How To Check If Your Server Is Infected With The Linux/Rst-B Backdoor (Debian Etch)

Version 1.0
Author: Falko Timme
Last edited 02/15/2008

Linux Rst-B is a backdoor that can be used to add your server to botnets (see http://www.heise.de/newsticker/meldung/103563 (in German)). This short guide explains how you can install and use the Sophos Linux/RST-B detection tool to check your Debian Etch server and find out if it is infected with Linux Rst-B.

I do not issue any guarantee that this will work for you!


1 Download And Install The Sophos Linux/RST-B Detection Tool

I want to install the Linux/RST-B detection tool in the /usr/local/sbin directory (so that the detection tool is in our PATH later on):

cd /usr/local/sbin
wget http://www.sophos.com/support/cleaners/detection_tool.tar.gz
tar xvfz detection_tool.tar.gz

You should then find the contents of the tar.gz file in the /usr/local/sbin/detection_tool directory.

There are two ways of installing the detection tool: you can either use the pre-compiled binary that you can find in the /usr/local/sbin/detection_tool/pre-compiled directory, or you compile it yourself. I'll show both ways now.


1.1 Use The Pre-Compiled Binary

To use the pre-compiled binary, we can either simply create a symlink called rst_detection_tool from the /usr/local/sbin directory to detection_tool/pre-compiled/detection_tool:

cd /usr/local/sbin
ln -s detection_tool/pre-compiled/detection_tool rst_detection_tool

Or we move detection_tool/pre-compiled/detection_tool to /usr/local/sbin and rename it to rst_detection_tool:

cd /usr/local/sbin
mv detection_tool/pre-compiled/detection_tool rst_detection_tool


1.2 Build The Detection Tool From The Sources

To compile the detection tool from the sources, we first install the package build-essential:

apt-get install build-essential

Afterwards we build the detection tool as follows:

cd /usr/local/sbin/detection_tool
make

This creates the program /usr/local/sbin/detection_tool/detection_tool. I want to have it directly in the /usr/local/sbin directory and name it rst_detection_tool, so we can either create a symlink:

cd /usr/local/sbin
ln -s detection_tool/detection_tool rst_detection_tool

Or we move detection_tool/detection_tool to /usr/local/sbin and rename it to rst_detection_tool:

cd /usr/local/sbin
mv detection_tool/detection_tool rst_detection_tool


2 Use The Linux/RST-B Detection Tool

Now we can use the detection tool as follows:

Outside the /usr/local/sbin directory:

rst_detection_tool [-v] <path>

Inside the /usr/local/sbin directory we must prepend ./:

./rst_detection_tool [-v] <path>

So if you want to scan your whole file system, you'd simply use:

rst_detection_tool /

or

./rst_detection_tool /

if you are in /usr/local/sbin.

On a clean system the output looks as follows:

server2:/usr/local/sbin# ./rst_detection_tool /
Sophos Rst-B Detection Tool
---------------------------
Copyright (c) 2008 Sophos Plc. All rights reserved.

Scanned 43134 files, found 0 infections of Linux/Rst-B.
End of scan.
server2:/usr/local/sbin#
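The output above is what an operator reads by hand; for a nightly check it is more useful to turn the summary line into an exit status. The following POSIX shell wrapper is an added example, not part of Falko Timme's guide or Sophos' tool: it parses the "Scanned N files, found M infections of Linux/Rst-B." line, treats a missing summary line as a failed scan rather than a clean one, and assumes the binary path chosen above (overridable via RST_TOOL); the infected sample is constructed on the assumption that only the count in the summary line changes.

```shell
#!/bin/sh
# Added example (not part of the guide): turn the detection tool's summary line
# into an exit status so a nightly cron job can alert on a non-zero result.
# Assumes the binary path chosen in the guide; override with RST_TOOL=... .
RST_TOOL="${RST_TOOL:-/usr/local/sbin/rst_detection_tool}"
# Constructed sample outputs in the guide's format (not real scan results); the
# infected sample assumes only the count in the summary line changes.
SAMPLE_CLEAN='Sophos Rst-B Detection Tool
---------------------------
Copyright (c) 2008 Sophos Plc. All rights reserved.

Scanned 43134 files, found 0 infections of Linux/Rst-B.
End of scan.'
SAMPLE_INFECTED='Sophos Rst-B Detection Tool
---------------------------
Copyright (c) 2008 Sophos Plc. All rights reserved.

Scanned 43134 files, found 2 infections of Linux/Rst-B.
End of scan.'

# Print the infection count from the summary line of the output in $1. Prints
# nothing and returns 1 if there is no summary line (scan killed, binary
# failed), so a missing result is never mistaken for a clean one.
rst_infections() {
    count=$(printf '%s\n' "$1" | sed -n \
        's/^Scanned [0-9][0-9]* files, found \([0-9][0-9]*\) infections of Linux\/Rst-B\.$/\1/p')
    [ -n "$count" ] || return 1
    printf '%s\n' "$count"
}

# Classify the output in $1: 0 = clean, 1 = infected, 2 = scan did not complete.
rst_verdict() {
    n=$(rst_infections "$1") || return 2
    [ "$n" -eq 0 ] || return 1
}

# Scan $1 (default: whole file system), print one summary line and return the
# verdict, so cron (or "rst_scan / || mail ...") can act on the status.
rst_scan() {
    path="${1:-/}"
    out=$("$RST_TOOL" "$path" 2>&1) || true
    if rst_verdict "$out"; then verdict=0; else verdict=$?; fi
    case $verdict in
        0) echo "rst_scan: $path is clean" ;;
        1) echo "rst_scan: $path has $(rst_infections "$out") Linux/Rst-B infection(s)" ;;
        *) echo "rst_scan: scan of $path did not complete: $out" ;;
    esac
    return $verdict
}
# Run as a script: ./rst_scan.sh --scan /   (no arguments: only define functions)
case "${1:-}" in --scan) rst_scan "${2:-/}" ;; esac
```

A cron line such as `rst_scan.sh --scan / || mail -s "Rst-B scan failed or found infections" root` then reports both infections and interrupted scans.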


3 Links


Comments

From: at: 2008-02-27 14:46:55

Why isn't this issue listed in CERT? Is it that new?

http://search.cert.org/query.html?col=general&col=history&col=orgsec&col=response&col=secsys&col=sftassur&col=training&qt=rst-b&charset=iso-8859-1

From: at: 2008-03-03 11:32:14

No, it's not new, it's over 6 years old. The author seems to have missed the point of the original press release published by Sophos - http://www.sophos.com/pressoffice/news/articles/2008/02/rstbtool.html, which is that the Rst-B virus is a secondary infection which the more up-to-date tools that hackers are using are infected with (probably without realising).