Last night one of the servers at work began to act a little wonky and sent me some email to let me know it was not feeling well.
I logged in and quickly discovered that some social misfit was trying to hack the box. I tracked down a Perl script they had managed to get downloaded to the server via a hole in a “Contact Us” form on one of the websites we host. The script did not execute correctly, and I could not find any evidence that the machine had been compromised.
Before this happened, I had already taken the following preventative steps:
1) This server sits behind a firewall that only lets very specific traffic through
2) I set up my hosts.deny to only allow connections to the server on some services from hosts I directly control (ssh, for example, only allows connections from other machines in the office and my home)
3) Remote logging – all the logs from this server are remotely logged to other servers in the office, so attempts to clean up after oneself will not erase the full trail, unless you can compromise the remote logging machines as well.
So, I was not terribly worried that I’d been rooted, but the script that was executed does try to install a rootkit, so I thought I’d better have a look at ways to detect rootkit installs. I found two: chkrootkit and rkhunter.
You can google both if you want to learn more; the long and short of it is that they do more or less the same thing by different means: they check for modified files, hidden directories, odd filesystem entries, incorrect versions of software, known rootkit files and scripts, and so on.
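To make the “modified files” check concrete, here is a small baseline-and-compare integrity checker written for this post (an added example, not code from chkrootkit or rkhunter). The file list, the baseline location and the stand-in binaries built in demo() are constructed assumptions:

```python
# Baseline-and-compare file integrity check, in the spirit of the "modified files"
# test the rootkit checkers run. Added example; paths and baseline location are assumptions.
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

def file_record(path):
    """Hash plus the metadata a rootkit typically disturbs (size, mode, owner)."""
    st = os.lstat(path)
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest() if stat.S_ISREG(st.st_mode) else ""
    return {"sha256": digest, "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}

def build_baseline(paths, baseline_file):
    """Record every path that exists; keep the baseline off-box in real use."""
    baseline = {p: file_record(p) for p in paths if os.path.lexists(p)}
    Path(baseline_file).write_text(json.dumps(baseline, indent=1))
    return baseline

def check_baseline(baseline_file):
    """Return {'modified': {path: [changed fields]}, 'missing': [paths]}."""
    baseline = json.loads(Path(baseline_file).read_text())
    findings = {"modified": {}, "missing": []}
    for p, old in baseline.items():
        if not os.path.lexists(p):
            findings["missing"].append(p)
            continue
        new = file_record(p)
        changed = [k for k in old if old[k] != new[k]]
        if changed:
            findings["modified"][p] = changed
    return findings

def demo():
    """Constructed scenario: baseline two stand-in binaries, tamper with one, delete the other."""
    with tempfile.TemporaryDirectory() as d:
        ls, ps = Path(d, "ls"), Path(d, "ps")
        for p in (ls, ps):
            p.write_text("#!/bin/sh\nexec /bin/true\n")  # constructed stand-in binary
        base = Path(d, "baseline.json")
        build_baseline([str(ls), str(ps)], base)
        ls.write_text(ls.read_text() + "echo trojaned\n")  # simulate a replaced binary
        ps.unlink()
        r = check_baseline(base)
        return {"modified": {Path(p).name: v for p, v in r["modified"].items()},
                "missing": [Path(p).name for p in r["missing"]]}
```

Running demo() reports ls as modified (hash and size changed) and ps as missing; on a real box the baseline must be taken from a known-clean state and stored where an intruder cannot rewrite it.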
Since I run Ubuntu on our servers at work, installing both was as simple as:
$ apt-get install chkrootkit rkhunter
and then running each with:
$ chkrootkit
$ rkhunter -c
Both spit out a ton of useful information, and provide lots of details about what they are doing.
Neither found evidence of any rootkits on any of our servers. *whew*
Now, back to my regularly scheduled program.