Detecting root kits?
Chris Brenton
cbrenton at chrisbrenton.org
Mon Jun 23 11:56:24 EDT 2003
On Mon, 2003-06-23 at 10:03, Ben Boulanger wrote:
>
> Also, a useful command is rpm -Va. The output is documented in man rpm,
> but it checks all of the files from RPMs for changes. You could also make
> this quicker by targeting things like passwd or util-linux.
This is an *excellent* trick and something Lance and I used to use on
the Honeynet before there were corporate sponsors. ;-)
Do something like:
rpm -Va > /root/suspect-files.txt &
tail -f /root/suspect-files.txt
and carefully check any files that get flagged. Anything _not_ listed
has _not_ been changed. For the stuff that has changed, you should see
something like this:
S.5....T /bin/some_file
This tells you the file size, MD5 and time stamp have changed. To fix it,
a simple:
rpm -qf /bin/some_file
foo-1.0.0
rpm -Uv --force foo-1.0.0.rpm
of the original RPM should get you back to where you started. Note this
will not remove additional rootkit files the purp put on the machine.
Also note this does not fix how they broke in, so there is nothing to stop
them from coming back. Make sure you are patched and locked down.
Now for the caveats: this database gets saved in /var/lib/rpm and can
easily be changed with root level access. However, in all my time with
SANS, handler on incidents.org, Honeynet, etc. etc. I have yet to see a
purp tweak the database on the way in so that the above would not catch them.
So today this is still pretty effective for detecting changes. In the
future, the blackhats may catch on.
HTH,
C
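An added example (not from the post above): a small decoder for the `rpm -Va` flag string the post shows (`S.5....T`), using the column meanings from the "Verify Options" section of man rpm, run over a constructed sample of verify output. It separates config-file edits (the `c` attribute), which are normally expected, from changed or missing binaries, and annotates the one pattern worth a second look: a digest change with the mtime left intact.

```python
import re

# Meaning of each column in the flag string, per the "Verify Options" section of
# man rpm. A '.' means that test passed; '?' means it could not be performed.
FLAG_MEANING = {"S": "size", "M": "mode", "5": "digest", "D": "device",
                "L": "readlink path", "U": "user", "G": "group", "T": "mtime"}

# "<flags> [<attr>] <path>" or "missing [<attr>] <path>"; attr 'c' marks a config file.
LINE_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[a-z])\s+)?(?P<path>/\S+)$")
MISSING_RE = re.compile(r"^missing\s+(?:(?P<attr>[a-z])\s+)?(?P<path>/\S+)$")

# Constructed sample of what `rpm -Va` might print; not output from any real host.
SAMPLE_OUTPUT = """\
S.5....T  c /etc/ssh/sshd_config
S.5....T    /bin/some_file
..5.....    /bin/ls
missing     /usr/bin/top
.......T  c /etc/hosts
"""

def parse_line(line):
    """Decode one verify line into a dict, or return None for anything else."""
    line = line.strip()
    if m := MISSING_RE.match(line):
        return {"path": m["path"], "missing": True, "config": m["attr"] == "c", "changed": []}
    if m := LINE_RE.match(line):
        changed = [FLAG_MEANING[c] for c in m["flags"] if c in FLAG_MEANING]
        return {"path": m["path"], "missing": False, "config": m["attr"] == "c", "changed": changed}
    return None

def triage(output):
    """Split verify output into config-file edits (expected) and everything else (suspect).

    A suspect entry is annotated when its digest changed but its mtime did not: the
    content was replaced and the timestamp put back, which a normal edit never does.
    """
    expected, suspect = [], []
    for rec in filter(None, map(parse_line, output.splitlines())):
        if rec["config"] and not rec["missing"]:
            expected.append(rec)
            continue
        ch = rec["changed"]
        rec["note"] = "digest changed, mtime preserved" if "digest" in ch and "mtime" not in ch else ""
        suspect.append(rec)
    return expected, suspect

if __name__ == "__main__":
    for rec in triage(SAMPLE_OUTPUT)[1]:
        print("SUSPECT", rec["path"], "missing" if rec["missing"] else ", ".join(rec["changed"]), rec["note"])
```

On a live box, feed it the file from the `rpm -Va > /root/suspect-files.txt` step instead of SAMPLE_OUTPUT; the same caveat about a tampered /var/lib/rpm applies to anything built on top of it.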