Educause Security Discussion mailing list archives

Re: Rootkit discovery tools


From: David Taylor <ltr () ISC UPENN EDU>
Date: Tue, 27 Jun 2006 10:26:19 -0400

Hi Caroline,

From the local machine that you want to identify as having a rootkit or not
(this could be scripted, btw) you would do a netstat -nao > netstat.txt.
You would then use nmap to do a full port scan (nmap -sS -P0 -p- ip).
Compare the results of the nmap scan against the results of the netstat.  If
you see an open port in the nmap scan that does not show up on the local
netstat it would indicate a possible rootkit.

Computer Manager is the Computer Management Console.  Sorry for the
confusion.  You will need admin access to the remote system as well as
access through a firewall if applicable.  You simply right click on
"Computer Management" from within the Computer Management console and choose
"Connect to another computer".  From there you can look through the services
and compare what is showing up locally.  If something shows up from the
remote console that doesn't show up in the local one it is likely a rootkit
hiding it.  You can also remotely stop the service the rootkit is running on
(most of the time).

And good for you on rebuilding the systems if they are compromised!


On 6/27/06 9:42 AM, "Caroline Couture" <caroline () pobox upenn edu> wrote:

Hey Dave,

I saw this post on the security list and I had some questions about it.


Quoting David Taylor <ltr () ISC UPENN EDU>:
[snip]
Do a netstat -nao on the local machine and then do a remote port scan with a
tool such as nmap.  If something shows up in the nmap scan that doesn't show
as listening on the netstat there is likely a rootkit.

How would you do this kind of scan? Would you have the computer on the network and
scan the ip with nmap or do something else so the computer is not live on the
network?
 
Also, connecting to the remote system with computer manager will let you
see hidden services.  Open the services on the local machine and compare to
the remote listing.  This goes for the registry as well.

Not sure what you mean by this? Can you explain? I don't know what computer
manager is. There is Computer Management, part of admin tools in control
panel,
that lets you see local services running? How do you look at services
remotely?

Thanks for answering these questions if you can, and if you have the time.. I
always want to learn new things. Even if the system usually gets rebuilt
anyway. :)

Caroline


==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==================================================

Penn Information Security RSS feed
http://www.upenn.edu/computing/security/rss/rssfeed.xml
Add link to your favorite RSS reader
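The netstat-versus-nmap cross-check described in the thread, written up as an added Python example (not code from the original posts). It assumes Windows-style `netstat -nao` output and normal nmap output pasted into text; both samples below are constructed, and port 31337 is a placeholder standing in for a port that only the external scanner sees.

```python
import re

# Constructed sample of "netstat -nao" as run on the suspect Windows host.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:3389      192.168.1.5:51234      ESTABLISHED     1120
  UDP    0.0.0.0:123            *:*                                    1044
"""

# Constructed sample of "nmap -sS -P0 -p- 192.168.1.20" run from another machine.
NMAP_SAMPLE = """
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
31337/tcp open  Elite
"""

# TCP lines in LISTENING state; the port is the number after the last colon
# of the local address, so IPv6 forms such as [::]:135 parse as well.
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", re.M)
# Only open TCP ports matter, since -sS is a TCP SYN scan.
NMAP_RE = re.compile(r"^(\d+)/tcp\s+open\b", re.M)

def local_listeners(netstat_text):
    """Return {port: pid} for every TCP listener the host itself reports."""
    return {int(p): int(pid) for p, pid in NETSTAT_RE.findall(netstat_text)}

def remote_open(nmap_text):
    """Return the set of TCP ports the external nmap scan found open."""
    return {int(p) for p in NMAP_RE.findall(nmap_text)}

def compare(netstat_text, nmap_text):
    """hidden: open from outside but absent locally (possible rootkit).
    unreachable: listening locally but not seen by the scan (usually a
    host or network firewall, not by itself a sign of compromise)."""
    local = local_listeners(netstat_text)
    remote = remote_open(nmap_text)
    return sorted(remote - local.keys()), sorted(local.keys() - remote)

if __name__ == "__main__":
    hidden, unreachable = compare(NETSTAT_SAMPLE, NMAP_SAMPLE)
    print("open remotely, hidden locally:", hidden)
    print("listening locally, not reachable:", unreachable)
```

For a real check, redirect both commands to files and pass their contents in place of the samples; a non-empty `hidden` list is the discrepancy David describes.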
