WHMXtra - Making Life Easier

SSH Rootkit Test

Tests SSH, OpenSSL and libkeyutils to see if they have been compromised. These quick tests do not guarantee that your server has not been compromised; they only help determine whether these binaries have been compromised.

Note: In Demo mode, example data is provided rather than actually running the tests.

Testing SSH Binary for Illegal -G option: Appears Clean

Testing Binaries for Valid Signatures:

Testing OpenSSH: Signature : RSA/SHA1, Sun Nov 24 14:32:56 2013, Key ID 0858fca2c105b9de

Testing OpenSSH Server: Signature : RSA/SHA1, Sun Nov 24 14:32:56 2013, Key ID 0858fca2c105b9de

Testing OpenSSL: Signature : RSA/SHA1, Sun Nov 24 14:32:56 2013, Key ID 0858fca2c105b9de

Testing KeyUtils Libraries: Signature : RSA/SHA1, Sun Nov 24 14:32:56 2013, Key ID 0858fca2c105b9de

If any of the above returns "No Signature", that binary is likely infected: remove and reinstall it ASAP, then reboot the box and change your root password. You should also consider employing the services of a security expert to determine how much damage has been done to your system.

Testing for possible malicious SUID Binaries: