
Linux Detecting / Checking Rootkits with Chkrootkit and rkhunter Software December 1, 2010

Posted by Tournas Dimitrios in Linux.

This article is not an introduction to what a rootkit is; at the end I'll provide some links to articles that explain the basics and beyond. Let's get straight to the point: the two tools presented here do not prevent or protect your box from malicious intruders. They are run by you, after the fact, to check whether something has already happened. If you suspect you've been hacked, this is a good first step toward confirmation and diagnosis. All rootkits serve the same purpose: they prevent the intruder's malicious software from showing screen output to the unsuspecting user, they prevent it from leaving traces in the system logs, and they keep it from showing up in a "ps" or "top" process list. The main purpose of a rootkit is to allow intruders to come back to the compromised system later and access it without being detected; a rootkit makes this very easy by installing a backdoor remote-access daemon. You can try the following tools to detect Linux rootkits:

  • Chkrootkit Software
  • rkhunter software

These tools are not installed by default on any Linux distro, so they must be installed manually. For CentOS these packages are delivered from the EPEL repository. The installation is simple, just run the commands "yum install chkrootkit" and "yum install rkhunter".

Chkrootkit and rkhunter invoke a handful of standard Linux commands: awk, cut, egrep, find, head, id, ls, netstat, ps, strings, sed, and uname. If these programs have been compromised on your system, chkrootkit's and rkhunter's output cannot be trusted, because the checks are only as honest as the commands they are built on. So ideally you should keep a CD-ROM or write-protected floppy disk with known-good copies of these programs, and point the tools at it (see the -p and --bindir options below).

Be sure to use the latest version of chkrootkit  and rkhunter , which will be aware of the most recently discovered threats.

rkhunter:

rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It is a shell script that carries out various checks on the local system to try to detect known rootkits and malware. It also checks whether commands have been modified, whether the system startup files have been modified, and performs various checks on the network interfaces, including checks for listening applications.

rkhunter switches (run as root)
--check or -c  Begins the diagnosis. After completion, all results are written to the log file (/var/log/rkhunter.log).
--update  Causes rkhunter to check whether there is a later version of any of its text data files.
--check --bindir /mnt/safe  Tells rkhunter which directories to look in to find the various commands it requires (for example a mounted read-only medium with known-good binaries).
--propupd  If a test discovers that some programs have changed, but you are sure the changes are the result of a legitimate upgrade, you will want to record the new state with rkhunter so that it does not continually report them as problems. Note that rkhunter can only tell you that changes have occurred, not why they have changed; finding that out is your responsibility.
--cronjob  To run rkhunter as a cron job, or without user input, you must use this option. Otherwise, during the course of its scan, it will stop several times and ask the user to press "Enter".
--list rootkits  Lists some of the supported capabilities of the program, and then exits. If combined with the rootkits option, it lists the rootkits that rkhunter will search for. If no specific option is given, then all the lists are displayed.
-l, --logfile [file]  By default rkhunter writes a log file. The default location of the file is /var/log/rkhunter.log, but this location can be changed with this option. If /dev/null is specified as the log file, no log file is written. If no specific file is given, the default is used. By default rkhunter creates a new log file each time it is run; any previously existing log file is moved out of the way and has .old appended to it.


chkrootkit:

chkrootkit: a shell script that checks system binaries for rootkit modification.

chkrootkit command switches (run as root)
chkrootkit does not include man pages, so run "rpm -ql chkrootkit | grep README$"; this returns the location of a well documented README file (/usr/share/doc/chkrootkit-0.49/README on my CentOS 5 box). Use your favorite pager utility to read this file.
Set a cron job to run chkrootkit daily:

  • vi /etc/cron.daily/chkrootkit
  • Insert the following text into the file (the subshell captures the scan output and mails it; replace ServerNameHere and email@domain.com with your own values):

    #!/bin/sh
    # Run chkrootkit and mail the full report. cron's PATH is minimal, so the
    # binary is given with its full path (/usr/sbin/chkrootkit is where the
    # EPEL package installs it on CentOS).
    (
    /usr/sbin/chkrootkit
    ) | /bin/mail -s 'CHKROOTKIT Daily Run (ServerNameHere)' email@domain.com

  • chmod 700 /etc/cron.daily/chkrootkit
chkrootkit  Performs a test run immediately.
-p  Uses binaries from an external source; use this if you suspect that your system is compromised:

# chkrootkit -p /cdrom/bin

It is possible to add more paths with a ':'

# chkrootkit -p /cdrom/bin:/floppy/mybin

-r  Sometimes it is a good idea to mount the disk from a compromised machine on a machine you trust. Just mount the disk and specify a new root directory with the '-r' option.
-h  Displays a help screen with all options.
-l  Shows all available tests.
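Both tools are only as trustworthy as the awk, ps, netstat and friends they call, and both accept a directory of known-good copies (chkrootkit -p, rkhunter --bindir). The following helper, added here as an example and not part of the article or of either project, verifies that such a directory is complete and unmodified before it is handed to the scanners; the SHA256SUMS manifest name and the REQUIRED_TOOLS list are my own assumptions, the list being the commands the article names.

```shell
#!/bin/sh
# Constructed helper: validate a read-only "trusted tools" directory before
# passing it to "chkrootkit -p DIR" or "rkhunter --check --bindir DIR".

# Commands the article lists as invoked by chkrootkit and rkhunter.
REQUIRED_TOOLS="awk cut egrep find head id ls netstat ps strings sed uname"

# Write a SHA256 manifest for every required tool in DIR. Run this once on a
# known-clean system, before the medium is write-protected.
make_manifest() {
    ( cd "$1" && sha256sum $REQUIRED_TOOLS > SHA256SUMS )
}

# Return 0 only if every required tool is present, executable and matches the
# manifest; each problem is reported on stderr.
check_trusted_bins() {
    dir=$1
    rc=0
    for t in $REQUIRED_TOOLS; do
        if [ ! -x "$dir/$t" ]; then
            echo "missing or not executable: $dir/$t" >&2
            rc=1
        fi
    done
    if ! ( cd "$dir" && sha256sum -c --status SHA256SUMS ) >/dev/null 2>&1; then
        echo "manifest mismatch in $dir" >&2
        rc=1
    fi
    return $rc
}

# Print the names of tools whose live copy on this box differs from the
# trusted copy. A difference means the scanners' output cannot be trusted
# until explained; it may also be a package upgrade, so confirm with
# "rpm -Vf /path/to/tool" before accepting it.
diff_live_bins() {
    for t in $REQUIRED_TOOLS; do
        live=$(command -v "$t" 2>/dev/null) || continue
        if [ -f "$1/$t" ] && ! cmp -s "$live" "$1/$t"; then
            echo "$t"
        fi
    done
}

# Join one or more directories into the colon-separated list chkrootkit -p expects.
join_bindirs() {
    printf '%s' "$*" | tr ' ' ':'
}

# Typical use: check_trusted_bins /mnt/safe && chkrootkit -p "$(join_bindirs /mnt/safe)"
```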

Further reading:

  • man pages for rkhunter and  README file for chkrootkit
  • rkhunter Project home page
  • chkrootkit Project home page
