Saturday, March 1, 2008

HOWTO: Linux/Rst-B Scanning

As much as we all love to rave about how secure *nix installs are, it -is- still possible to get infected by the one or two variants of malware out there. Some admins (myself included at points) get lulled into a sense of security knowing that we've got billions of Windows machines acting as human shields to protect us, but we do need to take steps to make sure we don't become part of the botnet brigade.

There is one piece of malware (Linux/Rst-B) that seems to be the most common issue (relatively speaking) for *nix, and there is a handy tool for detecting it. It comes with a pre-compiled binary for Debian (which works in Ubuntu as well).

We're going to put it in /usr/local/sbin, so that it is on the PATH later on:
sudo su -
cd /usr/local/sbin/
wget http://www.sophos.com/support/cleaners/detection_tool.tar.gz
tar xvfz detection_tool.tar.gz
I realize that you can just sudo the wget and extraction commands if you don't have write privs on sbin/, but hey, I'm lazy.

This will extract the detection_tool/ directory, which gives you the source and the pre-compiled binaries. To compile from source:
cd /usr/local/sbin/detection_tool
make
Link the pre-compiled binary into the sbin/ directory with a symlink:
ln -s /usr/local/sbin/detection_tool/pre-compiled/detection_tool /usr/local/sbin/rst_detection_tool

OR, if compiled from source:
ln -s /usr/local/sbin/detection_tool/detection_tool /usr/local/sbin/rst_detection_tool

To use:
rst_detection_tool [-v] (path)

So to scan the entire filesystem:
rst_detection_tool /

If all is well, you'll get this output:
root@ubuShock:/usr/local/sbin# rst_detection_tool /
Sophos Rst-B Detection Tool
---------------------------
Copyright (c) 2008 Sophos Plc. All rights reserved.

Scanned 681699 files, found 0 infections of Linux/Rst-B.
End of scan.
root@ubuShock:/usr/local/sbin#
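
An added example, not from the original post or from Sophos: a small POSIX-shell wrapper for running the scan from cron that reads the summary line shown above and turns it into an exit status, so a hit gets noticed rather than scrolling past in a log. It assumes the rst_detection_tool symlink set up above is on the PATH and that the tool prints the summary in the format shown; the log path is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post or from Sophos): cron-friendly
# wrapper around rst_detection_tool. The tool's own exit code is not
# documented in the post, so the wrapper classifies the scan from the
# "Scanned N files, found M infections of Linux/Rst-B." summary line instead.

# Extract the infection count from scan output read on stdin.
# Prints the number; prints nothing and fails if the summary line is absent,
# which also covers a scan that crashed or was killed before finishing.
rst_infection_count() {
    sed -n 's/^Scanned [0-9][0-9]* files, found \([0-9][0-9]*\) infections of Linux\/Rst-B\.$/\1/p' | grep .
}

# Classify a saved scan report: 0 = clean, 1 = infections found, 2 = incomplete.
rst_scan_status() {
    count=$(rst_infection_count < "$1") || return 2
    [ "$count" -eq 0 ] && return 0
    return 1
}

# Run the scan against a path (default: whole filesystem), keep the full
# report in a log file (placeholder path), and exit with the status above.
rst_scan() {
    path=${1:-/}
    log=${2:-/var/log/rst_scan.log}
    rst_detection_tool "$path" > "$log" 2>&1
    rst_scan_status "$log"
}
```

From cron, something like `rst_scan / || mail -s "Rst-B scan needs attention" root < /var/log/rst_scan.log` sends the report only when the scan found something or did not complete.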

Anyway, best of luck.

NOTE: This howto is taken from Howtoforge, which is a great place for howtos relating to Linux. I've altered it a bit to make it a bit easier to read IMHO.
