
chkrootkit

chkrootkit is a tool to locally check for signs of a rootkit. It is a common Unix-based program intended to help system administrators check their systems for known rootkits. It works through several mechanisms, including comparing file signatures against those of known rootkits and checking for suspicious activity (for example, processes listed in the proc filesystem but missing from the output of the 'ps' command).

Log in to the server with ssh as the root user.

Download chkrootkit.
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

Unpack the chkrootkit you just downloaded.
# tar xvzf chkrootkit.tar.gz

Go to that directory.
# cd chkrootkit

Compile
# make sense

Run
# ./chkrootkit

 
•Receive an e-mail every day with the chkrootkit result
For the root user
# crontab -e
For any other user
# crontab -e -u username

and add

•0 3 * * * (/usr/sbin/chkrootkit 2>&1 | mail -s "chkrootkit output" -c mailadr[email protected],[email protected] [email protected])
* The correct path can be found with 'which chkrootkit'.
This will run chkrootkit at 3:00 am every day and e-mail the output to [email protected], with copies to [email protected] and [email protected].

False alarms:
 "Checking `bindshell'... INFECTED (PORTS: 465)"  This is normal and NOT really a rootkit: the bindshell check only looks for listeners on a fixed list of ports, and a legitimate mail service on port 465 (SMTPS) trips it. Confirm which process owns the listener (for example with 'ss -tlnp' or 'netstat -tlnp') before dismissing it.
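As an added example, not part of the original page: a small POSIX shell wrapper for the daily cron job above that keeps only INFECTED lines, drops the known-benign bindshell/465 line described under False alarms, and puts a clean/findings status in the mail subject. The /usr/sbin/chkrootkit path and the recipient argument are assumptions; the sample reports are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page. Wraps the daily chkrootkit
# cron job: keeps INFECTED lines, drops the known-benign bindshell/465 line,
# and tags the mail subject as clean or findings. Assumes chkrootkit lives at
# /usr/sbin/chkrootkit (adjust to "which chkrootkit") and a recipient in $1.

# Findings chkrootkit is known to report on this host for benign reasons.
# The bindshell check greps listening ports against a fixed list, so a
# legitimate service on 465 (SMTPS) trips it. Confirm the listener with
# "ss -tlnp" before adding a pattern here. A line listing more ports than
# 465 deliberately does NOT match and is still reported.
BENIGN_PATTERN="bindshell'\.\.\. INFECTED \(PORTS: +465\)"

# Read a chkrootkit report on stdin, print only findings worth a human's
# attention. Always exits 0 so it is safe under "set -e".
chkrootkit_findings() {
    grep -E 'INFECTED' | grep -Ev "$BENIGN_PATTERN" || true
}

# Read a report on stdin and print "clean" or "findings".
report_status() {
    if chkrootkit_findings | grep -q .; then echo findings; else echo clean; fi
}

# Run chkrootkit and mail the full report, status in the subject, to $1.
daily_report() {
    report=$(/usr/sbin/chkrootkit 2>&1) || true
    status=$(printf '%s\n' "$report" | report_status)
    printf '%s\n' "$report" | mail -s "chkrootkit [$status] $(hostname)" "$1"
}

# Constructed sample reports for illustration (not real output from the page).
sample_clean() {
    cat <<'EOF'
Checking `basename'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... chkproc: nothing detected
EOF
}

sample_infected() {
    sample_clean
    cat <<'EOF'
Checking `login'... INFECTED
EOF
}

# Cron line using this wrapper (hypothetical install path) instead of raw output:
# 0 3 * * * /usr/local/sbin/chkrootkit-report.sh root
```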

Note
If you ever get a positive alarm, you can try to remove the rootkit, but all professionals would advise you to reinstall the server from scratch and restore a previous backup (that means saving nothing from the server once the rootkit is revealed).

Links
chkrootkit
