Detecting root kits?
Dan Coutu
coutu at snowy-owl.com
Mon Jun 23 10:00:12 EDT 2003
Tom Fogal wrote:
>>Last week I uncovered a RedHat box that had been rooted (fortunately it
>>had only recently been installed and nothing important was on it.)
>>Rather than me having to go through a hands-on intensive process of
>>analyzing every other Linux system on the LAN are there tools that I can
>>use to determine whether or not this SOB got into other systems?
>>
>>Any pointers to where I can learn more about the different types of
>>rootkits and how to counter or detect them are also welcome.
>>
>>Thanks!
>>--
>
>
> i seem to remember freebsd having a nightly cronjob script that would save
> the md5sum of every file on the system to a file.. and then compare it with
> the md5sum of the same file that it generated 24 hours before. differences were
> mailed to root.. i always thought this to be a good idea, perhaps you could
> implement it yourself? seems like a simple shell script.
>
> anyway, that solution doesnt work well in your current situation. do you have
> another box w/ the same updates, that you know is clean? you could compare
> md5's from that one...
>
> HTH,
>
> -tom
Something like this can be done by utilities like tripwire. The catch is
that they need to have been setup *before* the breakin occurs. I'm
trying to play catchup here with systems that are in an unknown state of
security (or lack thereof.)
I also know how to detect this particular hack but it involves a lot of
manual effort with copying known good utilities (like ls and lsof) and
examining a number of different directories and files. Quite time consuming.
--
Dan Coutu
Managing Director
Snowy Owl Internet Consulting, LLC
http://www.snowy-owl.com/
More information about the gnhlug-discuss
mailing list