chkrootkit
chkrootkit is a tool to locally check for signs of a rootkit. chkrootkit is a common unix-based program intended to help system administrators check their system for known rootkits. It works by using several mechanisms, including comparison of file signatures to known rootkits, checking for suspicious activity (processes listed in the proc filesystem but not in the output of the ‘ps’ command.
Log to the server with
Download chkrootkit.
Unpack the chkrootkit you just downloaded.
go to that directory
Compile
Run
ssh as root userDownload chkrootkit.
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gzUnpack the chkrootkit you just downloaded.
# tar xvzf chkrootkit.tar.gzgo to that directory
# cd chkrootkitCompile
# make senseRun
# chkrootkitReceive e-mail everyday with the result chkrootkit
For Root user
For any user
For Root user
# crontab -e For any user
# crontab -e -u usernameand add
0 3 * * * (./usr/sbin/chkrootkit 2>&1 | mail -s "chkrootkit output" -c [email protected],[email protected] [email protected]) * the correct path can be found with
This will run chkrootkit at 3:00 am every day, and e-mail the output to
which chkrootkit This will run chkrootkit at 3:00 am every day, and e-mail the output to
[email protected] and copies to [email protected] and [email protected]False alarms:
"Checking `bindshell'... INFECTED (PORTS: 465)" This is normal and NOT really a rootkit.
Nota
If you ever get a positive alarm, you can try to remove the rootkit, but all professionals would advice you to reinstall the server from scratch, and restore a previous backup (that mean saving nothing from server as soon as the rootkit is revealed….)
If you ever get a positive alarm, you can try to remove the rootkit, but all professionals would advice you to reinstall the server from scratch, and restore a previous backup (that mean saving nothing from server as soon as the rootkit is revealed….)
Links
chkrootkit
