chkrootkit

chkrootkit is a tool to locally check for signs of a rootkit. It is a common Unix-based program intended to help system administrators check their system for known rootkits. It works by using several mechanisms, including comparison of file signatures to known rootkits and checking for suspicious activity (processes listed in the proc filesystem but not in the output of the 'ps' command).

Log in to the server with ssh as the root user.

Download chkrootkit.
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

Unpack the chkrootkit you just downloaded.
# tar xvzf chkrootkit.tar.gz

Go to that directory
# cd chkrootkit

Compile
# make sense

Run
# chkrootkit

• Receive an e-mail every day with the chkrootkit result
For the root user
# crontab -e
For any other user
# crontab -e -u username

and add

0 3 * * * (/usr/sbin/chkrootkit 2>&1 | mail -s "chkrootkit output" -c [email protected],[email protected] [email protected])
* The correct path can be found with 'which chkrootkit'.
This runs chkrootkit at 3:00 am every day and e-mails the output to [email protected], with copies to [email protected] and [email protected].

False alarms:
"Checking `bindshell'... INFECTED (PORTS: 465)" is normal and NOT really a rootkit.
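The daily cron job above mails the raw output, including the bindshell/465 false alarm just mentioned. The following added example (not code from the chkrootkit project or from this post) wraps that daily run so the known false positive is dropped and mail is only sent when something else is flagged; the default binary path /usr/sbin/chkrootkit, the sample output and the recipient are assumptions.

```sh
#!/bin/sh
# Added example, not from the chkrootkit project or the original post: a
# wrapper for the daily cron run that drops the bindshell/465 false positive
# the post mentions and mails only the INFECTED lines that remain.

# The one false alarm named in the post: a listener on 465 flagged as bindshell.
BINDSHELL_FALSE_POSITIVE='bindshell.*INFECTED (PORTS: *465)'

# Constructed sample of chkrootkit output so the example runs offline.
sample_output() {
cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... chkproc: nothing detected
Checking `ls'... INFECTED
EOF
}

# Read chkrootkit output on stdin, drop the known false positive and print
# what is left. Returns 0 when nothing remains, 1 when there are findings.
triage() {
    findings=$(grep 'INFECTED' | grep -v -e "$BINDSHELL_FALSE_POSITIVE" || :)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run chkrootkit and mail only real findings to $1. $2 is the binary path
# (assumed default /usr/sbin/chkrootkit; the post says to confirm it with
# 'which chkrootkit'). A missing binary is an error (2), never a clean run.
daily_check() {
    recipient=$1
    chkrootkit_bin=${2:-/usr/sbin/chkrootkit}
    if [ ! -x "$chkrootkit_bin" ]; then
        echo "chkrootkit not found at $chkrootkit_bin" >&2
        return 2
    fi
    report=$("$chkrootkit_bin" 2>&1 | triage) && return 0
    printf '%s\n' "$report" | mail -s "chkrootkit findings on $(hostname)" "$recipient"
    return 1
}

# Stand-alone demonstration on the constructed sample (nothing is mailed).
sample_output | triage || echo "one real finding left after filtering"
```

In the crontab, replace the plain chkrootkit call with a call to daily_check so the 3:00 am job stays silent on clean days and on the known false alarm.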

Note
If you ever get a positive alarm, you can try to remove the rootkit, but any professional would advise you to reinstall the server from scratch and restore a previous backup (meaning that nothing is kept from the server once the rootkit is revealed).

Links
chkrootkit

About The Author

I worked with various insurance companies across Switzerland on online applications handling billion premium volumes. I love to continuously spark my creativity in many different and challenging open-source projects fueled by my great passion for innovation and blockchain technology. In my technical role as a senior software engineer and Blockchain consultant, I help to define and implement innovative solutions in the scope of both blockchain and traditional products, solutions, and services. I can support the full spectrum of software development activities, starting from analyzing ideas and business cases and up to the production deployment of the solutions. I'm the Founder and CEO of Disruptr GmbH.