps in a subshell and mail their combined output to root.
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter output' root
This script performs a version check, updates your databases, runs Rootkit Hunter in a mode conducive to cron (--cronjob disables colored output and --report-warnings-only sets a severity level), and then mails the results to root. You should run this script as root, via cron, at least once a day.

Rootkit Hunter performs a similar function as chkrootkit. However, it works in a different manner and offers some additional features, such as storing information in live databases. Which one should you use? Since both are open source and are free to download and use, install both, see how each one works behind the scenes, and choose the one that best suits your needs and your environment.

Example check:

[root@mybox rkhunter]# rkhunter --checkall


Rootkit Hunter 1.2.7 is running

Determining OS... Ready


Checking binaries


This will list the complete details of binaries, rootkits, trojans, suspicious files, malware, etc.