Scanning for rootkits with chkrootkit

Defense in depth is one of the basic tenets of server administration. Up-to-date, securely configured installations, a firewall, restricted SSH access and strong passwords are the front line.

But what about ‘inside’ the server? One method of monitoring the content of a server is to scan for rootkits on a regular basis.

Perhaps I should clarify what I mean by defense. Scanning for rootkits does not stop them; it is a detective control rather than a preventive one.

By that I mean that if your server has already been compromised, a scan will only tell you so. It will not remove the rootkit, and there is, to be blunt, not a lot you can do about it once it is there. By all means investigate, but the general consensus is that a compromised server should be rebuilt from scratch.

That sounds dramatic. Well, yes it does, and I don't have the space to go into everything here, but once someone has got past your defenses and planted a rootkit you can no longer trust anything on the box, including the very tools you would use to clean it, so you have little choice but to start again.

This article is about the scanning mechanism rather than how something may have entered your system. It is about checking the validity of the server content.

Scanning is easily done and can be automated, so you spend less time on mundane, repetitive administration tasks.

from: http://www.usefuljaja.com/2007/6/scanning-for-rootkits

We're going to install chkrootkit from source. It is available from most repositories, but building from source lets you see exactly what you are running. Note that the download on its own proves nothing (it has been known for security tools to be tampered with in transit or on a mirror), so compare the tarball with the MD5 sum published on the chkrootkit site before building it; a signed package from your distribution's repository is verified for you in the same way.

I hope I’m not projecting paranoia here but rather instilling sensible procedures in your server administration journey.

Let’s go. Log into your VPS and navigate to your sources directory:

cd ~/sources

Fetch the latest chkrootkit version:

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

Unpack the download and move into the new directory:

tar xvfz chkrootkit.tar.gz
cd chkrootkit-0.47

Note that in this example I downloaded and unpacked version 0.47. The wget command above always fetches the current release, so the directory you get may carry a newer version number; make sure you have at least 0.47 and adjust the cd command to match.

Now compile the program, which takes about a second (sense is the build target in the chkrootkit Makefile):

make sense

You can keep the folder in your sources directory or move the whole thing elsewhere more convenient for you. In this example, I will keep it in the sources directory.

To run chkrootkit, give the command as root. With su you would use su -c ./chkrootkit; with sudo, as used for the crontab below:

sudo ./chkrootkit

The checks are displayed as they run and scroll past quickly; any check that finds something prints INFECTED or a Warning line, and you will see these at the point the check runs rather than collected at the end. Running ./chkrootkit -q (quiet mode) prints only the suspicious results. A warning looks similar to this:

Warning: Possible Showtee Rootkit installed
/usr/include/file.h /usr/include/proc.h
You have 9 process hidden for readdir command
You have 11 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed

As already said and as recommended, if you are infected you need to reinstall from a fresh image. Bear in mind, though, that chkrootkit does produce false positives (a legitimate daemon listening on a port it associates with a bindshell, for example), so treat a warning as a prompt to investigate rather than as proof in itself.

Naturally, all this can be automated with a cron job. As the procedure needs to be run as root, enter the root crontab configuration:

sudo crontab -e

The recommended method (from the chkrootkit website), using the sources directory from this example, is as follows:

0 3 * * * (cd /home/paul/sources/chkrootkit-0.47; ./chkrootkit 2>&1 | mail -s "chkrootkit output" admin@yourdomain.com)

That runs the scan at 3am every day and emails the output to the specified address. It needs a working mail transfer agent on the server, and since it mails the full report every day you may prefer quiet mode, or a wrapper that only mails when something was flagged, so that findings are not lost among routine clean reports.
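Putting the checksum check and the cron job together, here is an added wrapper script (my example, not code from the original article or from the chkrootkit project) that verifies a downloaded tarball against a known MD5 sum before you build it, runs the scanner as root, keeps each day's report on disk, and mails the report only when chkrootkit printed an INFECTED or Warning line. The script path, the CHKROOTKIT_BIN, ADMIN_MAIL and REPORT_DIR variables and the sample report used to exercise the filter are all assumptions of mine; the scanner path follows the sources directory used above.

```shell
#!/bin/sh
# Added example, not code from the original article or the chkrootkit project.
# Assumptions (mine, not the page's): the scanner was built in
# /home/paul/sources/chkrootkit-0.47 as in the article; CHKROOTKIT_BIN,
# ADMIN_MAIL and REPORT_DIR are hypothetical names for that path, the mail
# recipient and a report directory; a working local MTA exists for mail(1).

CHKROOTKIT_BIN="${CHKROOTKIT_BIN:-/home/paul/sources/chkrootkit-0.47/chkrootkit}"
ADMIN_MAIL="${ADMIN_MAIL:-admin@yourdomain.com}"
REPORT_DIR="${REPORT_DIR:-/var/log/chkrootkit}"

# verify_md5 FILE EXPECTED: compare a downloaded tarball with the MD5 sum taken
# from the chkrootkit site before running "make sense". 0 on match, 1 otherwise.
verify_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        actual=$(md5sum "$1" | cut -d' ' -f1)
    else
        actual=$(md5 -q "$1")          # BSD / macOS spelling
    fi
    [ "$actual" = "$2" ]
}

# extract_findings: read a chkrootkit report on stdin and print only the lines
# that indicate a hit. chkrootkit flags hits with "INFECTED" (upper case) or
# "Warning:"; clean checks print "not infected", "not found" or "nothing found",
# which are lower case and therefore not matched by the case-sensitive grep.
extract_findings() {
    grep -E 'INFECTED|Warning:' || true
}

# count_findings: number of hit lines in the report on stdin.
count_findings() {
    extract_findings | wc -l | tr -d ' '
}

# run_scan: run chkrootkit as root, keep the full report on disk, and mail it
# only when something was flagged, so a clean daily run produces no mail.
# Returns 0 when clean, 1 when there were findings, 2 when not run as root.
run_scan() {
    [ "$(id -u)" -eq 0 ] || { echo "run_scan: must run as root" >&2; return 2; }
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/chkrootkit-$(date +%Y%m%d).log"
    "$CHKROOTKIT_BIN" >"$report" 2>&1
    hits=$(count_findings <"$report")
    if [ "$hits" -gt 0 ]; then
        mail -s "chkrootkit: $hits finding(s) on $(hostname)" "$ADMIN_MAIL" <"$report"
        return 1
    fi
    return 0
}

# sample_report: a constructed report (not captured from a real host) in the
# shape chkrootkit prints, with two hits among clean lines, used to exercise
# the filter without running the scanner.
sample_report() {
    cat <<'EOF'
Checking `ifconfig'... not infected
Checking `bindshell'... not infected
Searching for Showtee... Warning: Possible Showtee Rootkit installed
/usr/include/file.h /usr/include/proc.h
Checking `lkm'... You have 9 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed
Searching for suspicious files and dirs, it may take a while... nothing found
EOF
}

# sample_findings: number of hits the filter sees in the constructed report.
sample_findings() {
    sample_report | count_findings
}

# Only the "scan" argument runs the real scanner, so sourcing the file for its
# functions (or running it with no argument) is harmless.
if [ "${1:-}" = "scan" ]; then
    run_scan
fi
```

Install the script somewhere only root can write (say /usr/local/sbin/chkrootkit-cron.sh, an assumed path), and replace the crontab line with `0 3 * * * /usr/local/sbin/chkrootkit-cron.sh scan`. Before building a fresh tarball, run `verify_md5 chkrootkit.tar.gz <sum-from-the-website>` and stop if it returns non-zero. Because the filter matches only upper-case INFECTED and Warning: lines, a clean report stays silent; a genuine or false-positive hit mails you the whole report, which is what you want to read when deciding whether to investigate or rebuild.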

As you can see, actually installing and running the chkrootkit programme is pretty simple. I’ve added a bit of sysadmin ‘philosophy’ behind it so it may look like more effort than it actually is.
