How to check when rootkit has been installed.
Hi,
Unfortunately someone left a VM exposed to the internet with an easy-to-guess SSH root password, and the rootkit Linux/XOR.DDoS has been installed. I know when the attacker gained access to the server and what his IP address was, but I'd like to know when the rootkit was installed. Is it possible?
Have a read of this - https://bartblaze.blogspot.co.uk/201...uxxorddos.html - and determine the files that the rootkit creates. Have a look for these and, unless the rootkit faked the dates or has touched them since, you should be able to see the date that it started its active infiltration.
While I don't know if this particular rootkit will be picked up by the following command, it's a good command to have installed to check for rootkits with. You will more likely than not need to install it, as it is not normally installed by default in most Linux distros.
Code:
[root@localhost ~]# rkhunter --check
rkhunter after the fact? Dunno, as it would require a --propupd before it is effective?
Code:
clamscan -ir /path/to/scan/
Code:
grep -R aws_ip /var/log/
Likely a reverse shell, and clamscan finds a lot of those (when I had "one"). See https://aw-snap.info for interrogation techniques.
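The two approaches in this thread (stat the files the rootkit drops, and grep the logs for the attacker's IP) can be put on one timeline. The script below is an added example, not code from any poster or from the linked write-up; the file names, the syslog lines and the address 198.51.100.7 are constructed, and the rootkit file list is a placeholder you replace with the paths from the write-up. It also flags the caveat raised above: a tool like touch can rewrite mtime/atime, but on Linux the kernel resets ctime whenever the inode changes, so a file whose mtime is far older than its ctime has probably been backdated, and ctime is the better first estimate of when the file was written.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from typing import Iterable

# Hypothetical rootkit drop paths; replace with the files named in the write-up.
ROOTKIT_PATHS = ["/path/to/rootkit/file1", "/path/to/rootkit/file2"]

# Constructed syslog lines (classic "Mon dd HH:MM:SS host msg" format).
SYSLOG = [
    "Mar  3 02:14:07 vm sshd[1021]: Accepted password for root from 198.51.100.7 port 51234 ssh2",
    "Mar  3 02:14:07 vm systemd-logind[612]: New session 9 of user root.",
    "Mar  3 02:17:41 vm sshd[1021]: Received disconnect from 198.51.100.7 port 51234:11: disconnected by user",
    "Mar  3 03:00:01 vm CRON[1200]: (root) CMD (run-parts /etc/cron.hourly)",
]

LOG_LINE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<msg>.*)$")


def file_timeline(paths: Iterable[str]) -> list[dict]:
    """One record per existing path with atime/mtime/ctime as epoch seconds."""
    records = []
    for p in paths:
        try:
            st = os.lstat(p)          # lstat: do not follow a symlink the rootkit may have planted
        except FileNotFoundError:
            continue
        records.append({
            "path": p,
            "atime": st.st_atime,
            "mtime": st.st_mtime,
            "ctime": st.st_ctime,
            # ctime cannot be set with utime()/touch, so mtime lagging ctime by
            # more than an hour is a strong hint that mtime was backdated.
            "mtime_backdated": st.st_ctime - st.st_mtime > 3600,
        })
    return records


def log_hits(lines: Iterable[str], ip: str, year: int) -> list[tuple]:
    """Events (epoch, 'log', message) for every syslog line mentioning the IP.
    Syslog lines carry no year, so the caller supplies it; timestamps are read as UTC."""
    hits = []
    for line in lines:
        if ip not in line:
            continue
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
        hits.append((ts.timestamp(), "log", m["msg"]))
    return hits


def build_timeline(paths, lines, ip, year) -> list[tuple]:
    """Merge file ctime/mtime events and log hits into one sorted timeline."""
    events = []
    for r in file_timeline(paths):
        events.append((r["ctime"], "file-ctime", r["path"]))
        label = r["path"] + (" (mtime backdated?)" if r["mtime_backdated"] else "")
        events.append((r["mtime"], "file-mtime", label))
    events.extend(log_hits(lines, ip, year))
    return sorted(events)


def demo() -> dict:
    """Self-contained run on constructed files: one backdated with utime, one untouched."""
    tmp = tempfile.mkdtemp()
    backdated = os.path.join(tmp, "dropper.backdated")
    fresh = os.path.join(tmp, "dropper.fresh")
    for p in (backdated, fresh):
        with open(p, "w") as f:
            f.write("constructed sample\n")
    old = 1420070400.0                      # 2015-01-01T00:00:00Z
    os.utime(backdated, (old, old))         # rewrites atime/mtime only; ctime becomes "now"
    paths = [backdated, fresh, os.path.join(tmp, "missing")]
    recs = {os.path.basename(r["path"]): r for r in file_timeline(paths)}
    return {
        "backdated": recs["dropper.backdated"],
        "fresh": recs["dropper.fresh"],
        "seen": sorted(recs),
        "hits": log_hits(SYSLOG, "198.51.100.7", 2024),
        "timeline": build_timeline(paths, SYSLOG, "198.51.100.7", 2024),
    }


if __name__ == "__main__":
    for epoch, kind, what in demo()["timeline"]:
        print(datetime.fromtimestamp(epoch, timezone.utc).isoformat(), kind, what)
```

Run it against the real paths from the write-up and the real log directory (read the rotated and gzipped logs too) from a live distro rather than the infected host, since a kernel-level rootkit can lie to stat on the running system; the output is an ordered list where the first ctime among the rootkit's files, bracketed by the attacker's login and disconnect lines, is the best estimate of the install time.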
Use a live forensic distro to check your system, such as Kali.
https://docs.kali.org/general-use/ka...forensics-mode
Most importantly, "see to it that rootkits can't be installed in the first place." :tisk:
Practice the "principle of least privilege." Jealously guard all user IDs which are capable of attaining root privileges and do not use these accounts ... nearly all of the time. No one can "just stumble upon your system" and "decide to install a rootkit on it."