Things to check in an unknown Unix system
Daniel B. Cid
http://www.ossec.net/rootcheck/

The purpose of this article is to explain some important steps to check the integrity of a Unix system and to show how the rootcheck software looks for these possible problems.

1 - Check the binaries
2 - Check for hidden/malicious open ports
3 - Check the interfaces
4 - Check the passwd files
5 - Check the configuration files
6 - Check the log files
7 - Check for hidden processes
8 - Check for public rootkits
9 - Check the /dev
10 - Check the whole system for malicious files/directories

1 - Check the binaries

* The best way to keep the integrity of the binaries of a system is to create a list with the MD5 hashes of all the files (right after installation). Regularly compare this list with the current MD5 hashes of the files.

1.1 - Check the most important system binaries for possible trojan entries. (A lot of these entries are from chkrootkit.) I try to improve these "trojaned entries" to be as restrictive as possible. See the file db/bin.txt for more info.

2 - Check for hidden/malicious open ports

When an "attacker" breaks into your system, he will try to keep his access to it. To do that, attackers regularly install backdoors and try to hide them from the system admin.

2.1 - Check all the open ports (tcp and udp).
2.2 - Compare with the result of netstat. If some port is open and "netstat" is not listing it, it is because an attacker trojaned "netstat" or installed an LKM to hide this port.
2.3 - Check if any open port is one used by some rootkit.

3 - Check the interfaces

Generally, when a cracker breaks into a system, he will install a sniffer to try to get some passwords. To do this, he puts the ethernet interface in promiscuous mode.

3.1 - Check all interfaces to see if any is in promiscuous mode.
3.2 - If an interface is in promiscuous mode, check whether the "ifconfig" command shows that. If not, your "ifconfig" was trojaned.

4 - Check the password files

4.1 - Check that /etc/passwd has the same number of lines/users as /etc/shadow (/etc/master.passwd in OpenBSD).
4.2 - Check if any user has a blank password.
4.3 - Check if any "system user" has shell access.

5 - Check some important configuration files

5.1 - Check if any configuration file has some strange entry.
5.2 - Check some important configuration files for misconfiguration.
5.3 - Check the permissions of some configuration files.

6 - Check the log files

6.1 - Check /etc/syslog.conf and the files specified there. These files need to exist and cannot be a link to somewhere else.
6.2 - Check if syslogd is running.

7 - Check for hidden processes

7.1 - Check /proc and "ps" for hidden processes.

8 - Check for public rootkits

8.1 - Check the directories/files for possible rootkits.

9 - Check all files inside /dev

9.1 - Inside /dev, all the files must be devices. If you find any file that is not a device, look carefully at it.
9.2 - /dev/core must be a link to /proc/kcore (this can be different in some distributions).
9.3 - The only (normal) files allowed inside /dev/ are MAKEDEV and README.MAKEDEV.

10 - Check the whole system for malicious files and hidden directories/files

10.1 - Check all files whose name begins with a dot ".". This kind of file is hidden from a simple "ls" and cannot be inside /bin, /sbin/, /var/ or /lib.
10.2 - Check if any file name has a strange character, like @, & or %.
10.3 - Check the suid/sgid files.
10.4 - Check if any history file is linked (to /dev/null, for example).
10.5 - Check the modification date of some binaries.
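The password-file checks of section 4 (4.1 to 4.3), written out as an added example in Python; this is not rootcheck's own code. The passwd and shadow contents are constructed samples, and the UID boundary for "system users" and the list of non-login shells are assumptions that vary by distribution.

```python
# Constructed sample /etc/passwd and /etc/shadow contents (not from a real host).
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
ghost:x:1001:1001::/home/ghost:/bin/bash
"""
SHADOW = """root:$6$salt$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
alice::19000:0:99999:7:::
"""

# Assumptions: UIDs up to 999 are "system users"; these shells deny login.
SYSTEM_UID_MAX = 999
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_colon_file(text):
    """Map user name -> list of colon-separated fields, skipping blank lines."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def audit_accounts(passwd_text, shadow_text):
    """Return sorted (finding, user) tuples for checks 4.1, 4.2 and 4.3."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    # 4.1: every passwd user needs a shadow entry and vice versa.
    findings += [("missing-shadow", u) for u in passwd.keys() - shadow.keys()]
    findings += [("orphan-shadow", u) for u in shadow.keys() - passwd.keys()]
    # 4.2: an empty second field in either file means no password at all.
    for source in (passwd, shadow):
        for user, fields in source.items():
            if len(fields) > 1 and fields[1] == "":
                findings.append(("blank-password", user))
    # 4.3: a system account (low UID, not root) with a real login shell.
    for user, fields in passwd.items():
        if len(fields) < 7 or not fields[2].isdigit():
            findings.append(("malformed-entry", user))
            continue
        uid, shell = int(fields[2]), fields[6]
        if user != "root" and uid <= SYSTEM_UID_MAX and shell not in NOLOGIN_SHELLS:
            findings.append(("system-user-shell", user))
    return sorted(findings)
```

Run it against real files by reading /etc/passwd and /etc/shadow as root (on OpenBSD substitute /etc/master.passwd); an empty result list means the three checks passed.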