How To Check If Your Server Is Infected With The Linux/Rst-B Backdoor (Debian Etch)

 
Submitted by falko on Tue, 2008-02-19 12:06. :: Debian | Security


Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 02/15/2008

Linux Rst-B is a backdoor that can be used to add your server to botnets (see http://www.heise.de/newsticker/meldung/103563 (in German)). This short guide explains how you can install and use the Sophos Linux/RST-B detection tool to check your Debian Etch server and find out if it is infected with Linux Rst-B.

I do not issue any guarantee that this will work for you!

 

1 Download And Install The Sophos Linux/RST-B Detection Tool

I want to install the Linux/RST-B detection tool in the /usr/local/sbin directory (so that the detection tool is in our PATH later on):

cd /usr/local/sbin
wget http://www.sophos.com/support/cleaners/detection_tool.tar.gz
tar xvfz detection_tool.tar.gz

You should then find the contents of the tar.gz file in the /usr/local/sbin/detection_tool directory.

There are two ways of installing the detection tool: you can either use the pre-compiled binary that you find in the /usr/local/sbin/detection_tool/pre-compiled directory, or you can compile it yourself. I'll show both ways now.

 

1.1 Use The Pre-Compiled Binary

To use the pre-compiled binary, we can either simply create a symlink called rst_detection_tool in the /usr/local/sbin directory that points to detection_tool/pre-compiled/detection_tool:

cd /usr/local/sbin
ln -s detection_tool/pre-compiled/detection_tool rst_detection_tool

Or we move detection_tool/pre-compiled/detection_tool to /usr/local/sbin and rename it to rst_detection_tool:

cd /usr/local/sbin
mv detection_tool/pre-compiled/detection_tool rst_detection_tool

 

1.2 Build The Detection Tool From The Sources

To compile the detection tool from the sources, we first install the package build-essential:

apt-get install build-essential

Afterwards we build the detection tool as follows:

cd /usr/local/sbin/detection_tool
make

This creates the program /usr/local/sbin/detection_tool/detection_tool. I want to have it directly in the /usr/local/sbin directory and name it rst_detection_tool, so we can either create a symlink:

cd /usr/local/sbin
ln -s detection_tool/detection_tool rst_detection_tool

Or we move detection_tool/detection_tool to /usr/local/sbin and rename it to rst_detection_tool:

cd /usr/local/sbin
mv detection_tool/detection_tool rst_detection_tool

 

2 Use The Linux/RST-B Detection Tool

Now we can use the detection tool as follows:

Outside the /usr/local/sbin directory:

rst_detection_tool [-v] <path>

Inside the /usr/local/sbin directory we must prepend ./:

./rst_detection_tool [-v] <path>

So if you want to scan your whole file system, you'd simply use:

rst_detection_tool /

or

./rst_detection_tool /

if you are in /usr/local/sbin.

On a clean system the output looks as follows:

server2:/usr/local/sbin# ./rst_detection_tool /
Sophos Rst-B Detection Tool
---------------------------
Copyright (c) 2008 Sophos Plc. All rights reserved.

Scanned 43134 files, found 0 infections of Linux/Rst-B.
End of scan.
server2:/usr/local/sbin#
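If you run the scan from cron, the summary line is what matters. The following wrapper is an added example (not part of this tutorial or of the Sophos tool): it parses the "Scanned N files, found M infections of Linux/Rst-B." line and turns it into an exit status, so a scheduled job can alert only on a positive or failed scan. It assumes the tool was installed as /usr/local/sbin/rst_detection_tool as described above; the sample reports are constructed.

```sh
#!/bin/sh
# Added example, not part of the tutorial or the Sophos tool. Wraps
# rst_detection_tool so its summary line becomes a machine-checkable status.
# Assumption: the tool lives at /usr/local/sbin/rst_detection_tool (see above).

RST_TOOL=${RST_TOOL:-/usr/local/sbin/rst_detection_tool}

# Constructed sample reports, shaped like the clean-system run shown above.
CLEAN_OUTPUT='Sophos Rst-B Detection Tool
---------------------------
Copyright (c) 2008 Sophos Plc. All rights reserved.

Scanned 43134 files, found 0 infections of Linux/Rst-B.
End of scan.'
INFECTED_OUTPUT='Sophos Rst-B Detection Tool
---------------------------
Scanned 43134 files, found 2 infections of Linux/Rst-B.
End of scan.'

# rst_parse_summary: read a report on stdin, print "<files> <infections>".
# Returns 2 when no summary line is present (e.g. the scan was aborted).
rst_parse_summary() {
    summary=$(sed -n 's/^Scanned \([0-9][0-9]*\) files, found \([0-9][0-9]*\) infections* of Linux\/Rst-B\..*/\1 \2/p')
    [ -n "$summary" ] || return 2
    printf '%s\n' "$summary"
}

# rst_status_from_output: classify a captured report.
# 0 = clean, 1 = infections found, 2 = no usable summary (treat as an error).
rst_status_from_output() {
    summary=$(printf '%s\n' "$1" | rst_parse_summary) || return 2
    files=${summary% *}
    infections=${summary#* }
    if [ "$infections" -gt 0 ]; then
        echo "ALERT: $infections Linux/Rst-B infection(s) among $files scanned files" >&2
        return 1
    fi
    echo "OK: $files files scanned, no Linux/Rst-B infections"
}

# rst_scan: run the real tool on a path (default /) and classify its report.
rst_scan() {
    rst_status_from_output "$("$RST_TOOL" "${1:-/}" 2>&1)"
}
```

A cron entry can then run something like `rst_scan / || logger -p auth.crit "Rst-B scan failed or found infections"`, which stays silent on a clean run.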

 

3 Links

Submitted by matthewboh (registered user) on Wed, 2008-02-27 15:46.

Why isn't this issue listed in CERT? Is it that new?

 http://search.cert.org/query.html?col=general&col=history&col=orgsec&col=response&col=secsys&col=sftassur&col=training&qt=rst-b&charset=iso-8859-1

Submitted by laser2k (registered user) on Mon, 2008-03-03 12:32.
No, it's not new, it's over 6 years old. The author seems to have missed the point of the original press release published by Sophos - http://www.sophos.com/pressoffice/news/articles/2008/02/rstbtool.html, which is that the Rst-B virus is a secondary infection which the more up-to-date tools that hackers are using are infected with (probably without realising).