Scan for Root Kits
Use chkrootkit to determine the extent of a compromise.

If you suspect that you have a compromised system, it is a good idea to check for root kits that the intruder may have installed. In short, a root kit is a collection of programs that intruders often install after they have compromised the root account of a system. These programs help the intruders cover their tracks, as well as provide access back into the system. Because of this, root kits will sometimes leave processes running so that the intruder can come back easily and without the system administrator's knowledge. This means that some of the system's binaries (like ps, ls, and netstat) will need to be modified by the root kit in order to not give away the backdoor processes that the intruder has put in place.

Unfortunately, there are so many different root kits that it would be far too time-consuming to learn the intricacies of each one and look for them manually. Scripts like chkrootkit (http://www.chkrootkit.org) will do the job for you automatically. In addition to detecting over 50 different root kits, chkrootkit will also detect network interfaces that are in promiscuous mode, altered lastlog files, and altered wtmp files. These files contain the times and dates of when users have logged on and off the system, so if they have been altered, this is evidence of an intruder. In addition, chkrootkit will perform tests in order to detect kernel module-based root kits. C programs that are called ...
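The three symptoms the hack describes (replaced system binaries, an interface left in promiscuous mode, and a chkrootkit report that needs reading) can each be checked with a small amount of code. The following Python script is an added example written for this page; it is not code from the book or from chkrootkit. It assumes a Linux host (sysfs exposes interface flags at /sys/class/net/<iface>/flags and the IFF_PROMISC bit is 0x100), a hypothetical manifest of known-good SHA-256 hashes that you recorded from clean media before the incident, and a constructed sample of chkrootkit output in the tool's usual "Checking `name'... result" style. Reading sysfs directly and hashing files yourself sidesteps the ifconfig, ps and ls binaries that a root kit may have trojaned.

```python
"""Triage helpers for a suspected root kit (added example, not from the book).

Assumptions: Linux sysfs layout for interface flags, IFF_PROMISC = 0x100,
a hypothetical known-good hash manifest, and a constructed chkrootkit report.
"""
import hashlib
import os
import re

IFF_PROMISC = 0x100  # Linux net_device flag bit: interface is in promiscuous mode

# Constructed sample report in chkrootkit's style (not captured from a real host).
SAMPLE_CHKROOTKIT_OUTPUT = """\
ROOTDIR is `/'
Checking `ls'... not infected
Checking `netstat'... INFECTED
Checking `ps'... not infected
Checking `sniffer'... eth0: PF_PACKET(/usr/sbin/tcpdump)
Checking `wtmp'... not infected
Checking `lastlog'... nothing deleted
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
"""

CHECK_LINE = re.compile(r"^Checking `(?P<name>[^']+)'\.\.\. (?P<result>.*)$")


def parse_chkrootkit_output(text):
    """Group report lines into infected / warnings / clean buckets.

    Any line containing INFECTED is escalated even when it is not in the
    "Checking `x'..." form, so nothing alarming is dropped. Banner lines such
    as "ROOTDIR is ..." match neither pattern and are ignored.
    """
    summary = {"infected": [], "warnings": [], "clean": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = CHECK_LINE.match(line)
        name, result = (m.group("name"), m.group("result")) if m else (line, line)
        if "INFECTED" in result:
            summary["infected"].append(name)
        elif result.startswith(("not infected", "nothing")):
            summary["clean"].append(name)
        elif any(tag in result for tag in ("Warning", "PF_PACKET", "PROMISC")):
            summary["warnings"].append(name)
    return summary


def is_promiscuous(flags):
    """True when the IFF_PROMISC bit is set in an interface's flag word."""
    return bool(flags & IFF_PROMISC)


def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """Interfaces whose sysfs flags file carries IFF_PROMISC (unreadable ones skipped)."""
    found = []
    if not os.path.isdir(sysfs_root):
        return found
    for iface in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, iface, "flags")) as fh:
                flags = int(fh.read().strip(), 16)  # sysfs prints e.g. 0x1103
        except (OSError, ValueError):
            continue
        if is_promiscuous(flags):
            found.append(iface)
    return found


def _read_file(path):
    """Raw bytes of a file, or None if it is missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return None


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_binaries(manifest, root="/", reader=_read_file):
    """Return manifest entries whose on-disk SHA-256 is missing or differs.

    `manifest` maps a path relative to `root` (e.g. "bin/ps") to the hex digest
    recorded on a clean system. `reader` is injectable so the same check can be
    run against an offline disk image or, as below, an in-memory sample.
    """
    suspect = []
    for rel, expected in manifest.items():
        data = reader(os.path.join(root, rel))
        if data is None or sha256_hex(data) != expected:
            suspect.append(rel)
    return suspect


if __name__ == "__main__":
    report = parse_chkrootkit_output(SAMPLE_CHKROOTKIT_OUTPUT)
    print("chkrootkit infected:", report["infected"])
    print("chkrootkit warnings:", report["warnings"])
    print("promiscuous interfaces:", promiscuous_interfaces())
    # Constructed in-memory "disk" and hypothetical manifest: netstat was replaced.
    fake_disk = {"/bin/ps": b"clean-ps-bytes", "/bin/netstat": b"TROJANED"}
    manifest = {"bin/ps": sha256_hex(b"clean-ps-bytes"),
                "bin/netstat": sha256_hex(b"original-netstat-bytes")}
    print("hash mismatches:", verify_binaries(manifest, reader=fake_disk.get))
```

On a live host you would feed `parse_chkrootkit_output` the real report (for example the saved output of a chkrootkit run) and give `verify_binaries` a manifest produced from known-clean media; a hash mismatch on ps, ls or netstat is exactly the trojaned-binary condition the text describes, and a populated `promiscuous_interfaces()` list is the sniffer condition chkrootkit also looks for.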