Hello,
I have been tasked with checking some Solaris servers to see if root kits had been installed. I am told there are utilities to do that. Has anyone heard of such a thing and know where I can find it?
damn.....
ok, lets try again...
http://www.google.com/search?hl=en&l...=Google+Search
First 5 of 4660 results...
chkrootkit
rootkit detector
anti-rootkit
check rootkit
rootkit-check
Interesting point: if you don't know what a root kit is, why are you being tasked to check for it? And why do you want to find one?
I can understand if you want to learn how one works... just wondering. No offense, but it sounds a little strange that you get tasked to "find them on some Solaris servers", don't know what they are, and in the same breath want to find one. *shrug*
I should have explained myself a little better. I am looking for your opinions as to the best one. I had searched Google and found many, but to save time and get this accomplished quickly I wanted the best one. I am new to sys admin duties and it was suggested that one or all of our servers could possibly be owned and being used to attack others. I just learned the term "root kit" the other day. So yes, I do want to find out how they work, how someone could have got one installed on our servers, if at all, and how to detect and clean them from my systems. I am Unix literate to a small degree but still learning all I can.
That is why I posted in the Newbie section.
Thanks for your help.
The best one? No idea. I use tripwire to make sure that nothing gets a rootkit installed. If one does get installed, I know about it immediately, and take down the server....
A root kit installs a back door on your system and modifies some of the programs, so that when you log in on the back door you are completely undetected (who doesn't work, no logs, etc.). To install one, someone has to take over root.
BEST thing is to start with a known clean box, then install Tripwire to check for altered files :).
Quote:
Originally posted here by souleman
The best one? No idea. I use tripwire to make sure that nothing gets a rootkit installed. If one does get installed, I know about it immediately, and take down the server....
A root kit installs a back door on your system and modifies some of the programs, so that when you log in on the back door you are completely undetected (who doesn't work, no logs, etc.). To install one, someone has to take over root.
Great idea going forward and once I rebuild these boxes I will do that. However, right now I need to verify if any of these servers have been compromised so I know what info may be compromised.
Thanks for everyone's help
tripwire, huh? I have to start playin with *nix. :)
it sounds so much better than windows.
It would have been much better to explain this earlier, in words, rather than just coming out and tersely asking for a way to check for rootkits. More information up front tends to get more useful information later, here.
Quote:
Originally posted here by bxrluvr
I should have explained myself a little better. I am looking for your opinions as to the best one. I had searched Google and found many, but to save time and get this accomplished quickly I wanted the best one. I am new to sys admin duties and it was suggested that one or all of our servers could possibly be owned and being used to attack others. I just learned the term "root kit" the other day. So yes, I do want to find out how they work, how someone could have got one installed on our servers, if at all, and how to detect and clean them from my systems. I am Unix literate to a small degree but still learning all I can.
That is why I posted in the Newbie section.
Thanks for your help.
Unfortunately, I must echo what others have already said... a known-good machine (i.e. a fresh install, FREE from any networks) coupled with a Tripwire instance is your best bet.
Oh my, avenger_jcc. You mean you've never tried *nix?
Quote:
tripwire, huh? I have to start playin with *nix.
it sounds so much better than windows.
Not even once?
*shudder* I'm sorry...I had no idea. Please accept my deepest condolences, and a gift for your suffering:
http://www.linuxiso.org/ :D
All your friends are doing it.
As part of my job, I've done a fair amount of work on detecting rootkits, though I've mainly been working with detecting the kernel module rootkits. But as far as normal rootkits go, everyone has had lots of good things to say about chkrootkit, so that's probably your best bet. I hope you're good with C, because some (most?) of these programs take some tweaking to get them to work right with more modern kernels. Good luck.
Thanks for your answer str34m3r.
How do you expect us to figure out if there is a rootkit installed?
Paste some of the strange log entries you've been having or strange activities. There are many rootkits with many differences.
Who said anything about you figuring out if a rootkit is installed? I asked what the best utility for seeing if one is installed is, and where to find it. I found many sites with programs to find them. I wanted opinions as to what is the best and a secure place to find it. I am a long way off from being any kind of a security expert, but downloading programs and scripts from a Geocities website and running them as root on my servers does not seem like a smart idea.
If you are having to detect a rootkit after the fact, without Tripwire installed, you have pretty much already lost. The entire idea of a rootkit is to seamlessly blend into the underlying OS and to hide itself from detection. Since you don't have Tripwire installed, I would recommend building a new copy of what you have, trying to match it as closely as possible, and then comparing the differences in file sizes, dates of creation, processes running, etc.
There are some helpful tools at : http://www.incident-response.org/unix.html
But be mindful: just because you have run tools and they didn't find anything does not mean that you have not had a rootkit installed. It is still possible one is installed; it is just very good at hiding itself (through kernel mods, etc.).
Neb
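Two of the checks discussed in this thread, the Tripwire-style "compare every file against a known-clean baseline" approach (souleman's and Neb's posts) and the chkrootkit-style "does ps(1) agree with /proc" check for a trojaned ps, as a small added example. This is not Tripwire or chkrootkit code, and it is not from anyone in the thread. It assumes the baseline is built on a clean system (fresh install, off the network) and kept off the box on read-only media, that file paths contain no whitespace, and that sha256sum (GNU) or digest(1) (Solaris) is available; the function names hash_file, build_baseline, check_baseline, hidden_pids and live_hidden_pids are chosen for this example.

```shell
#!/bin/sh
# Added example: minimal Tripwire-style integrity check plus a hidden-process check.
# Assumptions (not from the thread): baseline built on a known-clean system and stored
# off-box; paths contain no whitespace; all function names are invented for this example.

# hash_file FILE: SHA-256 via GNU sha256sum, or Solaris digest(1); cksum only as a last resort.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v digest >/dev/null 2>&1; then
        digest -a sha256 "$1"
    else
        cksum "$1" | cut -d' ' -f1   # CRC32: catches accidents, not a deliberate attacker
    fi
}

# build_baseline DIR OUT: write one "hash path" line per regular file under DIR, sorted by path.
build_baseline() {
    find "$1" -type f | sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done > "$2"
}

# check_baseline BASELINE DIR: rehash DIR and report CHANGED / NEW / MISSING files.
# Returns 0 if the tree matches the baseline, 1 if anything differs, 2 on error.
check_baseline() {
    cur=$(mktemp) || return 2
    build_baseline "$2" "$cur"
    report=$(awk '
        FILENAME == ARGV[1] { want[$2] = $1; next }      # first operand is the baseline
        {
            if (!($2 in want))        print "NEW     " $2
            else if (want[$2] != $1)  print "CHANGED " $2
            seen[$2] = 1
        }
        END { for (f in want) if (!(f in seen)) print "MISSING " f }
    ' "$1" "$cur")
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# hidden_pids PS_PIDS PROC_PIDS: print PIDs present in the /proc listing but absent from
# the ps(1) listing. A user-land rootkit that replaces ps with a version that filters out
# its own processes usually leaves /proc alone, so the difference exposes them.
# Both arguments are newline-separated PID lists, so the comparison can be run on captured data.
hidden_pids() {
    t=$(mktemp) || return 2
    printf '%s\n' "$1" > "$t"
    printf '%s\n' "$2" | awk '
        FILENAME == ARGV[1] { visible[$1] = 1; next }   # first operand: what ps showed
        NF && !($1 in visible)                          # print /proc PIDs ps did not show
    ' "$t" -
    rm -f "$t"
}

# live_hidden_pids: run the comparison against the running system.
# A process that starts between the two snapshots shows up as a false positive;
# rerun and only trust a PID that is reported every time.
live_hidden_pids() {
    hidden_pids "$(ps -e -o pid= | tr -d ' ')" "$(ls /proc | grep '^[0-9][0-9]*$')"
}
```

Usage: build_baseline /usr/bin /mnt/cdrom/usr-bin.baseline on the clean box, then later check_baseline /mnt/cdrom/usr-bin.baseline /usr/bin on the suspect one. Both checks only mean something if the tools doing the checking are themselves clean: a kit that has trojaned find, ls or awk, or a kernel-module rootkit that lies to every process about files and /proc, will pass both, which is exactly Neb's point above. Boot the suspect machine from known-good media and run the comparison from there, with the suspect disk mounted read-only.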