[WBEL-users] ROOTKIT checking software
Kirby C. Bohling
kbohling@birddog.com
Thu, 11 Nov 2004 10:36:05 -0600
On Thu, Nov 11, 2004 at 10:53:55AM -0000, Denis Croombs wrote:
> I have just taken over admin for approx 20 Linux systems (RH9.0) and need
> to check that they have not been rootkit'd (for my own peace of mind).
> Anybody had experience of good toolkits for finding out if a system has
> been compromised?
>
It's not exactly what you asked for. However, this might be useful
to you. I've used the techniques described below to check out
machines I just took over. Sorry if this is all obvious to you. I
sure wish somebody had pointed it out to me earlier in my admin
experience.
> That is before I prepare a plan to change them to Whitebox over the coming
> weeks/months.
If you have a known copy of the RPM database, you can use commands
like this (or you can probably build one with the original packages
if you use the --justdb option and change the rpmdb path; you can build
an RPM db for the packages you believe should be installed on the
machine):
Boot off a known clean disk image, mount the disks you want to
check:
$ for foo in `rpm -q -a` ; do rpm -V --nomd5 $foo ; done
$ find / -type f \! -exec rpm --quiet -q -f {} \; -print
You'll need to modify them to --root and use the --redhatprovides
to do the job. You'll probably want to remove the --nomd5 from the
options also to be more secure.
I've used the two above commands to find absolutely every file on a
machine that isn't the same as what came out of an RPM. I trusted
the RPM database on the machine. If you don't, you'll have to do
like I said and add the --root and --redhatprovides options for RPM.
It's a poor man's way of running/simulating tripwire after the fact.
The one serious issue with this is that you might have to replace
the initrd images on /boot to be absolutely sure everything is
clean (I believe those are built by a script, not installed from the
RPM, thus I don't believe they are in the database; if they are, you
shouldn't trust them anyway, as they are a good place for a rootkit to
attack to get access to the machine early in the boot cycle).
As long as I'm making the list, this is a good command to see what
packages have been updated/installed since the machine was installed:
rpm -q -a --queryformat "%{INSTALLTIME:date} %{NAME}\n"
Load that into a spreadsheet and sort by the date. There should be
a fairly obvious break in the times; that's probably the last
package that got installed on the original install.
In the end, when I take over a box, I've found these to be useful to
find everything on the machine that isn't stock. It's a quick and
relatively painless way to find out what sorts of things I need to
look out for.
Thanks,
Kirby
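The `rpm -V` loop above produces one status line per changed file, and on 20 boxes that is a lot to eyeball. Here is an added example (not from the post) that triages that output offline: it separates edited config files, which an admin expects, from content or ownership changes on ordinary packaged files and from missing files, which need a look. It assumes the documented rpm -V line format (status string SM5DLUGT, optionally with a ninth P column on newer rpm, or the word "missing", then an optional c/d/g/l/r file-type marker, then the path); the sample output is constructed. Note that with --nomd5 the digest column is never set, which is why the post suggests dropping that option.

```python
"""Triage `rpm -V` output (added example; sample input is constructed)."""

# Column meanings of the rpm -V status string ('.' = same, '?' = not tested).
FLAG_NAMES = {
    "S": "size", "M": "mode", "5": "digest", "D": "device",
    "L": "symlink", "U": "owner", "G": "group", "T": "mtime", "P": "caps",
}
TYPE_MARKERS = set("cdglr")  # config, doc, ghost, license, readme
# Anything beyond a bare mtime change on a non-config file is worth a look.
CONTENT_FLAGS = {"size", "mode", "digest", "device", "symlink", "owner", "group", "caps"}

# Constructed sample, modelled on rpm 4.x verify output.
SAMPLE_RPM_V = """\
S.5....T  c /etc/ssh/sshd_config
.......T    /usr/share/doc/bash-2.05b/README
S.5....T    /bin/ls
missing     /sbin/ifconfig
Unsatisfied dependencies for foo-1.0: bar
"""

def parse_verify_line(line):
    """Return (path, is_config, changed_flags, missing), or None for non-verify lines."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return None
    status = parts[0]
    if status == "missing":
        flags, missing = set(), True
    elif 8 <= len(status) <= 9 and all(ch in "SM5DLUGTP.?" for ch in status):
        flags = {FLAG_NAMES[ch] for ch in status if ch in FLAG_NAMES}
        missing = False
    else:
        return None  # dependency warnings and other chatter
    rest = parts[1:]
    if len(rest) == 2 and rest[0] in TYPE_MARKERS:
        return rest[1], rest[0] == "c", flags, missing
    return " ".join(rest), False, flags, missing

def triage(lines):
    """Split verify output into (suspicious, expected) lists of (path, flags)."""
    suspicious, expected = [], []
    for line in lines:
        parsed = parse_verify_line(line)
        if parsed is None:
            continue
        path, is_config, flags, missing = parsed
        desc = "missing" if missing else ",".join(sorted(flags))
        if missing or (flags & CONTENT_FLAGS and not is_config):
            suspicious.append((path, desc))
        else:
            expected.append((path, desc))
    return suspicious, expected

if __name__ == "__main__":
    for label, entries in zip(("SUSPICIOUS", "EXPECTED"), triage(SAMPLE_RPM_V.splitlines())):
        print(label)
        for path, desc in entries:
            print(f"  {desc:16} {path}")
```

To use it on a real box, feed it the saved output of the verify loop, e.g. `triage(open("verify.log").read().splitlines())`.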