How To Check If Your Server Is Infected With The Linux/Rst-B Backdoor (Debian Etch)

Version 1.0
Author: Falko Timme

Linux Rst-B is a backdoor that can be used to add your server to botnets (see (in German)). This short guide explains how you can install and use the Sophos Linux/RST-B detection tool to check your Debian Etch server and find out if it is infected with Linux Rst-B.

I do not issue any guarantee that this will work for you!


1 Download And Install The Sophos Linux/RST-B Detection Tool

I want to install the Linux/RST-B detection tool in the /usr/local/sbin directory (so that the detection tool is in our PATH later on):

cd /usr/local/sbin
tar xvfz detection_tool.tar.gz

You should then find the contents of the tar.gz file in the /usr/local/sbin/detection_tool directory.

There are two ways of installing the detection tool: you can either use the pre-compiled binary that you can find in the /usr/local/sbin/detection_tool/pre-compiled directory, or you compile it yourself. I'll show both ways now.


1.1 Use The Pre-Compiled Binary

To use the pre-compiled binary, we can either simply create a symlink called rst_detection_tool from the /usr/local/sbin directory to detection_tool/pre-compiled/detection_tool:

cd /usr/local/sbin
ln -s detection_tool/pre-compiled/detection_tool rst_detection_tool

Or we move detection_tool/pre-compiled/detection_tool to /usr/local/sbin and rename it to rst_detection_tool:

cd /usr/local/sbin
mv detection_tool/pre-compiled/detection_tool rst_detection_tool


1.2 Build The Detection Tool From The Sources

To compile the detection tool from the sources, we first install the package build-essential:

apt-get install build-essential

Afterwards we build the detection tool as follows:

cd /usr/local/sbin/detection_tool

This creates the program /usr/local/sbin/detection_tool/detection_tool. I want to have it directly in the /usr/local/sbin directory and name it rst_detection_tool, so we can either create a symlink:

cd /usr/local/sbin
ln -s detection_tool/detection_tool rst_detection_tool

Or we move detection_tool/detection_tool to /usr/local/sbin and rename it to rst_detection_tool:

cd /usr/local/sbin
mv detection_tool/detection_tool rst_detection_tool


2 Use The Linux/RST-B Detection Tool

Now we can use the detection tool as follows:

Outside the /usr/local/sbin directory:

rst_detection_tool [-v] <path>

Inside the /usr/local/sbin directory we must prepend ./:

./rst_detection_tool [-v] <path>

So if you want to scan your whole file system, you'd simply use:

rst_detection_tool /

or, if you are in /usr/local/sbin:

./rst_detection_tool /

On a clean system the output looks as follows:

server2:/usr/local/sbin# ./rst_detection_tool /
Sophos Rst-B Detection Tool
Copyright (c) 2008 Sophos Plc. All rights reserved.

Scanned 43134 files, found 0 infections of Linux/Rst-B.
End of scan.
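An added shell wrapper (not part of this guide or of the Sophos tool) that makes the scan usable from cron: it parses the summary line shown above and exits 0 for clean, 1 for infections and 2 when no summary was printed (tool missing, crashed or aborted), so a job that never finished is not mistaken for a clean result. It assumes rst_detection_tool is in PATH and that the summary always has the form "Scanned N files, found M infections of Linux/Rst-B."; the infected sample output is constructed for illustration.

```shell
#!/bin/sh
# rst_check_output: evaluate the tool's output passed as $1.
# Exit status: 0 = clean, 1 = infections found, 2 = no summary line.
# Assumption: a singular "1 infection" is accepted too, in case the
# tool prints it that way (the guide only shows "0 infections").
rst_check_output() {
    summary=$(printf '%s\n' "$1" \
        | grep -E '^Scanned [0-9]+ files, found [0-9]+ infections? of Linux/Rst-B\.$' \
        | tail -n 1)
    if [ -z "$summary" ]; then
        echo "rst_check: no scan summary found, scan did not complete" >&2
        return 2
    fi
    # Split the summary on whitespace: $2 = files scanned, $5 = infections.
    set -- $summary
    files=$2
    infections=$5
    if [ "$infections" -gt 0 ]; then
        echo "ALERT: $infections Linux/Rst-B infection(s) in $files files" >&2
        return 1
    fi
    echo "clean: $files files scanned, no Linux/Rst-B found"
    return 0
}

# rst_scan: run the tool on a path (default /) and evaluate its output;
# a non-zero exit from this function can trigger cron's mail to root.
rst_scan() {
    rst_check_output "$(rst_detection_tool "${1:-/}" 2>&1)"
}

# Sample outputs for a stand-alone run: the clean one is the guide's own
# output, the infected one is constructed for illustration.
CLEAN_SAMPLE='Sophos Rst-B Detection Tool
Copyright (c) 2008 Sophos Plc. All rights reserved.

Scanned 43134 files, found 0 infections of Linux/Rst-B.
End of scan.'
INFECTED_SAMPLE='Sophos Rst-B Detection Tool
Copyright (c) 2008 Sophos Plc. All rights reserved.

Scanned 43134 files, found 2 infections of Linux/Rst-B.
End of scan.'

rst_check_output "$CLEAN_SAMPLE"                          # exit status 0
rst_check_output "$INFECTED_SAMPLE" || echo "status $?"   # status 1
```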


Comments


Why isn't this issue listed in CERT? Is it that new?


No, it's not new, it's over 6 years old. The author seems to have missed the point of the original press release published by Sophos, which is that the Rst-B virus is a secondary infection which the more up-to-date tools that hackers are using are infected with (probably without realising).