How to check when rootkit has been installed.

horizn · 01-12-2018, 02:53 PM

Hi,
Unfortunately someone left VM exposed to the internet with easy to guess ssh root password, and rootkit Linux/XOR.DDoS has been installed. I know, when attacker gained access to the server and what aws his IP address, but I'd like to know when rootkit has been installed. Is it possible?

hydrurga · 01-12-2018, 03:34 PM

Have a read of this - https://bartblaze.blogspot.co.uk/201...uxxorddos.html - and determine the files that the rootkit creates. Have a look for these and, unless the rootkit faked the dates or has touched them since, you should be able to see the date that it started its active infiltration.

jsbjsb001 · 01-12-2018, 04:32 PM

While I don't know if this particular rootkit will be picked up by the following command, it's a good command to have installed to check for rootkit's with. You will more likely than not need to install it, as it is not normally installed by default in most Linux distro's.

Code:

[root@localhost ~]# rkhunter 

Usage: rkhunter {--check | --unlock | --update | --versioncheck |
                 --propupd [{filename | directory | package name},...] |
                 --list [{tests | {lang | languages} | rootkits | perl | propfiles}] |
                 --config-check | --version | --help} [options]

The link that hydrurga has given you looks like it's well worth a read.

Habitual · 01-13-2018, 10:12 AM

rkhunter after the fact? Dunno, as it would require a --propupd before it is effective?

Code:

clamscan -ir /path/to/scan/

should light up something.

Code:

grep aws_ip /var/log/* -R

for the time period.

Likely a reverse shell and clamscan finds a lot of those (when I had "one")

See https://aw-snap.info for interrogation techniques.

fatmac · 01-13-2018, 02:13 PM

Use a live forensic distro to check your system, such as Kali.
https://docs.kali.org/general-use/ka...forensics-mode

Trihexagonal · 01-23-2018, 12:31 PM

Quote:

Originally Posted by Habitual

rkhunter after the fact? Dunno, as it would require a --propupd before it is effective?

In addition to checking the status of files after running --propupd, rkhunter does a check of known and possible rootkit files and directories, malware checks, and in this case FreeBSD specific checks, as well as network ports if you enable nmap support.

Code:

Rootkit checks...
Rootkits checked : 477
Possible rootkits: 0

OpenBSD considers rkhunter a "gimmic" and it isn't even in their repository.

sundialsvcs · 01-23-2018, 07:09 PM

Most-importantly, "see to it that rootkits can't be installed in the first place."

Practice the "principle of least privilege." Jealously guard all user-ids which are capable of attaining root privileges and do not use these accounts ... nearly all of the time. No one can "just stumble-upon your system" and "decide to install a rootkit on it."

sfzombie13 · 02-04-2018, 07:58 PM

Quote:

Originally Posted by sundialsvcs

Most-importantly, "see to it that rootkits can't be installed in the first place."

... No one can "just stumble-upon your system" and "decide to install a rootkit on it."

While the first part of your comment is right on, the last part is most certainly not true. I stumble upon systems with full access on the open internet all the time. of course, i don't go around installing root kits, but i could if i wanted to.