Check integrity of Debian system after possible rootkit?

I have a system that was possibly rootkited (the IRC bot was installed and +ai attributes were set on /usr/bin, /usr/sbin, /bin, /sbin). The IRC bots were deleted and the system was upgraded to 5.0.4 from 4.0. I'm afraid that something in the folders I've mentioned was modified. I can't reinstall the box, so is there any way to check the integrity of the system? I have already checked rkhunter and chkrootkit.


Solution 1:

debsums, but it will only check files installed by packages, it can't tell you about extra files.
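To make the two halves of that answer concrete, here is an added POSIX shell example (not code from this answer or from the debsums project). It reimplements the check debsums performs, verifying each package's files against the checksums dpkg recorded at install time, and adds the check debsums cannot do: listing files under a directory that no installed package claims. A third function flags the immutable/append-only attributes the question mentions. It assumes the standard Debian layout, /var/lib/dpkg/info/<pkg>.md5sums with lines of "<md5>  <path relative to />" and /var/lib/dpkg/info/<pkg>.list with one absolute path per line; the demo tree, package name and lsattr listing it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the answers above. Three integrity checks for a
# Debian box, each taking its inputs as arguments so the same code runs
# against a constructed test tree or the live root filesystem.
# Assumed layout: /var/lib/dpkg/info/<pkg>.md5sums ("<md5>  usr/bin/ls")
# and /var/lib/dpkg/info/<pkg>.list ("/usr/bin/ls", one path per line).

# verify_md5sums ROOT MD5SUMS_FILE
# Prints "MISSING <path>" or "MODIFIED <path>" for every entry that fails.
# Returns 0 when every listed file matches, 1 otherwise.
verify_md5sums() {
    root=$1 sums=$2 rc=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        file="$root/$path"
        if [ ! -f "$file" ]; then
            printf 'MISSING %s\n' "$path"; rc=1; continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            printf 'MODIFIED %s\n' "$path"; rc=1
        fi
    done < "$sums"
    return $rc
}

# find_unowned ROOT DIR OWNED_LIST
# DIR is an absolute path as written in dpkg .list files (e.g. /usr/bin).
# Prints every regular file under ROOT/DIR that is absent from OWNED_LIST.
# Returns 0 when nothing unowned was found, 1 otherwise.
find_unowned() {
    root=$1 dir=$2 owned=$3
    extra=$(find "$root$dir" -type f | while read -r f; do
        rel=${f#"$root"}          # strip the root prefix, keep /usr/bin/...
        grep -qxF -- "$rel" "$owned" || printf '%s\n' "$rel"
    done)
    if [ -z "$extra" ]; then return 0; fi
    printf '%s\n' "$extra"
    return 1
}

# flag_attrs LSATTR_OUTPUT
# Reads saved "lsattr -R" output and prints each path whose flag field has
# i (immutable) or a (append-only); a stock Debian install sets neither on
# its binaries. Directory headers ("/usr/bin:"), blank lines and any
# "lsattr: ..." error lines are skipped. Returns 1 if anything was found.
flag_attrs() {
    hits=$(awk 'NF >= 2 && $1 ~ /^[-A-Za-z]+$/ && $1 ~ /[ai]/ { print $2 }' "$1")
    if [ -z "$hits" ]; then return 0; fi
    printf '%s\n' "$hits"
    return 1
}

# make_demo_tree
# Constructed sample input: one fake package owning /usr/bin/ls and
# /usr/bin/ps, its md5sums and .list recorded before a simulated tamper
# (ps rewritten, an extra /usr/bin/.x dropped), plus a constructed lsattr
# listing. Prints the temporary root directory.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/bin"
    printf 'good binary\n' > "$t/usr/bin/ls"
    printf 'original\n'    > "$t/usr/bin/ps"
    md5sum "$t/usr/bin/ls" "$t/usr/bin/ps" | sed "s| $t/| |" > "$t/demo.md5sums"
    printf '/usr/bin/ls\n/usr/bin/ps\n' > "$t/demo.list"
    printf 'trojaned\n' > "$t/usr/bin/ps"      # package file modified
    printf 'bot\n'      > "$t/usr/bin/.x"      # file no package owns
    printf '%s\n' '----i---------e------- /usr/bin/ls' \
                  '--------------e------- /usr/bin/ps' \
                  '-----a--------e------- /usr/bin/.x' > "$t/lsattr.txt"
    echo "$t"
}

# run_demo: exercise the three checks on the constructed tree.
run_demo() {
    t=$(make_demo_tree)
    echo "== checksum verification";         verify_md5sums "$t" "$t/demo.md5sums"
    echo "== files not owned by any package"; find_unowned "$t" /usr/bin "$t/demo.list"
    echo "== suspicious attributes";         flag_attrs "$t/lsattr.txt"
    rm -rf "$t"
}
if [ "${1:-}" = "--demo" ]; then run_demo; fi
```

On a live box the same functions are run against the real root: `for f in /var/lib/dpkg/info/*.md5sums; do verify_md5sums / "$f"; done`, then `cat /var/lib/dpkg/info/*.list > /root/owned.txt; find_unowned / /usr/bin /root/owned.txt` (and likewise for /usr/sbin, /bin, /sbin), and `lsattr -R /usr/bin /usr/sbin /bin /sbin > /root/attrs.txt 2>/dev/null; flag_attrs /root/attrs.txt`. Two caveats apply to this and to debsums alike: the md5sums files sit on the same disk as the suspect binaries, so an intruder with root could have rewritten them, which is why the check is worth repeating from a clean rescue boot against checksums taken from a freshly downloaded copy of each package; and a package that ships no md5sums file simply has nothing to compare, so an empty result is not proof of a clean system.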

Solution 2:

When a system is compromised you're never sure if everything was cleaned and the best solution is always to reinstall the system, but you need to do some forensics to prevent that from happening again.

chkrootkit and rkhunter are good rootkit checkers but they're not infallible.

Also, run nmap from an outside machine and see if there's some port opened that you're not expecting.

debsums is also a good help when checking for compromised binaries.

And do you have any idea how the hacker got access to the machine and which service was vulnerable? Focus especially there (but not only there). See if there are known issues with that software version. Check every possible log you have on your filesystem. If you have an mrtg trending application (like ganglia, munin or cacti) check it for possible time frames of the attack.

You should also review your machine considering the following topics:

  • shut the services you don't need

  • test backup on a regular basis

  • follow the least privilege principle

  • have your services updated, especially regarding security updates

  • don't use default credentials

Solution 3:

What about using AIDE?

https://help.ubuntu.com/community/FileIntegrityAIDE

Solution 4:

Under Debian there is the awesome tool: chkrootkit

aptitude install chkrootkit :)

Solution 5:

There is an ideal tool invented for this kind of task: debcheckroot

It compares the sha256sum of each file and because of this it does not miss rootkits. Be aware that chkrootkit and rkhunter are known not to detect government malware from western intelligence agencies like the NSA. The results are also presented in a better, more readable format than debsums.