6

I have a system that was possibly rootkited (an IRC bot was installed and +ai attributes were set on /usr/bin, /usr/sbin, /bin, /sbin). The IRC bots were deleted and the system was upgraded to 5.0.4 from 4.0. I'm afraid that something in the folders I've mentioned was modified. I can't reinstall the box, so is there any way to check the integrity of the system? I have already checked rkhunter and chkrootkit.

Starfish
artvolk
    Can you simply restore your backup to a temp location on some other system, and build md5/sha1 sums of them, then compare those against the server? You do have a backup right? – Zoredache Mar 19 '10 at 07:37

6 Answers

8

debsums, but it will only check files installed by packages, it can't tell you about extra files.

ptman
    If you suspect your system has been compromised you can't completely trust that. At the minimum you should boot from a livecd use a copy of debsums that isn't from the potentially compromised environment. – Zoredache Mar 19 '10 at 07:39
    The only real solution to a compromised system is from-scratch reinstall. – ptman Mar 19 '10 at 09:16
7

When a system is compromised you're never sure if everything was cleaned and the best solution is always to reinstall the system, but you need to do some forensics to prevent that from happening again.

chkrootkit and rkhunter are good rootkit checkers, but they're not infallible.

Also, run nmap from an outside machine and see if there's some port opened that you're not expecting.

debsums is also a good help when checking for compromised binaries.

And do you have any idea how the hacker got access to the machine and which service was vulnerable? Focus especially there (but not only there). See if there are known issues with that software version. Check every possible log you have in your filesystem. If you have an MRTG-style trending application (like ganglia, munin or cacti), check it for possible time frames of the attack.

You should also review your machine considering the following topics:

  • shut the services you don't need

  • test backup on a regular basis

  • follow the least privilege principle

  • have your services updated, especially regarding security updates

  • don't use default credentials

Marco Ramos
1

What about using AIDE?

https://help.ubuntu.com/community/FileIntegrityAIDE

  • AIDE is only a solution if you have a checksum of the known good files. After a suspected compromise it's not going to help you sort out the good from the bad. – 3dinfluence May 13 '10 at 02:15
1

Under Debian there is the awesome tool: chkrootkit

aptitude install chkrootkit :)
Razique
    `chkrootkit` is garbage. Had a client with 2 rootkits and it did not detect either one. `apt-get install rkhunter` – solefald May 12 '10 at 22:38
  • Nowadays, I also reckon that rkhunter is better than chkrootkit, but neither of them is infallible. – Marco Ramos May 14 '10 at 12:59
1

There is an ideal tool invented for this kind of task: debcheckroot

It compares the sha256sum of each file and because of this it does not miss rootkits. Be aware that chkrootkit and rkhunter are known not to detect government malware from western intelligence agencies like the NSA. The results are also presented in a better, more readable format than debsums.

kenlukas
0

There is one definitive tool you need to know: debcheckroot [1]. It was even used by the French ministry of defense (see Sylvain Sécherre, debian-security May 2022). The definitive advantage of that tool over, say, chkrootkit or rkhunter is that it can also spot yet unknown rootkits by comparing file sha256sums against pristine files on your install media or online repo.

[1] https://www.elstel.org/debcheckroot/
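A worked version of the check that the debsums answer and the two debcheckroot answers above describe, added here as an example; it is not code from this page, from debsums or from debcheckroot. It takes the pristine per-file sha256 hashes straight out of a .deb (here a tiny package built in memory, labelled as constructed, so the example runs offline; on a real host you would feed it the .deb fetched from the mirror with `apt-get download`) and compares them against a filesystem tree, reporting modified and missing package files plus files under /usr/bin, /usr/sbin, /bin and /sbin that no package accounts for, which is exactly the gap debsums leaves. All names (`SAMPLE_PKG`, `check_root`, `pristine_hashes`, the `.ircbot` file) are my own and assumed for the demo.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample package content, standing in for what the mirror's .deb ships.
# On a real host, use the .deb from `apt-get download <pkg>` instead of this dict.
SAMPLE_PKG = {
    "usr/bin/true-ish": b"#!/bin/sh\nexit 0\n",
    "usr/bin/sha-tool": b"#!/bin/sh\necho pristine\n",
    "usr/sbin/daemon": b"#!/bin/sh\nexec sleep 1\n",
}


def _ar_member(name, body):
    """Encode one member in the common ar format a .deb uses (60-byte text header)."""
    header = f"{name:<16}{0:<12}{0:<6}{0:<6}{0o100644:<8o}{len(body):<10}`\n".encode()
    assert len(header) == 60
    return header + body + (b"\n" if len(body) % 2 else b"")  # members are 2-byte aligned


def build_sample_deb(files):
    """Build a minimal .deb in memory: ar(debian-binary, control.tar.gz, data.tar.gz).
    Constructed for this example only, so that it runs offline."""
    def tar_gz(members):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
            for path, data in members.items():
                info = tarfile.TarInfo("./" + path)  # dpkg-deb stores ./-relative names
                info.size, info.mode = len(data), 0o755
                tf.addfile(info, io.BytesIO(data))
        return buf.getvalue()
    control = {"control": b"Package: sample\nVersion: 1.0\nArchitecture: all\n"}
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", tar_gz(control))
            + _ar_member("data.tar.gz", tar_gz(files)))


def ar_members(blob):
    """Parse an ar archive (a .deb) into {member_name: bytes}."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    members, pos = {}, 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = hdr[0:16].decode().rstrip(" /")  # GNU ar terminates names with "/"
        size = int(hdr[48:58])
        pos += 60
        members[name] = blob[pos:pos + size]
        pos += size + (size % 2)
    return members


def pristine_hashes(deb_bytes):
    """{path: sha256hex} for every regular file shipped in the .deb's data.tar member."""
    members = ar_members(deb_bytes)
    data_name = next(n for n in members if n.startswith("data.tar"))
    hashes = {}
    with tarfile.open(fileobj=io.BytesIO(members[data_name]), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.isreg():
                path = m.name[2:] if m.name.startswith("./") else m.name.lstrip("/")
                hashes[path] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    return hashes


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_root(root, expected, watched_dirs=("usr/bin", "usr/sbin", "bin", "sbin")):
    """Compare the tree under `root` (the suspect disk mounted read-only from a live CD,
    not the running system) against `expected`, the merged pristine hashes."""
    report = {"modified": [], "missing": [], "unpackaged": []}
    for rel, digest in sorted(expected.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):  # also catches a dangling symlink
            report["missing"].append(rel)
        elif sha256_of(full) != digest:
            report["modified"].append(rel)
    # Files in the watched directories that no package accounts for.
    for d in watched_dirs:
        for dirpath, _, files in os.walk(os.path.join(root, d)):
            for name in sorted(files):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                if rel not in expected:
                    report["unpackaged"].append(rel)
    return report


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: one untouched file, one trojaned file, one deleted file,
    and a bot dropped into /usr/bin that no package owns."""
    expected = pristine_hashes(build_sample_deb(SAMPLE_PKG))
    with tempfile.TemporaryDirectory() as root:
        _write(root, "usr/bin/true-ish", SAMPLE_PKG["usr/bin/true-ish"])
        _write(root, "usr/bin/sha-tool", b"#!/bin/sh\necho trojaned\n")
        _write(root, "usr/bin/.ircbot", b"#!/bin/sh\n# constructed bot payload\n")
        # usr/sbin/daemon is deliberately not written: it was deleted
        return check_root(root, expected)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two points the answers above make are built into the design: the hashes come from the .deb itself, never from `/var/lib/dpkg/info/*.md5sums` on the suspect disk, because anyone who could install a rootkit could also regenerate that manifest; and the comparison is meant to run with the disk mounted from a clean live environment, since a kernel-level rootkit on the running system can lie to any checker, this one included. The `unpackaged` list is only as good as the set of packages you merge into `expected`, so feed it every package installed on the host (the hashing of one package is shown here; loop over the downloaded .deb files for the rest).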