scanning Linux

DoctorKaos
09-04-2003, 01:48 AM
Which files and which directories should be scanned for viruses, trojans, rootkits, etc. on a Linux system?

dkeav
09-04-2003, 02:11 AM
Heh, well, lucky for you, one of the fortunate side effects of using open-source software is that everyone gets to read the code; if there was adware/spyware, someone would cry wolf about it. And since Linux has a much smaller desktop market share, most of the baddies go for the easy kill (Windows), so you're fairly safe. As far as rootkits go, it's possible, but a hacker would probably have to do it to you, and if a hacker wants you he's going to get you; security just keeps honest people honest. Follow the basic security standards and use common sense, and you will be just fine from the baddies.

bosox79
09-04-2003, 03:05 AM
Originally posted by dkeav
> Heh, well, lucky for you, one of the fortunate side effects of using open-source software is that everyone gets to read the code; if there was adware/spyware, someone would cry wolf about it. And since Linux has a much smaller desktop market share, most of the baddies go for the easy kill (Windows), so you're fairly safe. As far as rootkits go, it's possible, but a hacker would probably have to do it to you, and if a hacker wants you he's going to get you; security just keeps honest people honest. Follow the basic security standards and use common sense, and you will be just fine from the baddies.

I would also recommend you use some type of firewall software if you have a broadband net connection. What distro are you running?
For help securing your box, check out How to secure a Linux desktop G4L search results (http://www.google.com/linux?hl=en&lr=lang_en&ie=ISO-8859-1&safe=off&q=How+to+secure+a+Linux+desktop&btnG=Google+Search) & start with this site in particular: Securing your Linux desktop system (http://www.princeton.edu/~psg/unix/linux/linuxsecurity.html)

dkeav
09-04-2003, 03:51 AM
To build on bosox's post, he is very right, but I might suggest that the firewall be a hardware firewall. This can be done very cheaply just by using an old redundant PC and a couple of NIC cards. Since a firewall is only as good as the OS it runs on, it is nice that if the system gets corrupted it is localized to the DMZ'ed machine, and not your main computer or internal network.

bosox79
09-04-2003, 04:05 AM
Originally posted by dkeav
> To build on bosox's post, he is very right, but I might suggest that the firewall be a hardware firewall. This can be done very cheaply just by using an old redundant PC and a couple of NIC cards. Since a firewall is only as good as the OS it runs on, it is nice that if the system gets corrupted it is localized to the DMZ'ed machine, and not your main computer or internal network.

Thanks dkeav, I totally forgot about the hardware FW route :eek: it must be getting late, I am slipping.

Gertrude
09-04-2003, 05:30 AM
You generally don't need to worry about viruses on a Linux computer. However, rootkits and trojans, on the other hand, have a much higher priority than a virus when it comes to Linux security. With rootkits, they will come in two forms. There are application rootkits that carry some kind of a trojaned program with them that will infect an application. The other kind of rootkit is known as a kernel-level rootkit. These for the most part will get loaded through a loadable kernel module, then infect the kernel itself, bypassing all system call instruction pointers. Not good. Application rootkits are much more common than the kernel ones.
You can many times find these by just searching around for specific trojan binaries within your computer. For the kernel-level rootkits you need to do a lot more detective work to find them (have a look around Google for more info). There are a few applications that can help with this. A common one is called chkrootkit; it will check for signs of both kernel and application rootkits. Another application that can be used is Tripwire; this will check the integrity of files and report back alterations to users if something changes. One of the best ways to protect yourself from things like this is to just learn about them, and how they work.

DoctorKaos
09-04-2003, 11:45 PM
Thanks for the info everyone :)

bosox79
09-05-2003, 01:59 AM
Originally posted by DoctorKaos
> Thanks for the info everyone :)

You're welcome :D

X_console
09-05-2003, 04:54 PM
You probably want to install something like Tripwire on your system so that it will alert you whenever files have been modified. Generally you want to keep track of everything in /etc, especially your passwd, group, and shadow files. Then your /sbin, /bin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin, and anywhere else you keep binaries. This will keep you safe for the most part, but don't expect it to keep you 100% secure. Best solution is to keep good backups so that in the event that something does happen, you can just wipe the system and restore from backup.

justlinux.com
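The file-integrity approach that Gertrude's and X_console's posts describe, over the directories X_console lists, as an added sketch that is not part of the thread and is not Tripwire's own code. The function names, the JSON baseline format and the `meta_changed` category are assumptions of this example.

```python
import hashlib, json, os, stat, sys
# Directories named in the thread; run as root so /etc/shadow is readable.
WATCHED = ["/etc", "/bin", "/sbin", "/usr/bin", "/usr/sbin",
           "/usr/local/bin", "/usr/local/sbin"]

def fingerprint(path):  # content hash plus owner and mode (setuid/setgid included)
    st = os.lstat(path)  # lstat: describe a symlink itself, not its target
    entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISLNK(st.st_mode):
        entry["sha256"] = "symlink:" + os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            entry["sha256"] = hashlib.sha256(fh.read()).hexdigest()
    return entry

def snapshot(roots):  # fingerprint every non-directory entry under each root
    snap = {}
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    snap[path] = fingerprint(path)
                except OSError as exc:  # unreadable file: record it, keep going
                    snap[path] = {"error": exc.strerror}
    return snap

def compare(baseline, current):  # classify every path that differs
    report = {"added": [], "removed": [], "modified": [], "meta_changed": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            report["added"].append(path)
        elif new is None:
            report["removed"].append(path)
        elif old.get("sha256") != new.get("sha256"):
            report["modified"].append(path)
        elif old != new:  # same content, different mode or owner
            report["meta_changed"].append(path)
    return report

if __name__ == "__main__":
    db = sys.argv[1]  # baseline file path (first run creates it)
    if os.path.exists(db):
        with open(db) as fh:
            print(json.dumps(compare(json.load(fh), snapshot(WATCHED)), indent=2))
    else:
        with open(db, "w") as fh:
            json.dump(snapshot(WATCHED), fh)
```

Keep the baseline file on read-only or off-host media, because anyone who can rewrite it can hide a change. A kernel-level rootkit can also falsify what a user-space walk like this reads, so run the comparison from trusted boot media when that is the concern.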