Detecting root kits?

Dan Coutu coutu at snowy-owl.com
Mon Jun 23 10:00:12 EDT 2003


Tom Fogal wrote:
>>Last week I uncovered a RedHat box that had been rooted (fortunately it 
>>had only recently been installed and nothing important was on it.) 
>>Rather than me having to go through a hands-on intensive process of 
>>analyzing every other Linux system on the LAN are there tools that I can 
>>use to determine whether or not this SOB got into other systems?
>>
>>Any pointers to where I can learn more about the different types of 
>>rootkits and how to counter or detect them are also welcome.
>>
>>Thanks!
>>-- 
> 
> 
> i seem to remember freebsd having a nightly cronjob script that would save
> the md5sum of every file on the system to a file.. and then compare it with
> the md5sum of the same file that it generated 24 hours before. differences were
> mailed to root.. i always thought this to be a good idea, perhaps you could
> implement it yourself? seems like a simple shell script.
> 
> anyway, that solution doesn't work well in your current situation. do you have
> another box w/ the same updates, that you know is clean? you could compare 
> md5's from that one...
> 
> HTH,
> 
> -tom

Something like this can be done by utilities like tripwire. The catch is 
that they need to have been set up *before* the break-in occurs. I'm 
trying to play catch-up here with systems that are in an unknown state of 
security (or lack thereof).

I also know how to detect this particular hack but it involves a lot of 
manual effort with copying known good utilities (like ls and lsof) and 
examining a number of different directories and files. Quite time-consuming.

-- 

Dan Coutu
Managing Director
Snowy Owl Internet Consulting, LLC
http://www.snowy-owl.com/
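The nightly checksum comparison Tom describes, together with Dan's point that the baseline is only useful if it predates the break-in, as an added shell example that is not part of this thread; the manifest file names, the state directory and the choice of md5sum are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal version of the
# nightly "checksum every file and diff against yesterday" job. Paths below
# are assumptions; paths containing whitespace are not handled.
#
# Caveat from Dan's reply: a baseline recorded after a compromise only tells
# you what changed since then, and find/md5sum/join on a rooted host may have
# been replaced, so run them from known-good media.
export LC_ALL=C

# Write "checksum  path" for every regular file under $1 into $2, sorted by path.
make_manifest() {
    find "$1" -type f -exec md5sum {} + 2>/dev/null | sort -k2 > "$2"
}

# Compare old manifest $1 with new manifest $2. Prints one line per change
# (ADDED <path>, REMOVED <path>, CHANGED <path>). Returns 0 when nothing
# changed, 1 otherwise, so a cron wrapper can decide whether to mail root.
compare_manifests() {
    changes=$(
        join -a1 -a2 -e MISSING -o 0,1.1,2.1 -1 2 -2 2 "$1" "$2" |
        awk '$2 == "MISSING" { print "ADDED " $1; next }
             $3 == "MISSING" { print "REMOVED " $1; next }
             $2 != $3        { print "CHANGED " $1 }'
    )
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Daily run: rotate yesterday's manifest, build today's, report differences.
# $1 = directory tree to watch, $2 = state directory holding the manifests.
daily_check() {
    [ -f "$2/manifest" ] && mv "$2/manifest" "$2/manifest.prev"
    make_manifest "$1" "$2/manifest"
    [ -f "$2/manifest.prev" ] || { echo "baseline recorded"; return 0; }
    compare_manifests "$2/manifest.prev" "$2/manifest"
}
```

Keep the state directory somewhere the checked tree cannot write to, or better on read-only or off-host storage, since an intruder who can edit the manifest can hide the change.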