Rootkit Check with Chkrootkit
Chkrootkit is a powerful tool for scanning a Linux server for trojans and rootkits. Let's install Chkrootkit, scan the Linux server, and set up a daily automated scanning job that emails a tidy report to me.
Installing CHKROOTKIT Version 0.42b (Sept. 20 2003)
1. Log in to the Linux server over SSH with your admin account. DO NOT use telnet; it should be disabled anyway.
2. Switch to root.
3. Type the following to get the program.
4. Unpack the tarball using the command.
5. Change to the directory it created.
6. Compile by typing
7. To use chkrootkit, just type the command
Everything it outputs should be ‘not found’ or ‘not infected’…
Important Note: If you see 'Checking `bindshell'... INFECTED (PORTS: 465)', read on. I'm running PortSentry/klaxon. What's wrong with the bindshell test? If you're running PortSentry/klaxon or another program that binds itself to otherwise unused ports, chkrootkit will probably give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp). Before dismissing the hit, confirm that the listener on the reported port really is that program.
8. Now, change to directory
9. Then remove the .gz file
Daily Automated System Scan with Emails Sending You a Report
1. While logged in over SSH, run the following:
2. Insert the following into the new file:
./chkrootkit | mail -s "Daily chkrootkit from Servername" email@example.com
– Replace 'yourinstallpath' with the actual path to where you unpacked Chkrootkit.
– Change 'Servername' to the name of the server you're running it on, so you know where the report is coming from.
– Change 'email@example.com' to the email address the script should mail the report to.
3. Now save the file in SSH:
4. Change the file permissions so we can run it:
5. If you like, you can run a test report manually in SSH to see how it looks:
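As an added example (not the original post's script), here is a fuller version of the daily-scan wrapper from step 2. It runs chkrootkit from its own directory, puts the flagged lines at the top of the mail with a subject that shows at a glance whether anything was found, and can drop the bindshell test when PortSentry/klaxon is known to hold those ports, as described in the note above. The install path, server name, mail address and the cron invocation are assumptions; the sample chkrootkit output embedded for offline dry-runs is constructed, not a real scan.

```shell
#!/bin/sh
# Daily chkrootkit wrapper (added example, not the original post's script).
# Assumed/hypothetical settings: adjust for your server.
CHKROOTKIT_DIR="${CHKROOTKIT_DIR:-/yourinstallpath/chkrootkit}"   # where the tarball was unpacked
SERVERNAME="${SERVERNAME:-Servername}"                            # shown in the mail subject
MAILTO="${MAILTO:-email@example.com}"                             # recipient of the report
# Set to "ignore-bindshell" only if you have confirmed PortSentry/klaxon holds the listed ports.
IGNORE_BINDSHELL="${IGNORE_BINDSHELL:-no}"

# Constructed sample output (not a real scan) so the filtering can be tried
# without chkrootkit installed.
SAMPLE_OUTPUT=$(cat <<'EOF'
ROOTDIR is `/'
Checking `ls'... not infected
Checking `ps'... INFECTED
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... not found
EOF
)

# findings: keep only the lines that report a problem (chkrootkit prints
# INFECTED or Warning; "not infected" is lower case and does not match).
findings() {
    grep -E 'INFECTED|Warning' || true
}

# count_findings: number of problem lines on stdin; with "ignore-bindshell"
# the bindshell test is dropped (the PortSentry/klaxon false positive).
count_findings() {
    if [ "${1:-}" = "ignore-bindshell" ]; then
        findings | grep -v 'bindshell' | grep -c . || true
    else
        findings | grep -c . || true
    fi
}

# subject_for: mail subject that makes a flagged scan obvious in the inbox.
subject_for() {
    if [ "$1" -gt 0 ]; then
        echo "ALERT: $1 chkrootkit finding(s) on $SERVERNAME"
    else
        echo "Daily chkrootkit from $SERVERNAME: clean"
    fi
}

# run_scan: run the real chkrootkit from its own directory if present,
# otherwise fall back to the constructed sample so the script can be dry-run.
run_scan() {
    if [ -x "$CHKROOTKIT_DIR/chkrootkit" ]; then
        (cd "$CHKROOTKIT_DIR" && ./chkrootkit) 2>&1
    else
        printf '%s\n' "$SAMPLE_OUTPUT"
    fi
}

# main: findings first, then the full report, all in one mail.
main() {
    report=$(run_scan)
    n=$(printf '%s\n' "$report" | count_findings "$IGNORE_BINDSHELL")
    {
        echo "Findings ($n):"
        printf '%s\n' "$report" | findings
        echo
        echo "--- full chkrootkit output ---"
        printf '%s\n' "$report"
    } | mail -s "$(subject_for "$n")" "$MAILTO"
}

# From cron, invoke as: RUN_SCAN=1 /path/to/chkrootkit-daily.sh
if [ "${RUN_SCAN:-0}" = 1 ]; then
    main
fi
```

Keeping the full output in the mail body, below the findings, means a clean subject line can still be spot-checked against the raw scan, and a sudden change in the set of tests run (or in the bindshell port list) is visible rather than silently filtered away.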
Now a nice report will be sent to me by email every day. In other words, I don't have to run the rootkit check manually.