[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Suspect Web Server has been hacked :(



Hi Craig,

On Thu, Aug 30, 2001 at 09:34:51AM +0200, Craig wrote:
> I need to know if there is any software for debian to
> detect the presence of backdoors or rootkits. I suspect
> that our old debian web server has been compromised.

This is what I would do:

- check running processes: compare 'ps ax' with process entries in /proc
  most rootkits hide processes via a patched ps but cannot do so with the
  procfs

- check scripts in /etc/init.d for starting of any suspect daemons, check
  for scripts that are not debian-like and ones not written by you or any
  other admin

- look for ordinary files in /dev (I had a directory named /dev/hda0 for
  example) or dotfiles like /lib/.moo/, directories with names normally used
  only for files (/usr/lib/libfoobar.so/) and directories with invisible
  names (spaces for example: /tmp/   /)

- scan the machine for unusual open ports and use lsof to find out to
  which processes these ports belong, but be aware that lsof might be
  rooted

- If can find running backdoors, look at their environment 
  (/proc/<pid>/environ), you may find useful information like SSH_CLIENT

- mount the harddisk in another machine so you can use tools that won't
  be overwritten by a root kit.

- use debsums(1) to check files against the md5 sums stored in in
  /var/lib/dpkg/info/*.md5sums, but be aware that these files could be
  modified

- backup your data and reinstall the machine.

- maybe you need to hire a security expert for complete recovery ;-)

HTH, Joerg

-- 
  \ Joerg Wendland \ systems / network administrator, ITSec, Scan Plus GmbH
   \  *joergland*   \ Moerikestrasse 5, 89077 Ulm, Germany
    \                \ fon +49-731-92013-21, fax +49-731-6027146
     \----------------\ PGP-key: finger joerg@morpheus.ulm.scan-plus.de
      \ key fingerprint: 79C0 7671 AFC7 315E 657A  F318 57A3 7FBD 51CF 8417

Attachment: pgptR3UA6RyH2.pgp
Description: PGP signature


Reply to: