Hi Craig,
On Thu, Aug 30, 2001 at 09:34:51AM +0200, Craig wrote:
> I need to know if there is any software for debian to
> detect the presence of backdoors or rootkits. I suspect
> that our old debian web server has been compromised.
This is what I would do:
- check running processes: compare 'ps ax' with process entries in /proc
most rootkits hide processes via a patched ps but cannot do so with the
procfs
- check scripts in /etc/init.d for starting of any suspect daemons, check
for scripts that are not debian-like and ones not written by you or any
other admin
- look for ordinary files in /dev (I had a directory named /dev/hda0 for
example) or dotfiles like /lib/.moo/, directories with names normally used
only for files (/usr/lib/libfoobar.so/) and directories with invisible
names (spaces for example: /tmp/ /)
- scan the machine for unusual open ports and use lsof to find out to
which processes these ports belong, but be aware that lsof might be
rooted
- If you can find running backdoors, look at their environment
(/proc/<pid>/environ), you may find useful information like SSH_CLIENT
- mount the harddisk in another machine so you can use tools that won't
be overwritten by a root kit.
- use debsums(1) to check files against the md5 sums stored in
/var/lib/dpkg/info/*.md5sums, but be aware that these files could be
modified
- backup your data and reinstall the machine.
- maybe you need to hire a security expert for complete recovery ;-)
HTH, Joerg
--
\ Joerg Wendland \ systems / network administrator, ITSec, Scan Plus GmbH
\ *joergland* \ Moerikestrasse 5, 89077 Ulm, Germany
\ \ fon +49-731-92013-21, fax +49-731-6027146
\----------------\ PGP-key: finger joerg@morpheus.ulm.scan-plus.de
\ key fingerprint: 79C0 7671 AFC7 315E 657A F318 57A3 7FBD 51CF 8417