How To Check If Your Server Is Infected With The Linux/Rst-B Backdoor (Debian Etch)
Version 1.0
Author: Falko Timme
Linux Rst-B is a backdoor that can be used to add your server to botnets (see http://www.heise.de/newsticker/meldung/103563 (in German)). This short guide explains how you can install and use the Sophos Linux/RST-B detection tool to check your Debian Etch server and find out if it is infected with Linux Rst-B.
I do not issue any guarantee that this will work for you!
1 Download And Install The Sophos Linux/RST-B Detection Tool
I want to install the Linux/RST-B detection tool in the /usr/local/sbin directory (so that the detection tool is in our PATH later on):
cd /usr/local/sbin
wget http://www.sophos.com/support/cleaners/detection_tool.tar.gz
tar xvfz detection_tool.tar.gz
You should then find the contents of the tar.gz file in the /usr/local/sbin/detection_tool directory.
There are two ways of installing the detection tool: you can either use the pre-compiled binary that you can find in the /usr/local/sbin/detection_tool/pre-compiled directory, or you compile it yourself. I'll show both ways now.
1.1 Use The Pre-Compiled Binary
To use the pre-compiled binary, we can either create a symlink named rst_detection_tool in the /usr/local/sbin directory that points to detection_tool/pre-compiled/detection_tool:
cd /usr/local/sbin
ln -s detection_tool/pre-compiled/detection_tool rst_detection_tool
Or we move detection_tool/pre-compiled/detection_tool to /usr/local/sbin and rename it to rst_detection_tool:
cd /usr/local/sbin
mv detection_tool/pre-compiled/detection_tool rst_detection_tool
1.2 Build The Detection Tool From The Sources
To compile the detection tool from the sources, we first install the package build-essential:
apt-get install build-essential
Afterwards we build the detection tool as follows:
cd /usr/local/sbin/detection_tool
make
This creates the program /usr/local/sbin/detection_tool/detection_tool. I want to have it directly in the /usr/local/sbin directory and name it rst_detection_tool, so we can either create a symlink:
cd /usr/local/sbin
ln -s detection_tool/detection_tool rst_detection_tool
Or we move detection_tool/detection_tool to /usr/local/sbin and rename it to rst_detection_tool:
cd /usr/local/sbin
mv detection_tool/detection_tool rst_detection_tool
2 Use The Linux/RST-B Detection Tool
Now we can use the detection tool as follows:
Outside the /usr/local/sbin directory:
rst_detection_tool [-v] <path>
Inside the /usr/local/sbin directory we must prepend ./:
./rst_detection_tool [-v] <path>
So if you want to scan your whole file system, you'd simply use:
rst_detection_tool /
or
./rst_detection_tool /
if you are in /usr/local/sbin.
On a clean system the output looks as follows:
server2:/usr/local/sbin# ./rst_detection_tool /
Sophos Rst-B Detection Tool
---------------------------
Copyright (c) 2008 Sophos Plc. All rights reserved.
Scanned 43134 files, found 0 infections of Linux/Rst-B.
End of scan.
server2:/usr/local/sbin#
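The scan above is run by hand, but on a server you will usually want it to run unattended and raise an alarm when the result is not "found 0 infections". The following wrapper is an added example (written for this edit, not part of the original howto and not Sophos code): it parses the summary line from the tool's output as shown above, maps it to an exit status, and logs to syslog when the result is not clean. It assumes the tool was installed as /usr/local/sbin/rst_detection_tool as described in section 1, and that the summary line keeps the format "Scanned N files, found M infections of Linux/Rst-B."; the two sample outputs inside the script are constructed for testing.

```shell
#!/bin/sh
# Added example wrapper around the Sophos Rst-B detection tool (not from the
# original article). Assumes the tool is installed as
# /usr/local/sbin/rst_detection_tool (section 1 of the howto).

# Extract the infection count from scanner output passed as $1.
# Prints the number, or "unknown" if no summary line was found.
rst_infection_count() {
    count=$(printf '%s\n' "$1" \
        | sed -n 's/.*found \([0-9][0-9]*\) infections\{0,1\} of Linux\/Rst-B\..*/\1/p' \
        | head -n 1)
    if [ -z "$count" ]; then
        echo unknown
    else
        echo "$count"
    fi
}

# Map scanner output to an exit status usable from cron or a monitoring check:
# 0 = clean, 1 = one or more infections reported, 2 = output not understood
# (e.g. the tool crashed or its output format changed).
rst_status() {
    case "$(rst_infection_count "$1")" in
        unknown) return 2 ;;
        0)       return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed sample outputs, modelled on the clean-system output shown in
# the article. Used for the self-checks below; not real scan results.
CLEAN_SAMPLE='Sophos Rst-B Detection Tool
---------------------------
Copyright (c) 2008 Sophos Plc. All rights reserved.
Scanned 43134 files, found 0 infections of Linux/Rst-B.
End of scan.'

INFECTED_SAMPLE='Sophos Rst-B Detection Tool
---------------------------
Copyright (c) 2008 Sophos Plc. All rights reserved.
Scanned 43134 files, found 2 infections of Linux/Rst-B.
End of scan.'

# Run the real scanner on a path (default: /) and log a non-clean result to
# syslog so a log monitor or SIEM can alert on it. Returns the rst_status code.
rst_scan() {
    scan_path=${1:-/}
    output=$(/usr/local/sbin/rst_detection_tool "$scan_path" 2>&1)
    rst_status "$output"
    rc=$?
    if [ "$rc" -ne 0 ]; then
        logger -t rst_check -p auth.crit \
            "Rst-B scan of $scan_path returned status $rc ($(rst_infection_count "$output") infections reported)"
    fi
    return "$rc"
}

# Only scan when explicitly asked, so the file can also be sourced for testing:
#   rst_check.sh --scan /
if [ "$1" = "--scan" ]; then
    rst_scan "$2"
fi
```

Dropping this into /etc/cron.daily (or calling it with --scan / from a cron entry) gives you a daily scan whose non-zero exit status and auth.crit syslog line can be picked up by whatever already watches the server; status 2 is kept separate from status 1 so that a broken scanner is noticed rather than silently reported as clean.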
3 Links
- Sophos Linux/RST-B Detection Tool: http://www.sophos.com/rst-detection-tool
- Debian: http://www.debian.org