[kwlug-disc] server compromised

john at netdirect.ca john at netdirect.ca
Thu May 14 10:04:22 EDT 2009

kwlug-disc-bounces at kwlug.org wrote on 05/14/2009 09:24:05 AM:
> Have you ever heard of a rootkit which installs a modified rpm that
> would return a false positive verification of packages it had changed?
> I think that some viruses on Windows will hamstring antivirus software
> if they can get around it in the first place, making detection much more
> difficult.  It seems like a logical move to try something similar with
> package verification.

So far "they" haven't caught up to that, but it is a concern. Rootkits to 
date haven't been too smart. I can see how someone might suspect that they

Smarter rootkits verify the root kit installation when running each 
binary. RPM packages may have pre-scripts and post-scripts that are run 
before or after installing files. If a script uses an infected binary
re-installing a package may result in re-infection. 

Another trick is to set ext2 immutable attributes on the rootkit binaries 
(man lsattr to learn about ext2 attributes). RPM can't replace these files 
but also doesn't produce an error. In either of these cases re-installing 
an RPM may not result in removing the root kit. This can certainly give 
someone the impression RPM has been hacked too.

The fix is to check for and reset immutable bits (lsattr, chattr), use the 
--noscripts option when re-installing RPMs and avoid the use of hacked 
tools. Use "echo *" as a simple replacement for ls. Look in /proc instead 
of using ps. Use "cat /proc/net/sockstat" instead of netstat (and learn to 
read hex.)

Here is a quick way to see if a system has a root kit. It will be quite 
accurate on positives, and reasonably accurate on negatives for a quick 

lsattr /bin/* /usr/bin/* | egrep -v -- -{15}                    # find all files that have ext extended attributes
rpm -V coreutils net-tools procps util-linux util-linux-ng      # ls, netstat, ps, top, etc.
rpm -V openssh-server openssh-clients                           # commonly hacked for ssh

Once you've verified that the tools are good we can use them for other 
checks. Some hacks don't use root kits, they just install a daemon like an 
IRC bot or a back door and try to hide it using a normal name like "init", 
"cron" or "httpd".

netstat -a                              # look for odd connections and listening ports
find /dev -type f                       # find all normal files in /dev, hacks often put files here
ps -ef | grep init                      # There should be only one
ps -ef | grep cron                      # again only one
ps -ef | grep httpd                     # There may be lots, but only one with PPID of 1
ls -l /tmp /var/tmp                     # Look for odd files owned by apache user.
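The checks above go through ls, ps and netstat, which are exactly the binaries a rootkit replaces. The script below is an added example, not part of John's post or any KWLUG material: it puts the "look in /proc instead of using ps" and "learn to read hex" advice into practice by reading /proc/<pid>/stat and decoding the hex address columns of /proc/net/tcp itself, and it applies the init/cron/httpd rules and the immutable-bit check from the list above. All function names are this example's own, and the sample_* tables are constructed input so the parsers can be tried without a compromised host.

```sh
#!/bin/sh
# Added example, not from the original post: rootkit triage that reads /proc and
# parses lsattr output itself, so a trojaned ls/ps/netstat is never executed.
# Function names are this example's own; the sample_* tables are constructed.

# Decode a /proc/net/tcp (or udp) address field, e.g. "0100007F:0016" ->
# "127.0.0.1:22".  The address is 8 hex digits in host byte order (so on x86 the
# last octet comes first); the port is big-endian hex.  tcp6 is not handled.
decode_addr() {
    hex=${1%%:*}; port=${1##*:}
    o4=${hex%??????}; rest=${hex#??}     # first two hex digits = last octet
    o3=${rest%????};  rest=${rest#??}
    o2=${rest%??};    o1=${rest#??}
    printf '%s.%s.%s.%s:%s\n' "$((0x$o1))" "$((0x$o2))" "$((0x$o3))" "$((0x$o4))" "$((0x$port))"
}

# Print "addr:port" for every LISTEN (state 0A) socket in a tcp table on stdin.
list_listeners() {
    read -r header                       # skip the column headings
    while read -r sl local rem st rest; do
        if [ "$st" = "0A" ]; then decode_addr "$local"; fi
    done
}

# Constructed /proc/net/tcp excerpt: sshd, a local MTA, a listener on 6667 (IRC).
sample_tcp_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0016 0100007F:C2A4 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 20 4 30 10 -1
EOF
}

# Emit "pid ppid comm" for every process from /proc/<pid>/stat instead of ps.
# comm is taken up to the last ')' because the name itself may contain spaces.
proc_table() {
    for d in /proc/[0-9]*; do
        st=$(cat "$d/stat" 2>/dev/null) || continue
        comm=${st#*\(}; comm=${comm%\)*}
        set -- ${st##*\) }               # $1 = state, $2 = ppid
        printf '%s %s %s\n' "${d#/proc/}" "$2" "$comm"
    done
}

# The post's process rules, applied to a "pid ppid comm" table on stdin: only
# PID 1 may be called init, there is one cron, and only one httpd has PPID 1.
check_proc_table() {
    cron=0; httpd_root=0
    while read -r pid ppid comm; do
        case $comm in
            init)       [ "$pid" = 1 ] || echo "SUSPECT: pid $pid is named init but is not PID 1" ;;
            cron|crond) cron=$((cron + 1)) ;;
            httpd)      [ "$ppid" != 1 ] || httpd_root=$((httpd_root + 1)) ;;
        esac
    done
    [ "$cron" -le 1 ]       || echo "SUSPECT: $cron cron daemons (expect 1)"
    [ "$httpd_root" -le 1 ] || echo "SUSPECT: $httpd_root httpd processes have PPID 1 (expect 1)"
}

# Constructed process table: a second "init" (pid 1337) and two httpd parents.
sample_proc_table() {
    cat <<'EOF'
1 0 init
812 1 cron
1337 1 init
2001 1 httpd
2002 2001 httpd
2100 1 httpd
EOF
}

# Files in lsattr output that carry the immutable (i) or append-only (a) flag;
# rpm cannot replace these, so chattr -i -a them before reinstalling --noscripts.
flagged_attrs() {
    while read -r flags path; do
        case $flags in *i*|*a*) echo "$path $flags" ;; esac
    done
}

# Constructed lsattr lines: a pinned /bin/ls and an append-only log among clean files.
sample_lsattr() {
    cat <<'EOF'
----i----------------- /bin/ls
----------------e----- /bin/cat
-----a----------e----- /var/log/secure
----------------e----- /bin/ps
EOF
}

# Live run against this host:  sh triage.sh --live
live_checks() {
    echo "== LISTEN sockets (decoded from /proc/net/tcp) =="; list_listeners < /proc/net/tcp
    echo "== process sanity (from /proc/*/stat) ==";           proc_table | check_proc_table
    echo "== i/a-flagged files in /bin and /usr/bin ==";       lsattr -d /bin/* /usr/bin/* 2>/dev/null | flagged_attrs
    echo "== regular files under /dev (should be none) ==";   find /dev -type f
}
if [ "${1:-}" = "--live" ]; then live_checks; fi
```

Each parser takes its table on stdin, so a /proc/net/tcp or lsattr listing copied off a suspect box can be examined on a clean machine; the decoder covers the per-socket tables /proc/net/tcp and /proc/net/udp, whose address columns are hex, and a LISTEN entry on a port nobody installed (6667 in the sample) is the kind of IRC bot the post describes. The init rule is a little stronger than "only one": a process called init that is not PID 1 is a backdoor hiding behind a normal name regardless of how many there are.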