Is my box owned?

I operate a Linux machine connected to the internet. I haven’t upgraded it recently; almost certainly one or more of the software packages installed has a known vulnerability or two. How can I know if the box has been owned or not?

I could install something like rkhunter, to look for rootkits. But it would be pretty easy to write a rootkit that categorically dodges rkhunter, by having it replace rkhunter by something that looks exactly like rkhunter except doesn’t report our rootkit. At its simplest, it could poll the default install locations for executables named ‘rkhunter’ and replace them. Or it could do something more sophisticated based on looking for particular properties of the executable, or replacing apt-get and wget by things that claim to install or download rkhunter but don’t, etc. So we can’t trust rkhunter.

I could check if certain executables have been modified by checking their md5sums. But it would be similarly trivial to replace the md5sum program by something that pretends to md5sum the thing but actually just checks if you’re md5summing something the rootkit has modified, and returning the legit md5sum instead of the true md5sum. So we can’t trust md5sum.

We could copy the executables to a different machine and try md5summing them there—but the same argument applies to all file-transferring techniques. The rootkit could replace sshd.

If you’re running on EC2 with an EBS-backed instance, it’s pretty easy to mount the maybe-comprimised machine’s storage into a different, known-good machine and use those tools to inspect the system. Though it’s theoretically possible that the rootkit replaced the file system in such a way that all its sneaky modifications are invisible to normal ext4 tools (by e.g. hiding them in the free-blocks).

(Also, your “known-good” tools may be KTH’d. There is no such thing as computer security, only massive inconvenience to the attacker.)

How likely is it that a rootkit would go to the effort of hiding itself this way? I’m not sure. Some of these tricks seem relatively easy to pull. If I were writing a rootkit today, I would definitely write code to dodge rkhunter running on the compromised machine. It seems like more effort than it’s worth to try to dodge the “unmount the drive and inspect it with known-uncompromised* tools” inspection, though. Much easier to rely on scale of infection and laziness of sysadmins. So that’s probably a pretty reliable technique for detecting rootkits.

Probably I’ll just run apt-get upgrade and call it a day.

Show Comments