
Rootkits to identify exploits on your Linux system

November 16th, 2010

Recently one of my servers was hacked and my first reaction was to freak out and panic. After I calmed myself down, I immediately closed the front door through which the attackers had gotten into the server by shutting down the Apache server.

After that, I had no idea where to start looking for backdoors that may be installed on the system. So I downloaded highly recommended rootkits for exactly these types of situations. The following rootkits helped me identify the issues on my system and figure out what to do.

  1. Rootkit Hunter – scans files and systems for known and unknown rootkits, backdoors, sniffers, and malware. The application consists of the main shell script, a few text-based databases, and optional Perl scripts. It can recognise and run external applications like ‘skdet’ and ‘unhide’. It should run on almost every Unix clone.
  2. chkrootkit – a tool to locally check for signs of a rootkit. Its core is chkrootkit, a shell script that checks system binaries for rootkit modification. The following tests are made: aliens, asp, bindshell, lkm, rexedcs, sniffer, wted, z2, amd, basename, biff, chfn, chsh, cron, date, du, dirname, echo, egrep, env, find, fingerd, gpm, grep, hdparm, su, ifconfig, inetd, inetdconf, identd, killall, login, ls, mail, mingetty, netstat, named, passwd, pidof, pop2, pop3, ps, pstree, rpcinfo, rlogind, rshd, slogin, sendmail, sshd, syslogd, tar, tcpd, top, telnetd, timed, traceroute, and write.
  3. OSSEC HIDS – a host-based intrusion detection system. It performs log analysis, integrity checking, rootkit detection, time-based alerting, and active response.
  4. Zeppoo – allows you to detect rootkits on the i386 architecture under Linux by using /dev/kmem and /dev/mem. It can also detect hidden tasks, modules, syscalls, some corrupted symbols, and hidden connections. Anti-Rootkits which don’t use these methods can be fooled easily.
  5. Rkdet – a small daemon intended to catch someone installing a rootkit or running a packet sniffer. It takes a snapshot of processes and network connections, then disconnects from the network. It may be built to watch arbitrary files such as Web pages.
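The binary checks in chkrootkit and the integrity checking in OSSEC both rest on the same idea: record what known-clean system binaries look like, then compare. The following is an added example of that idea in a few dozen lines, not code from any of the tools above; the directory root, the function names and the manifest layout are my own assumptions. The baseline should be taken from a clean install and stored off the machine, and, as the Zeppoo entry above notes, a kernel-level rootkit that hooks the filesystem can still hide files or serve clean contents to a userland checker like this one.

```python
import hashlib
import os
import stat

# Added example (assumed layout): a minimal file-integrity baseline of the kind
# chkrootkit's binary tests and OSSEC's integrity checking build on. Hash every
# regular file under a root such as /bin or /sbin on a known-clean system, keep
# the manifest offline, and diff against it after a suspected compromise.


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file's path (relative to root) to (sha256, mode, size).

    Mode is recorded too, so a binary whose contents are untouched but which
    has gained a setuid bit still shows up as modified.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            rel = os.path.relpath(full, root)
            manifest[rel] = (sha256_file(full), stat.S_IMODE(st.st_mode), st.st_size)
    return manifest


def verify_manifest(root, baseline):
    """Compare the tree under root against a stored baseline.

    Returns 'modified' (hash, mode or size changed, e.g. a trojaned ls or ps),
    'missing' (file removed) and 'added' (file absent from the baseline, e.g. a
    dropped backdoor), each as a sorted list of paths relative to root.
    """
    current = build_manifest(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added}
```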
  1. November 16th, 2010 at 13:13

    What was the problem?

    • November 16th, 2010 at 21:06

      The rootkits could not find anything obviously wrong on the system. The thing is, I caught the breach probably within an hour of it taking place and disabled perl altogether, as it was using perl CGI scripts over httpd. After that, I upgraded perl and I haven’t seen those morons back on the server.

  2. November 16th, 2010 at 13:59

    Thanks for the information, I am beginning to take security a lot more seriously these days. Any of those got a GUI, by any chance?

  3. Debianero
    November 16th, 2010 at 15:44

    Once a server is compromised, best thing is to unplug the server (as you did), mirror the whole hard disk for later intrusion analysis (if you install something in a compromised server, you’re messing everything) and reinstall everything.

    Some tips:

    http://www.debian.org/doc/manuals/securing-debian-howto/ch-after-compromise.en.html
