Debian – Checking System Integrity After Possible Rootkit

debianrootkit

I have a system that was possibly rootkited (the IRC bot was installed and +ai attributes were set on /usr/bin, /usr/sbin, /bin, /sbin). The IRC bots were deleted and system was upgraded to 5.0.4 from 4.0. I'm afraid that something in the folders I've mentioned was modified. I can't reinstall the box, so is there any way to check the integrity of the system? I have already checked rkhunter and chrootkit.

Best Answer

debsums, but it will only check files installed by packages, it can't tell you about extra files.

Related Solutions

Debian – How to check for modified config files on a Debian system

To find all Debian managed configuration files which have been changed from the default you can use a command like this.

dpkg-query -W -f='${Conffiles}\n' '*' | awk 'OFS="  "{print $2,$1}' | md5sum -c 2>/dev/null | awk -F': ' '$2 !~ /OK/{print $1}'

Edit (works with localized systems):

dpkg-query -W -f='${Conffiles}\n' '*' | awk 'OFS="  "{print $2,$1}' | LANG=C md5sum -c 2>/dev/null | awk -F': ' '$2 !~ /OK/{print $1}' | sort | less

Edit (works with packages with OK in the filename):

dpkg-query -W -f='${Conffiles}\n' '*' | awk 'OFS="  "{print $2,$1}' | LANG=C md5sum -c 2>/dev/null | awk -F': ' '$2 !~ /OK$/{print $1}' | sort | less

Mysql – Can’t install MySQL

Try these:

sudo apt-get purge mysql-common mysql-server-5.1
sudo apt-get install mysql-server

Note that you don't need to purge mysql-server since it's just a meta-package (i.e. it's a convenience package containing just dependency info). Also, pay attention to the output of the purge option. It might display directories that aren't purged, and then you can remove those manually.

Best Answer

Related Solutions

Debian – How to check for modified config files on a Debian system

Mysql – Can’t install MySQL

Related Topic