Rootkit Check with Chkrootkit

Chkrootkit is a powerful tool for scanning a Linux server for trojans. Let's install Chkrootkit, scan the Linux server and set up a daily automated scanning job that emails a nicely formatted report to me.

Installing CHKROOTKIT Version 0.42b (Sept. 20 2003)

1. Log in to the Linux server over SSH with the admin account. DO NOT use telnet; it should be disabled anyway.

2. Switch to root.

su -

3. Type the following to get the program.

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

4. Unpack the tarball using the command.

tar xvzf chkrootkit.tar.gz

5. Change to the directory it created.

cd chkrootkit*

6. Compile by typing

make sense

7. To use chkrootkit, just type the command

./chkrootkit

Everything it outputs should be 'not found' or 'not infected'.

Important Note: If you see "Checking `bindshell'... INFECTED (PORTS: 465)", read on. I'm running PortSentry/klaxon, so what's wrong with the bindshell test? If you're running PortSentry/klaxon or another program that binds itself to unused ports, chkrootkit will probably give you a false positive on the bindshell test, which looks at ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp and 60001/tcp.

8. Now change back to the parent directory:

cd ..

9. Then remove the .gz file

rm chkrootkit.tar.gz

Daily Automated System Scan with Emails Sending You a Report

1. While in SSH run the following:

pico /etc/cron.daily/chkrootkit.sh

2. Insert the following to the new file:

#!/bin/bash
cd /yourinstallpath/chkrootkit-0.42b/
./chkrootkit | mail -s "Daily chkrootkit from Servername" admin@youremail.com

Important:
- Replace 'yourinstallpath' with the actual path to where you unpacked Chkrootkit.
- Change 'Servername' to the name of the server you're running it on, so you know where the report is coming from.
- Change 'admin@youremail.com' to the email address the script should mail the report to.

3. Now save the file in SSH:

Ctrl+X then type Y

4. Change the file permissions so we can run it:

chmod 755 /etc/cron.daily/chkrootkit.sh

5. If you like, you can run a test report manually in SSH to see how it looks:

cd /etc/cron.daily/
./chkrootkit.sh

Now a nice report will be sent to me by email every day. In other words, I don't have to run the rootkit check manually.
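The daily script above mails the whole chkrootkit report, and the bindshell note above explains that a port sentinel such as PortSentry can make one line read INFECTED every day. The following shell functions are an added example, not part of the original post or of chkrootkit: they pull only the INFECTED lines out of chkrootkit's output and drop a bindshell hit whose ports are all ones the sentinel is known to hold, so a cron wrapper can tell a real finding from the known false positive. The sample output and the EXPECTED_SENTINEL_PORTS value (465, the port from the note) are constructed assumptions for this host.

```shell
#!/bin/sh
# Ports a port sentinel (PortSentry/klaxon) is expected to hold on this
# host. 465 is the example from the bindshell note; adjust for your setup.
EXPECTED_SENTINEL_PORTS="465"

# Read chkrootkit output on stdin and print only real findings: every
# INFECTED line, except a bindshell hit whose ports are all expected.
chkrootkit_findings() {
    while IFS= read -r line; do
        case "$line" in
            *INFECTED*) ;;          # candidate finding, examined below
            *) continue ;;          # "not infected", "not found", etc.
        esac
        case "$line" in
            *bindshell*)
                # Pull "465 31337" out of "... INFECTED (PORTS:  465 31337)".
                ports=$(printf '%s\n' "$line" | sed 's/.*PORTS: *//; s/).*//')
                unexpected=""
                for p in $ports; do
                    case " $EXPECTED_SENTINEL_PORTS " in
                        *" $p "*) ;;                       # sentinel port
                        *) unexpected="$unexpected $p" ;;   # nobody should own it
                    esac
                done
                if [ -n "$unexpected" ]; then printf '%s\n' "$line"; fi
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
    return 0
}

# Succeeds (exit 0) when the output on stdin contains no real findings.
chkrootkit_is_clean() {
    [ -z "$(chkrootkit_findings)" ]
}

# Constructed sample of chkrootkit output, not captured from a real host:
# one genuine hit and the PortSentry false positive on 465/tcp.
sample_output() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `ifconfig'... not infected
Checking `login'... INFECTED
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `sniffer'... eth0: not promisc and no packet sniffer sockets
EOF
}

# Stand-alone demo: only the `login' line should survive the filter.
sample_output | chkrootkit_findings
```

In the cron job, replace the sample with `./chkrootkit | chkrootkit_findings` and pipe the result to `mail` so the message carries only the lines that need attention.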
