[lug] R00tKIT!! Raah!

Bear Giles bgiles at coyotesong.com
Tue Jun 14 20:42:04 MDT 2005

David Anselmi wrote:
> I wouldn't trust cleaning the system unless I had a way to verify all 
> the files on it.  Most of those came from packages, so if you can 
> compare checksums between your files and those from the official 
> packages (using only programs you've already verified) you might be good.

I wouldn't trust checksums since an undetected rootkit may still 
change the results.  But I don't think it's hard to reinstall 
packages.  E.g., in Debian it's

   # apt-get install --reinstall procps

to reinstall procps.  The paranoid would run # apt-get clean first 
and hardcode the IP addresses in /etc/apt/sources.list for the 
duration.  You could get a list of every installed package with 
dpkg -l.  Just leave the config files as they were.  (Although you 
might want to eyeball them anyway.)

That's still not 100% reliable against a good rootkit, but as I 
mentioned earlier it's always a matter of balancing the pain.

> nor would it be easy to verify all the non-package files you 
> have.  So in the end I think rebuilding is a better choice (less time 
> for a reasonable degree of certainty you're clean).

Reinstalling third-party software might be a serious problem.  We 
have such a package, and it required several days of on-site 
support to get it working.  We have backups, of course, but the 
original software requires serious support and that product went 
"Windows only" many years ago.  The Unix version is no longer 
supported.  In fact that's the main reason why we decided to risk 
an attempt to scrub the system.
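The reinstall procedure above, as an added example that is not part of the original post: a POSIX shell script that pulls installed package names out of `dpkg -l` output, emits the `apt-get clean` and `apt-get install --reinstall` commands for each (printed, not executed), and flags sources.list entries that still point at hostnames rather than hardcoded IP addresses. The package list, the sources.list contents and the 192.0.2.10 address are constructed samples.

```shell
#!/bin/sh
# Constructed sample of `dpkg -l` output (not captured from a real system).
SAMPLE_DPKG_L='Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version        Architecture Description
+++-==============-==============-============-=================================
ii  procps         2:3.3.17-6     amd64        /proc file system utilities
ii  coreutils      8.32-4         amd64        GNU core utilities
rc  oldpkg         1.0-1          amd64        removed, only config files remain
ii  libc6:amd64    2.31-13        amd64        GNU C Library: Shared libraries'

# Constructed sample sources.list; 192.0.2.10 is a documentation-range address.
SAMPLE_SOURCES='deb http://ftp.debian.org/debian stable main
deb http://192.0.2.10/debian stable main
deb-src http://ftp.debian.org/debian stable main'

# installed_packages: names of packages whose status is "ii" (fully installed).
# "rc" entries are removed packages with leftover config files; nothing to reinstall.
installed_packages() {
    printf '%s\n' "$1" | awk '$1 == "ii" { print $2 }'
}

# reinstall_commands: the command sequence from the post, one package per line.
# apt-get clean first so no cached .deb from the compromised period is reused.
reinstall_commands() {
    echo "apt-get clean"
    installed_packages "$1" | while read -r pkg; do
        echo "apt-get install --reinstall $pkg"
    done
}

# sources_using_hostnames: deb/deb-src lines whose mirror host is not a dotted-quad
# IP literal, i.e. lines that would still depend on (possibly tampered) DNS.
sources_using_hostnames() {
    printf '%s\n' "$1" | awk '
        $1 == "deb" || $1 == "deb-src" {
            host = $2
            sub("^[a-z]+://", "", host)   # drop scheme
            sub("/.*$", "", host)         # drop path
            if (host !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print
        }'
}

reinstall_commands "$SAMPLE_DPKG_L"
echo "--- sources.list lines still using hostnames:"
sources_using_hostnames "$SAMPLE_SOURCES"
```

On a live system, feed `installed_packages "$(dpkg -l)"` instead of the sample; the post's caveat still applies, since dpkg, awk and sh themselves may have been replaced by the rootkit.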
