About Chkrootkit
chkrootkit is a collection of tools to detect the presence of rootkits, and is a gift to Linux systems administrators for two specific reasons:
- it is a free, open source utility, and available for multiple distros,
- it detects almost all the latest rootkits out there, since the open source community of contributors keeps it up to date.
Over time the chkrootkit scan engine has also become faster, which matters when running detailed kernel checks against the many kits it supports.
A few great features of chkrootkit are that it detects more than 60 old and new kits, is capable of detecting network interfaces in promiscuous mode, can efficiently detect altered lastlog and wtmp files (which in turn alerts admins about intrusions), has easy command-line access with straightforward options, and has a verbose output mode to help admins automate tasks. chkrootkit uses C and shell scripts to perform a detailed process check, and scans system binaries to detect kit signatures. Upon detection, in most cases, it can remove rootkits too. It also has a few algorithms that can report trends of a possible rootkit, even if it is not yet officially supported. The following table lists the chkrootkit internal programs and what each of them does.
| chkrootkit Program | Purpose |
|---|---|
| chkrootkit | Main script to check for tampered system files |
| strings.c | Detects and performs string replacement |
| ifpromisc.c | Checks network interfaces for promiscuous mode |
| chklastlog.c, chkwtmp.c | Checks if lastlog and wtmp entries are deleted |
| chkproc.c, chkdirs.c | Checks for Linux kernel module-based Trojans |
Installation
Follow these steps to install chkrootkit.
- Change to the source directory.
# cd /usr/local/src/
- Download chkrootkit from one of the mirrors.
# wget http://www.spenneberg.org/chkrootkit-mirror/files/chkrootkit.tar.gz
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
- Unpack the chkrootkit tarball you just downloaded.
# tar -xvzf chkrootkit.tar.gz
- Change to the new directory (the name carries the version you downloaded).
# cd chkrootkit-*
- Compile chkrootkit.
# make sense
- Run chkrootkit.
# ./chkrootkit
How to set up a daily scan report
- Open the root crontab for editing.
# crontab -e
- Add this line at the top (it runs the scan at 01:00 every day and mails the full output; the quotes around the subject must be plain ASCII double quotes, or the shell will split the subject into separate arguments):
0 1 * * * (cd /usr/local/src/chkrootkit*; ./chkrootkit 2>&1 | mail -s "chkrootkit output" email@domain.com)
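The cron line above mails the whole scan log every night, which admins soon stop reading. The following wrapper, an added example that is not part of the chkrootkit project, mails only the lines that flag something and exits non-zero in that case; the install path under /usr/local/src, the script path /usr/local/sbin/chkrootkit-report.sh and the sample scan lines are assumptions.

```shell
#!/bin/sh
# Added example (not chkrootkit's own code): a wrapper for the daily cron job that
# mails only when chkrootkit reports something, instead of the full log every night.
# Assumed paths: chkrootkit unpacked under /usr/local/src/chkrootkit-* (as installed
# above) and this script saved as /usr/local/sbin/chkrootkit-report.sh.

# Keep only the lines an admin must look at. Reads chkrootkit output on stdin.
# chkrootkit prints "not infected" in lower case, so the upper-case INFECTED
# pattern does not match the clean lines.
chkrootkit_findings() {
    grep -E 'INFECTED|Warning|PACKET SNIFFER|PROMISC|process hidden'
}

# Constructed sample in the shape of a chkrootkit run (not a real scan),
# used when the tool is not installed so the script can be exercised anywhere.
sample_output() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `basename'... not infected
Checking `bindshell'... INFECTED PORTS: ( 465)
Checking `chkproc'... Warning: Possible LKM Trojan installed
Checking `sniffer'... eth0: not promisc and no packet sniffer sockets
Searching for suspicious files and dirs, it may take a while... nothing found
EOF
}

# Run the real scanner if present, otherwise fall back to the sample.
run_scan() {
    dir=$(ls -d /usr/local/src/chkrootkit-* 2>/dev/null | head -n 1)
    if [ -n "$dir" ] && [ -x "$dir/chkrootkit" ]; then
        (cd "$dir" && ./chkrootkit 2>&1)
    else
        sample_output
    fi
}

# Mail the findings to $1 and return non-zero if there were any, so cron's own
# failure notification fires even when local mail delivery is broken.
report() {
    findings=$(run_scan | chkrootkit_findings) || true
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | mail -s "chkrootkit findings on $(hostname)" "$1"
    return 1
}

# Cron entry for the assumed path:
# 0 1 * * * /usr/local/sbin/chkrootkit-report.sh email@domain.com
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```

Tune the grep pattern to your hosts: a busy system can produce a transient "Possible LKM Trojan" warning from chkproc, so treat a finding as a prompt to investigate the machine, not as proof of compromise.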