[WBEL-users] ROOTKIT checking software

Kirby C. Bohling kbohling@birddog.com
Thu, 11 Nov 2004 10:36:05 -0600


On Thu, Nov 11, 2004 at 10:53:55AM -0000, Denis Croombs wrote:
> I have just taken over admin for approx 20 Linux systems (RH9.0) and need 
> to check that they have not been rootkit'd (for my own peace of mind) 
> anybody had experience of good toolkits for finding out if a system has 
> been compromised ?
> 

It's not exactly what you asked for.  However, this might be useful
to you.  I've used the techniques described below to check out
machines I just took over.  Sorry if this is all obvious to you.  I
sure wish somebody had pointed it out to me earlier in my admin
experience.

> That is before I prepare a plan to change them to Whitebox over the coming 
> weeks/months.


If you have a known copy of the RPM database, you can use commands
like this (or you can probably build one with the original packages
if you use the --justdb option and change the rpmdb path, you can build
a RPM db for the packages you believe should be installed on the
machine):

Boot off a known clean disk image, mount the disks you want to
check:

$ for foo in `rpm -q -a` ; do rpm -V --nomd5 $foo ; done

$ find / -type f \! -exec rpm --quiet -q -f {} \; -print

You'll need to modify them to --root and use the --redhatprovides
to do the job.  You'll probably want to remove the --nomd5 from the
options also to be more secure.

I've used the two above commands to find absolutely every file on a
machine that isn't the same as what came out of an RPM.  I trusted
the RPM database on the machine.  If you don't, you'll have to do
like I said and add the --root and --redhatprovides options for RPM.

It's a poor man's way of running/simulating tripwire after the fact.
The one serious issue with this is that you might have to replace
the initrd images on /boot to be absolutely sure everything is
clean (I believe those are built by a script, not installed from the
RPM, thus I don't believe they are in the database, if they are you
shouldn't trust them anyway, they are a good place for a rootkit to
attack to get access to the machine early in the boot cycle).

As long as I'm making the list, this is a good command to see what
packages have been updated/installed since the machine was installed:

rpm -q -a --queryformat "%{INSTALLTIME:date} %{NAME}\n"

Load that into a spreadsheet and sort by the date.  There should be
a fairly obvious break in the times, that's probably the last
package that got installed on the original install.

In the end, when I take over a box, I've found these to be useful to
find everything on the machine that isn't stock.  It's a quick and
relatively painless way to find out what sorts of things I need to
look out for.

	Thanks,
		Kirby
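The two checks above (verifying every installed package with rpm -V and
finding the break in package install times) produce a lot of raw output
on a 20-machine fleet. The script below is an added example, not part of
Kirby's post or of rpm itself: it parses constructed sample output from
those commands and buckets the results the way a reviewer would (missing
files first, then non-config files whose contents, mode or ownership
differ from the package, then edited config files). For the install-time
listing it assumes the raw epoch form `%{INSTALLTIME}` rather than the
`%{INSTALLTIME:date}` form used above, because that parses without any
locale handling; the function names and the sample data are this
example's own.

```python
"""Triage helpers for `rpm -V` output and `rpm -qa` install-time listings.

All sample data below is constructed for illustration; it is not output
from a real machine.
"""
import re

# Constructed sample of `rpm -V` output (RH9-era rpm prints 8 flag columns).
# Columns: S size, M mode, 5 md5, D device, L link, U user, G group, T mtime;
# '.' means the test passed, '?' means it could not be run. An optional
# attribute letter follows (c config, d doc, g ghost, l license, r readme),
# then the path. A file that no longer exists is reported as "missing".
SAMPLE_VERIFY = """\
S.5....T  c /etc/ssh/sshd_config
.......T    /usr/share/man/man1/ls.1.gz
S.5....T    /bin/ls
SM5....T    /bin/login
missing     /sbin/ifconfig
.M......    /usr/bin/passwd
"""

VERIFY_RE = re.compile(
    r'^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+'
    r'(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S*)\s*$'
)

# Flags that mean the file itself (content, permissions, owner, type) no
# longer matches the package. A bare mtime change (T) is not in this set.
CONTENT_FLAGS = set("SM5DLUG")


def parse_verify(text):
    """Turn rpm -V output into records; lines that do not match are skipped
    (rpm also prints dependency warnings, which are not file records)."""
    records = []
    for line in text.splitlines():
        m = VERIFY_RE.match(line)
        if not m:
            continue
        records.append({
            "path": m.group("path"),
            "flags": m.group("flags"),
            "attr": m.group("attr"),
            "missing": m.group("flags") == "missing",
        })
    return records


def classify(rec):
    """Bucket one record: missing, content-changed, config-edited or benign."""
    if rec["missing"]:
        return "missing"
    changed = set(rec["flags"]) & CONTENT_FLAGS
    if not changed:
        return "benign"            # only mtime (or nothing) differs
    if rec["attr"] == "c" and changed <= {"S", "5"}:
        return "config-edited"     # an admin-edited config file: review, but expected
    return "content-changed"       # a non-config file, or mode/owner/type changed


def triage(text):
    """Group rpm -V output by category, most serious bucket first."""
    buckets = {"missing": [], "content-changed": [], "config-edited": [], "benign": []}
    for rec in parse_verify(text):
        buckets[classify(rec)].append(rec["path"])
    return buckets


# Constructed sample of:
#   rpm -q -a --queryformat "%{INSTALLTIME} %{NAME}\n"
# (epoch seconds; assumption for this example, see lead-in).
SAMPLE_INSTALL = """\
1047312000 glibc
1047312010 bash
1047312025 openssh-server
1047312031 rpm
1047312040 vim-minimal
1051700000 openssh-server
1099000000 net-tools
"""


def parse_install_times(text):
    """Return (epoch, name) pairs sorted by install time."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            ts, name = line.split(None, 1)
            entries.append((int(ts), name.strip()))
    return sorted(entries)


def split_at_first_gap(entries, min_gap=86400):
    """Split the sorted listing at the first gap longer than min_gap seconds.

    Everything before the gap is the original install (packages are written
    within minutes of each other); everything after it was added later and
    deserves a look. With no such gap the whole list is the baseline."""
    entries = sorted(entries)
    for i in range(1, len(entries)):
        if entries[i][0] - entries[i - 1][0] > min_gap:
            return entries[:i], entries[i:]
    return entries, []


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_VERIFY).items():
        print(f"{bucket}: {paths}")
    baseline, later = split_at_first_gap(parse_install_times(SAMPLE_INSTALL))
    print("original install ends with:", baseline[-1][1])
    print("installed later:", [name for _, name in later])
```

Run it against real output by replacing the two SAMPLE_ strings with the
captured output of `rpm -V` and the epoch-form `rpm -qa --queryformat`
command; the config-edited bucket is where normal admin work lands, while
anything in missing or content-changed is what the post's manual review
is looking for.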