chkrootkit
Friday, 20 July 2007 00:48
chkrootkit is a tool to locally check for signs of a rootkit. It is a common Unix-based program intended to help system administrators check their system for known rootkits. It works by using several mechanisms, including comparison of file signatures against those of known rootkits and checks for suspicious activity (for example, processes listed in the proc filesystem but absent from the output of the 'ps' command).

Log in to the server with ssh as the root user.

Download chkrootkit.
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

Unpack the chkrootkit archive you just downloaded.
# tar xvzf chkrootkit.tar.gz

Go to that directory.
# cd chkrootkit

Compile.
# make sense

Run it from the build directory (it is not on your PATH yet).
# ./chkrootkit

Receive an e-mail every day with the chkrootkit result

For the root user:
# crontab -e
For any other user:
# crontab -e -u username

and add

0 3 * * * (/usr/sbin/chkrootkit 2>&1 | mail -s "chkrootkit output" -c <cc-address>,<cc-address> <recipient-address>)

Note: the correct path can be found with which chkrootkit. Replace the placeholder addresses with your own.
This will run chkrootkit at 3:00 am every day, and e-mail the output to <recipient-address> with copies to the two <cc-address> recipients.

False alarms:
"Checking `bindshell'... INFECTED (PORTS: 465)" is normal and NOT really a rootkit.
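
A daily mail that always contains the same known false positive soon gets ignored. The following cron wrapper is an added example, not part of the original post or of chkrootkit itself: it runs the scan, drops findings that match an allowlist of known-benign lines (such as the bindshell/port 465 line above), and only sends mail when an unexpected finding remains. The binary path, the allowlist location, MAILTO and the install path in the cron line are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): a cron wrapper for chkrootkit
# that drops known false positives, such as the bindshell/port 465 line above,
# and only sends mail when an unexpected finding remains. The binary path,
# allowlist location, MAILTO and the install path in the cron line are assumptions.

CHKROOTKIT=${CHKROOTKIT:-/usr/sbin/chkrootkit}   # confirm with: which chkrootkit
ALLOWLIST=${ALLOWLIST:-/etc/chkrootkit.allow}    # one extended regex per line, e.g.:
                                                 # bindshell.*INFECTED \(PORTS: +465\)
MAILTO=${MAILTO:-root}

# filter_findings ALLOWLIST_FILE
# Reads a chkrootkit report on stdin and prints only the lines that flag
# something (INFECTED or Warning) and match no allowlist pattern.
# Prints nothing when the report is clean after filtering.
filter_findings() {
    allow=$1
    grep -E 'INFECTED|Warning' | {
        # a missing or empty allowlist drops nothing
        if [ -s "$allow" ]; then grep -v -E -f "$allow"; else cat; fi
    } || true   # grep exits 1 when no line is left; that is a clean report, not an error
}

# run_and_report
# Runs the scan, keeps the full report in a temp file and mails the filtered
# findings followed by the full report only when findings remain, so the
# daily mail is no longer noise that gets ignored.
run_and_report() {
    report=$(mktemp) || exit 1
    "$CHKROOTKIT" >"$report" 2>&1
    findings=$(filter_findings "$ALLOWLIST" <"$report")
    if [ -n "$findings" ]; then
        {
            echo "chkrootkit on $(hostname) reported unexpected findings:"
            echo "$findings"
            echo
            echo "---- full report ----"
            cat "$report"
        } | mail -s "chkrootkit ALERT on $(hostname)" "$MAILTO"
    fi
    rm -f "$report"
}

# Cron entry (assumed path): 0 3 * * * /usr/local/sbin/chkrootkit-cron.sh run
# The "run" argument keeps the scan from starting when the file is only sourced.
if [ "${1:-}" = run ]; then
    run_and_report
fi
```

Keep the allowlist patterns as narrow as possible (check name, verdict and port together), so that a new INFECTED line for the same check is still reported.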

Note
If you ever get a positive alarm, you can try to remove the rootkit, but all professionals would advise you to reinstall the server from scratch and restore a previous backup (that means saving nothing from the server once the rootkit is revealed).

Links
chkrootkit
Last Updated ( Friday, 20 July 2007 00:55 )