LinuxQuestions.org - Linux - Security
How to check when rootkit has been installed. (https://www.linuxquestions.org/questions/linux-security-4/how-to-check-when-rootkit-has-been-installed-4175621511/)

horizn 01-12-2018 02:53 PM

How to check when rootkit has been installed.
 
Hi,
Unfortunately someone left a VM exposed to the internet with an easy-to-guess SSH root password, and the rootkit Linux/XOR.DDoS has been installed. I know when the attacker gained access to the server and what his IP address was, but I'd like to know when the rootkit was installed. Is it possible?

hydrurga 01-12-2018 03:34 PM

Have a read of this - https://bartblaze.blogspot.co.uk/201...uxxorddos.html - and determine the files that the rootkit creates. Have a look for these and, unless the rootkit faked the dates or has touched them since, you should be able to see the date that it started its active infiltration.
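
The approach above (find the files the rootkit drops, then read their timestamps) as an added example, not code from hydrurga's post or from the write-up linked there. It assumes the attacker's first login time is already known from the logs, as the original poster says, and that the list of paths to check comes from the vendor write-up; the paths and epoch value in the usage comment are placeholders. The point it adds is which timestamp to trust: `touch -d` can set mtime and atime to anything, but ctime is set by the kernel on any inode change and cannot be set from userland, so ctime is the honest record of when a file landed and a file whose mtime is far older than its ctime is itself suspicious.

```shell
#!/bin/sh
# Added example (not from the thread): bound the rootkit's install time with inode timestamps.
#   files_changed_since ROOT EPOCH  - every regular file under ROOT whose ctime is >= EPOCH,
#                                     oldest first; feed it the epoch of the attacker's first login
#   flag_backdated SLACK PATH...    - atime/mtime/ctime of the paths from the vendor write-up,
#                                     flagging files whose mtime is more than SLACK seconds
#                                     older than their ctime
# Why ctime: touch -d / utimes() can rewrite atime and mtime, but ctime is updated by the kernel
# to the current clock on any inode change and cannot be set from userland (short of moving the
# system clock or writing the block device directly). A fresh write sets mtime == ctime, so a
# large gap means the mtime was set afterwards.
# Caveat: tar -x and package managers also restore old mtimes, so confirm before calling a file
# BACKDATED; the ctime is still the time it arrived on this filesystem.

files_changed_since() {
    root=$1
    since=$2   # seconds since epoch, e.g. $(date -d '2018-01-10 13:58' +%s)
    # -xdev stays on one filesystem so /proc, /sys and tmpfs mounts do not flood the list
    find "$root" -xdev -type f -exec stat -c '%Z %z %n' {} + 2>/dev/null \
        | awk -v since="$since" '$1 >= since' \
        | sort -n
}

flag_backdated() {
    slack=${1:-60}
    shift
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING $f"
            continue
        fi
        # %X atime, %Y mtime, %Z ctime, all as seconds since epoch
        stat -c '%X %Y %Z' "$f" | awk -v f="$f" -v slack="$slack" '{
            tag = ($3 - $2 > slack) ? "BACKDATED?" : "ok"
            printf "%s atime=%s mtime=%s ctime=%s %s\n", tag, $1, $2, $3, f
        }'
    done
}

# Usage, guarded so the file can also be sourced (placeholder epoch and paths):
#   sh timeline.sh --since 1515614280 /
#   sh timeline.sh --check /path/from/writeup /another/path
case "${1-}" in
    --since) files_changed_since "${3:-/}" "$2" ;;
    --check) shift; flag_backdated 60 "$@" ;;
esac
```

Run `--since` with the login epoch from the auth log and read the list from the top: the earliest entries after the login are the dropper and whatever it unpacked, and that ctime is the closest thing the disk has to an install time. Then run `--check` on the paths named in the write-up to see whether the rootkit bothered to backdate them.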

jsbjsb001 01-12-2018 04:32 PM

While I don't know if this particular rootkit will be picked up by the following command, it's a good command to have installed to check for rootkits with. You will more likely than not need to install it, as it is not normally installed by default in most Linux distros.

Code:

[root@localhost ~]# rkhunter

Usage: rkhunter {--check | --unlock | --update | --versioncheck |
                --propupd [{filename | directory | package name},...] |
                --list [{tests | {lang | languages} | rootkits | perl | propfiles}] |
                --config-check | --version | --help} [options]

The link that hydrurga has given you looks like it's well worth a read.

Habitual 01-13-2018 10:12 AM

rkhunter after the fact? Dunno, as it would require a --propupd before it is effective?

Code:

clamscan -ir /path/to/scan/
should light up something.

Code:

grep -R "<attacker_ip>" /var/log/
for the time period.

Likely a reverse shell and clamscan finds a lot of those (when I had "one")

See https://aw-snap.info for interrogation techniques.
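
The log search suggested above, carried one step further as an added example that is not part of Habitual's post. The auth-log lines are constructed for the example, the attacker address 203.0.113.45 is a placeholder from the documentation range, and the real log path is whatever the distro uses (/var/log/auth.log on Debian-family, /var/log/secure on RHEL-family). The extra step is the join: sshd's pam_unix "session opened/closed" lines carry no IP address, only the sshd PID, so a bare grep for the IP never shows when each session ended, and the session windows are exactly where the install time has to fall.

```shell
#!/bin/sh
# Added example (not from the thread): bound the attacker's SSH sessions from a syslog-style
# auth log. Pass 1 collects the PID of every "Accepted ... from IP" line; pass 2 attaches the
# "session closed" time by PID. Whatever was installed landed inside one of those windows
# (or in a cron/at job the intruder left behind, so check those as well).
# Caveat: an intruder with root can truncate or edit this log, so cross-check against
# `last -f /var/log/wtmp` and `lastb` before trusting the timeline.

# Constructed sample log (not real data); 203.0.113.45 (documentation range) plays the attacker.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 10 09:00:00 vm sshd[1100]: Accepted publickey for admin from 198.51.100.7 port 22222 ssh2
Jan 10 13:58:01 vm sshd[1201]: Failed password for root from 203.0.113.45 port 51234 ssh2
Jan 10 13:58:03 vm sshd[1201]: Failed password for root from 203.0.113.45 port 51234 ssh2
Jan 10 13:58:07 vm sshd[1205]: Accepted password for root from 203.0.113.45 port 51240 ssh2
Jan 10 13:58:07 vm sshd[1205]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 10 14:02:41 vm sshd[1205]: pam_unix(sshd:session): session closed for user root
Jan 11 02:17:55 vm sshd[2291]: Accepted password for root from 203.0.113.45 port 40110 ssh2
Jan 11 02:17:55 vm sshd[2291]: pam_unix(sshd:session): session opened for user root by (uid=0)
EOF
}

# ssh_sessions LOG IP -> "PID USER OPENED CLOSED" per accepted login from IP. CLOSED is "-"
# when no "session closed" line exists: still open, log rotated, or truncated by the intruder.
ssh_sessions() {
    awk -v ip="$2" '
        # exact match on the token after "from", so 203.0.113.4 does not match 203.0.113.45
        function from_ip(addr,   i) {
            for (i = 1; i < NF; i++) if ($i == "from" && $(i + 1) == addr) return 1
            return 0
        }
        # field 5 looks like "sshd[1205]:"; strip the wrapper to get the PID
        function pid_of(   p) { p = $5; sub(/^sshd\[/, "", p); sub(/\]:$/, "", p); return p }
        NR == FNR {
            if ($6 == "Accepted" && from_ip(ip)) {
                p = pid_of()
                user[p] = $9
                opened[p] = $1 " " $2 " " $3
                closed[p] = "-"
            }
            next
        }
        /session closed for user/ {
            p = pid_of()
            if (p in user) closed[p] = $1 " " $2 " " $3
        }
        END { for (p in user) print p, user[p], opened[p], closed[p] }
    ' "$1" "$1" | sort -n
}

# failed_logins LOG IP -> number of failed password attempts from IP (the brute force itself)
failed_logins() {
    awk -v ip="$2" '
        function from_ip(addr,   i) {
            for (i = 1; i < NF; i++) if ($i == "from" && $(i + 1) == addr) return 1
            return 0
        }
        $6 == "Failed" && from_ip(ip) { n++ }
        END { print n + 0 }
    ' "$1"
}

# Usage on a real box (placeholder address):
#   ssh_sessions /var/log/auth.log 203.0.113.45
#   failed_logins /var/log/auth.log 203.0.113.45
```

On the sample data this yields two sessions for the attacker, 13:58:07 to 14:02:41 on Jan 10 and one opened at 02:17:55 on Jan 11 with no close, preceded by two failed password attempts. The first window is where to look for the dropper; the second, unclosed one is the return visit, which is typical for a DDoS bot being re-tasked.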

fatmac 01-13-2018 02:13 PM

Use a live forensic distro to check your system, such as Kali.
https://docs.kali.org/general-use/ka...forensics-mode

Trihexagonal 01-23-2018 12:31 PM

Quote:

Originally Posted by Habitual (Post 5805953)
rkhunter after the fact? Dunno, as it would require a --propupd before it is effective?

In addition to checking the status of files after running --propupd, rkhunter does a check of known and possible rootkit files and directories, malware checks, and in this case FreeBSD-specific checks, as well as network ports if you enable nmap support.

Code:

Rootkit checks...
Rootkits checked : 477
Possible rootkits: 0

OpenBSD considers rkhunter a "gimmick" and it isn't even in their repository.

sundialsvcs 01-23-2018 07:09 PM

Most-importantly, "see to it that rootkits can't be installed in the first place." :tisk:

Practice the "principle of least privilege." Jealously guard all user-ids which are capable of attaining root privileges and do not use these accounts ... nearly all of the time. No one can "just stumble-upon your system" and "decide to install a rootkit on it."
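
A concrete check for the "see to it that rootkits can't be installed in the first place" point, added here and not part of sundialsvcs's post. The two settings that let this VM fall are root login over SSH and password authentication; the script audits the effective values from `sshd -T` (the real `sshd` flag that prints the configuration after Include files and Match blocks are resolved) and emits the corrected settings. The weak sample configuration in the usage comment is constructed; `sshd -T` itself needs root.

```shell
#!/bin/sh
# Added example (not from the thread): audit the effective sshd settings that let a box fall
# to a password brute force, and print the hardened replacement.
# Reading /etc/ssh/sshd_config by eye misses overrides in Include files and Match blocks;
# `sshd -T` prints what sshd will actually enforce, one lowercase keyword per line.

# audit_sshd [FILE] -> one "WEAK keyword value" line per risky setting, or "OK".
# FILE is in `sshd -T` format; defaults to stdin so it can be fed straight from sshd -T.
# PermitRootLogin prohibit-password (root by key only) is tolerated; "yes" is not.
audit_sshd() {
    awk '
        { k = tolower($1); v = tolower($2) }
        k == "permitrootlogin" && v == "yes"        { bad++; print "WEAK", k, v }
        k == "passwordauthentication" && v == "yes" { bad++; print "WEAK", k, v }
        k == "permitemptypasswords" && v == "yes"   { bad++; print "WEAK", k, v }
        END { if (!bad) print "OK" }
    ' "${1:-/dev/stdin}"
}

# hardened_sshd_dropin -> the corrected settings. Put them in /etc/ssh/sshd_config.d/*.conf on
# distros whose sshd_config carries the matching Include line, otherwise at the top of
# /etc/ssh/sshd_config: for most keywords sshd uses the first value it reads, so these must
# come before any Match block.
hardened_sshd_dropin() {
    cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
# Uncomment and list the admin accounts once their keys are in place:
# AllowUsers admin
EOF
}

# Order of operations on a real box: confirm a key-based login for an unprivileged account
# works FIRST, then install the drop-in, validate it with `sshd -t`, reload sshd, and re-run
#   sshd -T | audit_sshd
# from a second session before closing the one you are in.
#
# Constructed weak dump for a dry run (what sshd -T prints on a box like the one in the thread):
#   printf 'permitrootlogin yes\npasswordauthentication yes\n' | audit_sshd
```

Least privilege in sshd terms is then: nobody logs in as root directly, nobody logs in with a password, and only named accounts log in at all; root is reached through sudo from an audited session, which is also the session the auth log will show.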

sfzombie13 02-04-2018 07:58 PM

Quote:

Originally Posted by sundialsvcs (Post 5810630)
Most-importantly, "see to it that rootkits can't be installed in the first place."

... No one can "just stumble-upon your system" and "decide to install a rootkit on it."

While the first part of your comment is right on, the last part is most certainly not true. I stumble upon systems with full access on the open internet all the time. Of course, I don't go around installing rootkits, but I could if I wanted to.

