I have a system that was possibly rootkited (the IRC bot was installed and +ai attributes were set on /usr/bin, /usr/sbin, /bin, /sbin). The IRC bots were deleted and system was upgraded to 5.0.4 from 4.0. I'm afraid that something in the folders I've mentioned was modified. I can't reinstall the box, so is there any way to check the integrity of the system? I have already checked rkhunter and chrootkit.
debsums, but it will only check files installed by packages, it can't tell you about extra files.
When a system is compromised you're never sure if everything was cleaned and the best solution is always to reinstall the system, but you need to do some forensics to prevent that from happening again.
chkrootkit and rkhunter are good rootkit checkers but they're not infallible.
Also, run nmap from an outside machine and see if there's some port opened that you're not expecting.
debsums is also a good help when checking for compromised binaries.
And do you have any ideas how the hacker got access to the machine and which service was vulnerable? Focus especially there (but not only there). See if there are known issues with that software version. Check for every possible log you have in your filesystem. If you have a mrtg trending application (like ganglia, munin or cacti) check it for possible time frames of the attack.
You should also review your machine considering the following topics:
shut the services you don't need
test backup on a regular basis
follow the least privilege principle
have your services updated, especially regarding security updates
don't use default credentials
What about using AIDE?
https://help.ubuntu.com/community/FileIntegrityAIDE
Under Debian there is the awesome tool: chkrootkit
There is an ideal tool invented for this kind of task: debcheckroot
It compares the sha256sum of each file and because of this it does not miss rootkits. Be aware that chkrootkit and rkhunter are known not to detect government malware from western intelligence agencies like the NSA. The results are also presented in a better, more readable format than debsums.
There is one definitive tool you need to know: debcheckroot [1]. It was even used by the French ministry of defense (see Sylvain Sécherre, debian-security May 2022). The definitive advantage of that tool over say chkrootkit or rkhunter is that it can also spot yet unknown rootkits by comparing file sha256sums against pristine files on your install media or online repo.
[1] https://www.elstel.org/debcheckroot/
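The manifest comparison that both the debsums answer and the debcheckroot answers describe, as an added example that is not part of this thread and not the code of either tool: it hashes a tree, checks it against a known-good sha256 manifest, and reports modified, missing and extra files (the extra files are what debsums cannot see). The manifest must come from a trusted source such as pristine install media or the original .deb files, never from the suspect host; the tree and tampering below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: sha256 manifest verification of a directory tree.
# make_manifest DIR : print "sha256  ./relative/path" for every regular file.
make_manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2)
}

# verify_tree MANIFEST DIR : print one line per deviation; return 0 only if clean.
verify_tree() {
    manifest=$1
    cur=$(mktemp)
    make_manifest "$2" > "$cur"
    # First input (NR==FNR) is the trusted manifest, second is the live tree.
    report=$(awk '
        NR == FNR { want[$2] = $1; next }
        { seen[$2] = 1
          if (!($2 in want))        print "EXTRA    " $2
          else if (want[$2] != $1)  print "MODIFIED " $2 }
        END { for (p in want) if (!(p in seen)) print "MISSING  " p }
    ' "$manifest" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# Constructed demonstration: a fake bin/ directory, a manifest taken while it
# is clean, then three tampering events of the kind a rootkit leaves behind.
demo_tampered_tree() {
    root=$(mktemp -d)
    mkdir "$root/bin"
    printf 'ls binary\n' > "$root/bin/ls"
    printf 'cp binary\n' > "$root/bin/cp"
    make_manifest "$root" > "$root.manifest"
    printf 'trojaned ls\n' > "$root/bin/ls"     # replaced binary
    rm "$root/bin/cp"                           # deleted binary
    printf 'irc bot\n' > "$root/bin/.bot"       # unpackaged extra file
    verify_tree "$root.manifest" "$root"
    status=$?
    rm -rf "$root" "$root.manifest"
    return $status
}

demo_tampered_tree   # prints EXTRA/MISSING/MODIFIED lines and returns 1
```

On a real host, generate the manifest from the pristine package contents and run verify_tree against /bin, /sbin, /usr/bin and /usr/sbin; the +ai attributes mentioned in the question do not affect hashing, but note that a kernel-level rootkit can still lie to userspace tools, which is why the thread recommends checking from install media.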