How to check if a Linux server is clean from rootkits/backdoors/botnets etc.?
In case a Linux server was exposed to the internet with extreme low security policy (r/w anonymous Samba folders, Firebird database server with default admin password, no firewall, etc.) for a week, then how do I make sure the system is not compromised without full formatting&reinstalling, accessing it only remotely via SSH?
Normally I'd suggest a local check with a tool such as chkrootkit but if the only way to run the check is to do so remotely, then I would recommend that you try Rootkit Hunter instead.
Rookit Hunter checks for rootkits and other such activity by running tests such as the following (see Project Information for more details):
- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
I want to add that as others have said, the only sure way to ensure there has been no tampering with your service is to rebuild it. These tools work well, but they are not a 100% guarantee of success.
OSSEC checks for rootkits and detects suspicious activity.
I know this answer isn't what you want to hear but here we go anyways. There are some tools that can check the system the best way to ensure the system is clean is to wipe the server and rebuild. I would do the following:
- Remove the computer from the internet
- Backup Data and Config information to remove devices
- Format Storage
- Reinstall Base/Standard Setup/Updates
- Reconfigure Server using old data as reference
- Restore user data
Here are some resources I would start reading if you haven't already.
[link text][1] link text link text link text
[1]: http://www.sans.org/reading_room/whitepapers/linux/linux-rootkits-beginners-prevention-removal_901"Linux Rootkits Beginners"