Hi Craig,

On Thu, Aug 30, 2001 at 09:34:51AM +0200, Craig wrote:
> I need to know if there is any software for debian to
> detect the presence of backdoors or rootkits. I suspect
> that our old debian web server has been compromised.

This is what I would do:

- check running processes: compare 'ps ax' with the process entries in /proc;
  most rootkits hide processes via a patched ps but cannot do so with the procfs
- check the scripts in /etc/init.d for the starting of any suspect daemons; check
  for scripts that are not Debian-like and ones not written by you or any other admin
- look for ordinary files in /dev (I had a directory named /dev/hda0, for example),
  dotfiles like /lib/.moo/, directories with names normally used only for files
  (/usr/lib/libfoobar.so/) and directories with invisible names (spaces, for
  example: /tmp/ /)
- scan the machine for unusual open ports and use lsof to find out to which
  processes these ports belong, but be aware that lsof might be rooted
- if you can find running backdoors, look at their environment
  (/proc/<pid>/environ); you may find useful information like SSH_CLIENT
- mount the hard disk in another machine so you can use tools that won't have
  been overwritten by a rootkit
- use debsums(1) to check files against the md5 sums stored in
  /var/lib/dpkg/info/*.md5sums, but be aware that these files could be modified
- back up your data and reinstall the machine
- maybe you need to hire a security expert for complete recovery ;-)

HTH,
Joerg

-- 
\ Joerg Wendland  \ systems / network administrator, ITSec, Scan Plus GmbH
\ *joergland*     \ Moerikestrasse 5, 89077 Ulm, Germany
\                 \ fon +49-731-92013-21, fax +49-731-6027146
\----------------\ PGP-key: finger joerg@morpheus.ulm.scan-plus.de
\ key fingerprint: 79C0 7671 AFC7 315E 657A F318 57A3 7FBD 51CF 8417
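The on-host checks from Joerg's list (ps versus /proc, odd entries in /dev and the library directories, a process's environment, lsof and debsums), written up as an added shell example. This is not code from the original mail or from Debian; the function names, the `--live` switch and the directory set it walks are assumptions of the example, and the checks that only read constructed input can be run without root. Only the standard Linux paths under /proc and /dev are taken from the mail.

```shell
#!/bin/sh
# Added example (not from the original mail): Joerg's cross-checks as small
# functions. Those that take file or directory arguments work on constructed
# input; live_checks runs them against the real system.

# PIDs present in the procfs listing ($2, one PID per line) but absent from the
# ps listing ($1): a patched ps hides processes, the procfs does not.
pids_hidden_from_ps() {
    grep -vxFf "$1" "$2" || true   # grep exits 1 when nothing is hidden
}

# Live collectors for the comparison above. Take both snapshots back to back;
# processes that start or exit in between appear as one-off false positives,
# so rerun before drawing conclusions.
ps_pids()   { ps -e -o pid= | tr -d ' '; }
proc_pids() { ls -1 /proc | grep -x '[0-9]*'; }

# Regular files at the top level of a directory where only device nodes,
# symlinks and subdirectories belong (/dev; the mail's /dev/hda0 was a
# directory, the next trick is a plain file).
regular_files_in() {
    find "$1" -mindepth 1 -maxdepth 1 -type f
}

# Names that look wrong anywhere: entries containing a space ("/tmp/ /"),
# hidden dot-directories (/lib/.moo/) and directories named like shared
# objects (/usr/lib/libfoobar.so/).
odd_names_in() {
    {
        find "$1" -mindepth 1 -maxdepth 1 -name '* *'
        find "$1" -mindepth 1 -maxdepth 1 -type d \
            \( -name '.*' -o -name '*.so' -o -name '*.so.*' \)
    } | sort -u
}

# /proc/<pid>/environ is NUL-separated; print one variable per line so
# entries such as SSH_CLIENT stand out.
show_environ() { tr '\000' '\n' < "$1"; }
proc_environ() { show_environ "/proc/$1/environ"; }

# Everything above against the live system, plus the two checks that need
# real tools: lsof for the port-to-process mapping, debsums -c for package
# files whose md5sum no longer matches /var/lib/dpkg/info/*.md5sums.
live_checks() {
    t=$(mktemp -d)
    ps_pids   > "$t/ps"
    proc_pids > "$t/proc"
    echo "== PIDs in /proc not shown by ps =="
    pids_hidden_from_ps "$t/ps" "$t/proc"
    rm -rf "$t"
    echo "== regular files in /dev =="
    regular_files_in /dev
    for d in /dev /lib /usr/lib /tmp; do
        echo "== odd names in $d =="
        odd_names_in "$d"
    done
    echo "== listening TCP sockets and their processes (lsof itself may be rooted) =="
    lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null || echo "lsof not available"
    echo "== package files whose md5sum changed =="
    debsums -c 2>/dev/null || echo "debsums not available or reported changed files"
}

# Run the live checks only when asked: ./rootkit-checks.sh --live
case "${1:-}" in --live) live_checks ;; esac
```

Run it with `--live` on the suspect box for a first look, but treat every result as a hint rather than proof: as the mail says, ps, lsof and the stored md5sums can all have been replaced, so the same checks repeated from a clean system with the disk mounted read-only are what you should trust.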