How To Check If Your Server Is Infected With The Linux/Rst-B Backdoor (Debian Etch)

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 02/15/2008

Linux Rst-B is a backdoor that can be used to add your server to botnets (see http://www.heise.de/newsticker/meldung/103563 (in German)). This short guide explains how you can install and use the Sophos Linux/RST-B detection tool to check your Debian Etch server and find out if it is infected with Linux Rst-B.

I do not issue any guarantee that this will work for you!

1 Download And Install The Sophos Linux/RST-B Detection Tool

I want to install the Linux/RST-B detection tool in the /usr/local/sbin directory (so that the detection tool is in our PATH later on):

cd /usr/local/sbin
wget http://www.sophos.com/support/cleaners/detection_tool.tar.gz
tar xvfz detection_tool.tar.gz

You should then find the contents of the tar.gz file in the /usr/local/sbin/detection_tool directory.

There are two ways of installing the detection tool: you can either use the pre-compiled binary that you can find in the /usr/local/sbin/detection_tool/pre-compiled directory, or you compile it yourself. I'll show both ways now.

1.1 Use The Pre-Compiled Binary

To use the pre-compiled binary, we can either simply create a symlink called rst_detection_tool from the /usr/local/sbin directory to detection_tool/pre-compiled/detection_tool:

cd /usr/local/sbin
ln -s detection_tool/pre-compiled/detection_tool rst_detection_tool

Or we move detection_tool/pre-compiled/detection_tool to /usr/local/sbin and rename it to rst_detection_tool:

cd /usr/local/sbin
mv detection_tool/pre-compiled/detection_tool rst_detection_tool

1.2 Build The Detection Tool From The Sources

To compile the detection tool from the sources, we first install the package build-essential:

apt-get install build-essential

Afterwards we build the detection tool as follows:

cd /usr/local/sbin/detection_tool
make

This creates the program /usr/local/sbin/detection_tool/detection_tool. I want to have it directly in the /usr/local/sbin directory and name it rst_detection_tool, so we can either create a symlink:

cd /usr/local/sbin
ln -s detection_tool/detection_tool rst_detection_tool

Or we move detection_tool/detection_tool to /usr/local/sbin and rename it to rst_detection_tool:

cd /usr/local/sbin
mv detection_tool/detection_tool rst_detection_tool

2 Use The Linux/RST-B Detection Tool

Now we can use the detection tool as follows:

Outside the /usr/local/sbin directory:

rst_detection_tool [-v] <path>

Inside the /usr/local/sbin directory we must prepend ./:

./rst_detection_tool [-v] <path>

So if you want to scan your whole file system, you'd simply use:

rst_detection_tool /

or

./rst_detection_tool /

if you are in /usr/local/sbin.

On a clean system the output looks as follows:

server2:/usr/local/sbin# ./rst_detection_tool /
Sophos Rst-B Detection Tool
---------------------------
Copyright (c) 2008 Sophos Plc. All rights reserved.

Scanned 43134 files, found 0 infections of Linux/Rst-B.
End of scan.
server2:/usr/local/sbin#

3 Links

• Sophos Linux/RST-B Detection Tool: http://www.sophos.com/rst-detection-tool
• Debian: http://www.debian.org