
Re: question from a newbie regarding possible trojan


On Tue, 17 Sep 2002, Claudio Martins wrote:

>   You can check the date and size of some files like /bin/ps /bin/netstat to
> see if they have timestamps consistent with the other files on the same
> directories and check that their size is not too small or too big. A normal
> ps should have around 60kB and netstat around 86kB. If you see big
> differences, suspect that your machine has been compromised and some kind of
> rootkit may have been installed.

Doing this is not the best way. The changes by the rootkit could change
the shared libraries that these files use instead, or replace the programs
with some of identical size and date that simply link to the trojaned
versions (e.g. /somewhere/.realps etc.)

Instead I recommend something like the following:

I used Red Hat several years ago and their package system RPM has a handy
option that lets you scan all installed files to see if they have been
modified from the original installation.

There is a similar tool for Debian, it is called debsums and is
unfortunately not installed by default (it could be problematic to have to
install it after a compromise has been identified, since you might want to
isolate the machine from the network during the investigation). So I
suggest you install this right away.

Anyway, to use it simply run "debsums" and pipe the output somewhere
useful. It will check the MD5 sums of each file installed by the Debian
package management system and report OK or FAILED for each. If you have
any FAILED, they are either configuration files that you (or a program)
have edited locally, or have been tampered with by an attacker (or
filesystem error, etc).

If you suspect a certain package has changed and do not want to change the
entire system you can specify just that package, e.g. "debsums ssh" or
"debsums fileutils".

A good idea would be to run debsums nightly in a cron job, emailing you a
diff of the changes since last night (preferably to an account on an
unrelated host).

If you want to check a specific file and do not know which package it is
owned by, do a "dpkg -S filename", for example to check if netstat has
been tampered with:

$ dpkg -S /bin/netstat
net-tools: /bin/netstat

$ debsums net-tools

Hope this was useful. Remember that auditing the integrity of the system
files is only a small part of securing your system, but it is an important


Thomas Horsten

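The nightly cron job the mail suggests, written out as an added example (this is not part of Thomas's reply or of the debsums package): it runs debsums, keeps the previous night's report, and mails only the status changes since then, listing newly FAILED paths first. It assumes debsums and a mail(1) accepting -s are installed; STATE_DIR and MAILTO are placeholders to adjust.

```shell
#!/bin/sh
# Nightly debsums run that mails only what changed since the previous night.
# Constructed example; assumes debsums and a mail(1) that accepts -s are
# installed. STATE_DIR and MAILTO are placeholders.
export LC_ALL=C                      # stable sort/comm ordering
STATE_DIR="${STATE_DIR:-/var/lib/debsums-nightly}"
MAILTO="${MAILTO:-admin@example.invalid}"   # ideally on an unrelated host

# Lines whose debsums status changed between two reports ("<path> OK|FAILED").
# Prints "-<old line>" and "+<new line>", nothing if the reports agree.
debsums_changes() {
    a=$(mktemp); b=$(mktemp)
    sort "$1" > "$a"; sort "$2" > "$b"
    diff "$a" "$b" | sed -n 's/^< /-/p; s/^> /+/p'
    rm -f "$a" "$b"
}

# Paths reported FAILED in the new report that were not FAILED in the old one;
# this is the list that deserves immediate attention.
new_failures() {
    a=$(mktemp); b=$(mktemp)
    awk '$NF == "FAILED" { print $1 }' "$1" | sort > "$a"
    awk '$NF == "FAILED" { print $1 }' "$2" | sort > "$b"
    comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# Cron entry point: rotate last night's report, run debsums, mail the diff.
run_nightly() {
    mkdir -p "$STATE_DIR"
    cur="$STATE_DIR/current"; prev="$STATE_DIR/previous"
    [ -f "$cur" ] && mv "$cur" "$prev"
    debsums > "$cur" 2>&1 || true    # debsums exits non-zero when anything FAILED
    if [ ! -f "$prev" ]; then        # first run: send the baseline in full
        mail -s "debsums baseline on $(hostname)" "$MAILTO" < "$cur"
        return 0
    fi
    changes=$(debsums_changes "$prev" "$cur")
    [ -z "$changes" ] && return 0    # nothing changed: stay quiet
    {
        echo "Newly FAILED since last run:"; new_failures "$prev" "$cur"
        echo; echo "All status changes:"; echo "$changes"
    } | mail -s "debsums changes on $(hostname)" "$MAILTO"
}

# Only run the check when invoked as "debsums-nightly.sh run" (e.g. from cron).
if [ "${1:-}" = "run" ]; then run_nightly; fi
```

A crontab line such as `0 3 * * * /usr/local/sbin/debsums-nightly.sh run` invokes it; locally edited configuration files will show up once and then stay quiet until they change again.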