Can we trust the information displayed by the Linux utility commands for a vulnerable machine?

As the system is compromised, nothing is to be trusted by way of tools. Unless you have the tools validated (e.g. Tripwire FIM), your best bet is to take a similar system and copy over what is necessary, which should run if the systems are similar in architecture, etc. This is not the optimal method, though. Because the machine is compromised, depending on your next steps (legal, authorities, etc.), you would create a forensic image, then deal with what occurred as you have your copy. Once you have your copy, you need to determine the risk associated with putting the system back online, etc.

If you have determined how an attacker got onto the system, you would need to clean up that 'hole' (vulnerability, misconfiguration) in order to be sure they don't return. Sometimes this can be more time-consuming than installing a clean system. But let's say you need 'that' system. You could reinstall ps with something like: apt-get install --reinstall procps. The same applies to lsof. You would want to make sure your repos were not changed, and that your DNS is not pointing to a non-trusted repo.

For the most part, to answer your question ("Can we trust the information displayed by the Linux utility commands?"): the answer is that you absolutely should not. Little on that system should be trusted until a thorough analysis is performed.


If your system has been compromised, you shouldn't trust anything.

I think usually the standard utilities will mostly work correctly, but leave out stuff related to the attacker's processes. Rootkits are designed this way so you're less likely to notice that the machine is compromised. So I think you can generally trust them for looking at your own processes, but not for making sure a rootkit is gone.


If the attacker can load kernel modules, or otherwise modify the kernel, even the system calls and /proc API can lie. So even a clean copy of the user-space utilities like ps, or grep foo /proc/*/cmdline, won't tell you if there's a malicious process running. Any rootkit worth its salt will hide its own processes.

Every file on the entire system is like radioactive waste that can potentially contaminate other stuff if you aren't careful. For example, an attacker might have added something to /home/*/.bashrc to re-infect your system in case you reinstall the OS but don't check /home.

Similarly, there can be nasty stuff in your web server config, or in your CGI scripts, etc. Compare against backups, and don't assume anything is safe if the attacker could have touched it.


Definitely do any and all checking of untrusted data on a known-clean machine. As long as you don't run anything from the compromised system, you should be OK (i.e. assuming cmp and diff don't have any vulnerabilities). But note that strings isn't safe on untrusted files, depending on the version of libbfd; use strings -a.
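The "compare against backups on a known-clean machine" step from the answer above, as an added example that is not part of the original answer: it hashes every regular file in a known-clean backup tree and in a mounted (read-only) forensic image tree, and reports what was added, removed or modified, so changes such as an altered .bashrc, a replaced /bin/ps or a new CGI script stand out. Paths and file contents in build_sample() are constructed here for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def walk_files(root: Path) -> dict:
    """Map path-relative-to-root -> sha256; symlinks are skipped, not followed."""
    out = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            out[str(p.relative_to(root))] = sha256_of(p)
    return out

def compare_trees(clean_root, suspect_root) -> dict:
    """Diff a known-clean backup against the suspect image; run on a clean host."""
    clean, suspect = walk_files(Path(clean_root)), walk_files(Path(suspect_root))
    return {
        "added": sorted(set(suspect) - set(clean)),
        "removed": sorted(set(clean) - set(suspect)),
        "modified": sorted(p for p in clean.keys() & suspect.keys() if clean[p] != suspect[p]),
    }

def build_sample() -> tuple:
    """Constructed sample data: a clean backup and a suspect image that differ."""
    base = Path(tempfile.mkdtemp())
    clean, suspect = base / "clean", base / "suspect"
    for root in (clean, suspect):
        (root / "home/alice").mkdir(parents=True)
        (root / "etc/apache2").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "home/alice/.bashrc").write_text("alias ll='ls -l'\n")
        (root / "etc/apache2/apache2.conf").write_text("ServerName example\n")
        (root / "bin/ps").write_bytes(b"\x7fELF-clean")  # placeholder, not a real binary
    (suspect / "home/alice/.bashrc").write_text("alias ll='ls -l'\n# unexpected appended line\n")
    (suspect / "usr/lib/cgi-bin").mkdir(parents=True)
    (suspect / "usr/lib/cgi-bin/x.cgi").write_text("#!/bin/sh\n")  # file only in the image
    (suspect / "bin/ps").write_bytes(b"\x7fELF-modified")  # replaced utility
    (clean / "etc/motd").write_text("welcome\n")  # file missing from the image
    return clean, suspect

if __name__ == "__main__":
    for kind, paths in compare_trees(*build_sample()).items():
        print(kind, paths)
```

Point clean_root at the backup and suspect_root at the mount point of the forensic image; anything listed under "modified" or "added" in /home, /etc or /bin deserves a manual look before the system goes back online.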


Probably, but not necessarily. The attacker could always replace the programs with modified versions of their own if they had root access.