If your system has been compromised, you shouldn't trust anything.
I think usually the standard utilities will mostly work correctly, but leave out stuff related to the attacker's processes. Rootkits are designed this way so you're less likely to notice that the machine is compromised. So I think you can generally trust them for looking at your own processes, but not for making sure a rootkit is gone.
If the attacker can load kernel modules, or otherwise modify the kernel, even the system calls and /proc API can lie. So even a clean copy of the user-space utilities like ps, or grep foo /proc/*/cmdline, won't tell you if there's a malicious process running. Any rootkit worth its salt will hide its own processes.
Every file on the entire system is like radioactive waste that can potentially contaminate other stuff if you aren't careful. For example, an attacker might have added something to /home/*/.bashrc to re-infect your system in case you reinstall the OS but don't check /home.
Similarly, there can be nasty stuff in your web server config, or in your CGI scripts, etc. Compare against backups, and don't assume anything is safe if the attacker could have touched it.
Definitely do any and all checking of untrusted data on a known-clean machine. As long as you don't run anything from the compromised system, you should be ok. (i.e. assuming cmp and diff don't have any vulnerabilities. But note that strings isn't safe on untrusted files, depending on the version of libbfd. Use strings -a.)
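The "compare against backups from a known-clean machine" step above, as an added example that is not part of the original answer: a small POSIX shell script that hashes a known-clean backup and a read-only mounted copy of the suspect filesystem with the clean host's own tools and reports added, removed and changed files (including dotfiles like .bashrc). It assumes the suspect tree is mounted on the clean host and that file paths contain no whitespace; the sample trees it builds are constructed demo input.

```shell
#!/bin/sh
# Added example, not from the original answer: on a known-clean machine,
# compare a mounted read-only copy of the compromised filesystem against a
# known-clean backup using only the trusted host's own tools. Files under
# the suspect tree are only read and hashed, never executed.
# Assumption: paths contain no whitespace (true for the constructed sample).
export LC_ALL=C

# hash_tree ROOT: print "relpath sha256" for every regular file, sorted by path.
hash_tree() {
    (cd "$1" && find . -type f | sort | while IFS= read -r f; do
        printf '%s %s\n' "$f" "$(sha256sum < "$f" | cut -d' ' -f1)"
    done)
}

# compare_tree CLEAN SUSPECT: print one line per difference,
# "added PATH", "removed PATH" or "changed PATH".
compare_tree() {
    c=$(mktemp) && s=$(mktemp) || return 1
    hash_tree "$1" > "$c"
    hash_tree "$2" > "$s"
    # join on the path; -a keeps unpaired lines, -e fills in the missing hash
    join -a1 -a2 -e MISSING -o 0,1.2,2.2 "$c" "$s" |
    while read -r path h1 h2; do
        if   [ "$h1" = MISSING ]; then echo "added $path"
        elif [ "$h2" = MISSING ]; then echo "removed $path"
        elif [ "$h1" != "$h2" ]; then echo "changed $path"
        fi
    done
    rm -f "$c" "$s"
}

# make_sample_trees ROOT: constructed demo input, a backup and a "suspect"
# copy that differ in the three ways the comparison reports.
make_sample_trees() {
    mkdir -p "$1/clean/home/alice" "$1/suspect/home/alice" "$1/suspect/var/www"
    for t in clean suspect; do
        printf 'export PATH="$HOME/bin:$PATH"\n' > "$1/$t/home/alice/.bashrc"
        printf 'hello\n' > "$1/$t/home/alice/notes.txt"      # identical in both
    done
    printf '# line present only on the suspect host\n' >> "$1/suspect/home/alice/.bashrc"
    printf 'old\n' > "$1/clean/home/alice/old.txt"           # only in the backup
    printf 'new\n' > "$1/suspect/var/www/new.cgi"            # only on the suspect host
}

# Stand-alone demo on the constructed trees.
demo_root=$(mktemp -d)
make_sample_trees "$demo_root"
compare_tree "$demo_root/clean" "$demo_root/suspect"
rm -rf "$demo_root"
```

On a real incident, point CLEAN at the backup and SUSPECT at the mount point of the imaged disk; every "changed" or "added" path is then something to inspect (with strings -a, not by running it).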