Saturday, July 5, 2014

8:24 PM

chkrootkit is a shell script that examines your system's binaries for signs of rootkit modification. It is a security scanner that helps administrators check the local system for signs that it has been infected with a 'rootkit'.

A rootkit is malicious software that takes control of your system once installed. It also acts as a backdoor into your system, without the system's users knowing of its presence.


1. Download and Installation of chkrootkit

First login as root, then issue these commands:

# cd /usr/local/src
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
# tar -zxvf chkrootkit.tar.gz
# mkdir /usr/local/chkrootkit
# mv /usr/local/src/chkrootkit*/* /usr/local/chkrootkit
# cd /usr/local/chkrootkit
# make sense


The directory contains:
  • chkrootkit: a shell script that checks system binaries for rootkit modification.
  • ifpromisc.c: checks if the network interface is in promiscuous mode.
  • chklastlog.c: checks for lastlog deletions.
  • chkwtmp.c: checks for wtmp deletions.
  • check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
  • chkproc.c: checks for signs of LKM trojans.
  • chkdirs.c: checks for signs of LKM trojans.
  • strings.c: quick and dirty strings replacement.
  • chkutmp.c: checks for utmp deletions. 

2. Setting up a CronJob
A cron job runs the scan on a schedule and emails the results to the address you specify.

Create the run file in the following location:
# vim /etc/cron.daily/chkrootkit.sh

Then add the following shell script lines (the command to run is the chkrootkit script inside the install directory, not the directory itself):

#!/bin/sh
(
/usr/local/chkrootkit/chkrootkit
) | /bin/mail -s 'CHKROOTKIT Daily Run (PutYourServerNameHere)' your@email.here

Then set execution permission:
# chmod 700 /etc/cron.daily/chkrootkit.sh

Important: Remember to change (PutYourServerNameHere) AND your@email.here to a valid server name / e-mail address.

3. Manual Scan
You can initiate a manual scan by issuing the following command as root:

# /usr/local/chkrootkit/chkrootkit

Your scan results should look as follows:
    ROOTDIR is `/'
    Checking `amd'...                                           not found
    Checking `basename'...                                      not infected
    Checking `biff'...                                          not found
    Checking `chfn'...                                          not infected
    Checking `chsh'...                                          not infected
    Checking `cron'...                                          not infected
    Checking `crontab'...                                       not infected
    Checking `date'...                                          not infected
    Checking `du'...                                            not infected
    .
    .
    .
    Checking `sniffer'...                                       lo: not promisc and no packet sniffer sockets
    eth0: PACKET SNIFFER(/sbin/dhclient[1126])
    Checking `w55808'...                                        not infected
    Checking `wted'...                                          chkwtmp: nothing deleted
    Checking `scalper'...                                       not infected
    Checking `slapper'...                                       not infected
    Checking `z2'...                                            chklastlog: nothing deleted
    Checking `chkutmp'...                                       chkutmp: nothing deleted
    Checking `OSX_RSPLUG'...                                    not infected

The status in the right-hand column means:

INFECTED: the test has identified a command probably modified by a known rootkit.
not infected: the test didn't find any known rootkit signature.
not tested: the test was not performed. This can happen when: a) the test is OS specific; b) the test depends on an external program that is not available; c) specific command line options were given (e.g. -r).
not found: the command to be tested is not available.
Vulnerable but disabled: the command is infected but not in use (not running, or commented out in inetd.conf).
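The cron script in step 2 mails every run, clean or not, and the sample output in step 3 shows why that gets noisy: dhclient's packet socket trips the sniffer check on every scan. Below is an added example (not part of chkrootkit or this post) of a cron wrapper that triages the output against the legend above and only mails when something is left to look at; the install path and mail recipient follow steps 1 and 2, and the allowlist entry and sample lines are constructed.

```shell
#!/bin/sh
# Added example for this post, not part of chkrootkit. Assumes the install
# location from step 1 and the /bin/mail recipient placeholder from step 2.
CHKROOTKIT=/usr/local/chkrootkit/chkrootkit
# Result phrases from the legend in step 3 that deserve a human look.
# "Warning:" is what chkproc prints for a possible LKM trojan.
FINDING_RE='INFECTED|Vulnerable but disabled|PACKET SNIFFER|Warning:'

# Reviewed false positives to drop (constructed): dhclient holding a packet
# socket is the usual cause of the PACKET SNIFFER line in the run above.
# Add one alternative per reviewed case, never a bare "PACKET SNIFFER".
ALLOW_RE='PACKET SNIFFER\(/sbin/dhclient\['
# Reads chkrootkit output on stdin, prints the lines left after the
# allowlist, and returns 1 if any remain (0 when the run is clean).
triage_chkrootkit() {
    findings=$(grep -E "$FINDING_RE" | grep -Ev "$ALLOW_RE" || true)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Cron entry point: scan, mail only when triage finds something, and
# include the full output so the reader has context.
run_and_mail() {
    host=$(hostname)
    out=$("$CHKROOTKIT" 2>&1)
    if findings=$(printf '%s\n' "$out" | triage_chkrootkit); then
        return 0   # quiet day: no mail
    fi
    printf 'chkrootkit findings on %s:\n\n%s\n\nFull output:\n\n%s\n' \
        "$host" "$findings" "$out" |
        /bin/mail -s "chkrootkit ALERT ($host)" your@email.here
    return 1
}

# Constructed sample output, modelled on the run shown above, so the
# triage can be exercised without a real scan.
sample_clean() {
    printf '%s\n' \
        "Checking \`basename'...  not infected" \
        "Checking \`sniffer'...  lo: not promisc and no packet sniffer sockets" \
        "eth0: PACKET SNIFFER(/sbin/dhclient[1126])" \
        "Checking \`wted'...  chkwtmp: nothing deleted"
}
sample_suspect() {
    sample_clean
    printf '%s\n' \
        "Checking \`chsh'...  INFECTED" \
        "eth0: PACKET SNIFFER(/usr/sbin/tcpdump[2042])"
}
```

Replace the body of /etc/cron.daily/chkrootkit.sh with this file and append a single `run_and_mail` line at the end; the allowlist should only ever grow by entries you have personally verified on that host.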


This tool is useful for detecting malware and adds an extra security measure to your system. The more layers you have, the better your chance of mitigating an attack.

chkrootkit has been tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x; FreeBSD 2.2.x, 3.x, 4.x and 5.x; OpenBSD 2.x, 3.x and 4.x; NetBSD 1.6.x; Solaris 2.5.1, 2.6, 8.0 and 9.0; HP-UX 11; Tru64; BSDI; and Mac OS X.

For more info you can check out their website at http://chkrootkit.org/

Congratulations! You have now completed installing and configuring chkrootkit.
