
Re: Suspect Web Server has been hacked :(



On Thu, Aug 30, 2001 at 10:11:42AM +0200, Joerg Wendland wrote:
> Hi Craig,
> 
> On Thu, Aug 30, 2001 at 09:34:51AM +0200, Craig wrote:
> > I need to know if there is any software for debian to
> > detect the presence of backdoors or rootkits. I suspect
> > that our old debian web server has been compromised.
> 
> This is what I would do:
> 
> - check running processes: compare 'ps ax' with process
>   entries in /proc; most rootkits hide processes via a patched
>   ps but cannot do so with the procfs

Unless they've installed a kernel module that messes around with
procfs or something.

[snip]
> - scan the machine for unusual open ports and use lsof to find
>   out to which processes these ports belong, but be aware that
>   lsof might be rooted

You could also compare the output of netstat -tuln with a
portscan of the machine to see if they agree.

[snip]
> - backup your data and reinstall the machine.

And don't back up any possibly trojaned binaries :)

-- 
Michael Wood
<mwood@its.uct.ac.za>


