Detecting root kits?

Dan Coutu coutu at snowy-owl.com
Mon Jun 23 10:43:34 EDT 2003


brian wrote:
> FWIW, I've also found a lot of rootkits hidden in the /home and games
> directories on various systems.  For starters, I'd also compare the
> sizes of your various utils, like top, ls, more, etc to known good
> utils.  If you can mount the infected disk on another clean server as RO
> to analyze it, that would also make diagnosis easier.

This is an example of the manual effort that I'm trying to avoid. Doing 
this with upward of 40 systems takes too long and results in way too 
much downtime.

>>
>>The chkrootkit package is a quick once over.  The best place to look is in 
>>/dev, as that's where a lot of rootkits hide their stuff.  I find a 
>>command like this is pretty useful:
>>	find /dev -ls -maxdepth 1|grep d[-r][-w]
>>

I'm pulling over the chkrootkit package. Sounds like exactly what I'm 
looking for!

>>and then make sure those directories that it returns are actually supposed 
>>to be there.  ls is almost always trojaned, hence the reason to use find.  

FYI, in this case a lot of utilities were trojaned. The list is:
dir, find, locate, md5sum, pstree, slocate, top, lsof, ifconfig, 
syslogd, login, ls, netstat, and ps. Interestingly, I was able to 
determine this because all of these were owned by a regular user account 
rather than root!

The system also had these odd things: two hidden directories (that I've 
found, there may be more) /var/nis/..\ \  (that's two dots and two 
spaces) and /etc/nhm/... (three dots.) Both had binary and data files 
used to get at things that you'd rather keep private and included a 
trojaned httpd and a utility called write that was collecting data to be 
sent elsewhere. There was also a file /etc/cron.daily/sync that sends 
email to a yahoo.com account with the contents of /etc/.mc

In /var/tmp there was a file t.tgz that contained a file called t which 
had been unpacked in that same directory with owner of root and t was 
setuid, setgid containing binary data. The file utility did not think it 
was a normal executable though.

-- 

Dan Coutu
Managing Director
Snowy Owl Internet Consulting, LLC
http://www.snowy-owl.com/
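A triage scan for the indicators Dan describes above, added here as an example and not part of the original thread or the chkrootkit package: system binaries not owned by root, directory names made of dots and spaces like `/var/nis/..  ` and `/etc/nhm/...`, and setuid/setgid files sitting in temp directories. It deliberately uses only Python syscalls (os.walk, os.lstat) rather than running ls, find or ps from the suspect system; the directory lists and the constructed demo tree are my own assumptions.

```python
import os
import stat
import tempfile

SUID_SGID = stat.S_ISUID | stat.S_ISGID

def suspicious_dirname(name):
    """Dot/space names like '..  ' or '...' that blend in next to '.' and '..' in a listing."""
    if name in (".", ".."):
        return False
    core = name.strip()
    all_dots = core != "" and set(core) <= {"."}
    return all_dots or core != name          # also flags leading/trailing whitespace

def scan(root, expected_uid=0):
    """Walk a filesystem (ideally an image mounted read-only) and return sorted (kind, path)
    findings. Only os.walk/os.lstat are used: no ls, find or ps from the suspect box runs."""
    bin_dirs = {os.path.join(root, d) for d in ("bin", "sbin", "usr/bin", "usr/sbin")}
    tmp_dirs = {os.path.join(root, d) for d in ("tmp", "var/tmp")}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        findings += [("hidden-dir", os.path.join(dirpath, n))
                     for n in dirnames if suspicious_dirname(n)]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                     # symlinks, sockets, device nodes
            if dirpath in bin_dirs and st.st_uid != expected_uid:
                findings.append(("nonroot-binary", path))   # ls, ps, netstat... not owned by root
            if dirpath in tmp_dirs and st.st_mode & SUID_SGID:
                findings.append(("setuid-in-tmp", path))    # like /var/tmp/t in the post
    return sorted(findings)

def build_demo_tree():
    """Constructed sample tree carrying the post's indicators (not real data); returns (root, owner uid)."""
    root = tempfile.mkdtemp()
    for d in ("bin", "var/nis/..  ", "etc/nhm/...", "var/tmp", "home/user"):
        os.makedirs(os.path.join(root, d))
    for name in ("ls", "ps", "netstat"):
        with open(os.path.join(root, "bin", name), "w") as f:
            f.write("#!/bin/sh\n")
    t = os.path.join(root, "var", "tmp", "t")
    with open(t, "wb") as f:
        f.write(b"\x7fnot-an-ELF")
    os.chmod(t, 0o6755)                      # setuid + setgid, as found on /var/tmp/t
    return root, os.getuid()

if __name__ == "__main__":
    print(*scan(build_demo_tree()[0]), sep="\n")
```

Run against a real image with `scan("/mnt/suspect")`; with the default `expected_uid=0` the demo binaries are reported unless the script itself runs as root, which is the point of the check.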
More information about the gnhlug-discuss mailing list