Linux Detecting / Checking Rootkits with Chkrootkit and rkhunter Software December 1, 2010Posted by Tournas Dimitrios in Linux.
This article is not an introduction for what a rootkit is , later I ‘ll provide you some links to articles that explains the basics and beyond . Lets get straight to the point , the 2 tools that will presented are not preventing or protecting your box from malicious intruders , they will be enabled by you to take action . If you suspect you’ve been hacked, this is a good first step toward confirmation and diagnosis . All rootkits serve the same purpose , that is, they prevent the intruder’s malicious software from showing screen output to the unsuspecting user, and they prevent the malicious software from leaving traces in the system logs. They also prevent the malicious software from showing up in a “ps” or “top” process list. The main purpose of a rootkit is to allow intruders to come back to the compromised system later and access it without being detected. A rootkit makes this very easy by installing a backdoor remote-access daemon . You can try the following tools to detect Linux rootkits:
- Chkrootkit Software
- rkhunter software
These tools are not installed by defauld on any Linux distro , so they must be installed “manually” . For CentOs these packages are delivered from the Epel repository . The installation is simple , just run the commands : “yum install chkrootkit ” and ” yum install rkhunter ” .
Chkrootkit and rkhunter invoke a handful of standard Linux commands , awk, cut, egrep, find, head , id, ls, netstat, ps, strings, sed, and uname. If these programs have been compromised on your system, chkrootkit‘s and rkhunter’s output cannot be trusted. So ideally, you should keep around a CD-ROM or write-protected floppy disk with these programs
Be sure to use the latest version of chkrootkit and rkhunter , which will be aware of the most recently discovered threats.
– rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. rkhunter is a shell script which carries out various checks on the local system to try and detect known rootkits and malware. It also performs checks to see if commands have been modified, if the system startup files have been modified, and various checks on the network interfaces, including checks for listening applications.
|rkhunter swithes (run as root)
|– – check or -c||Type the following command to begin the diagnosis . After completion all results have been written to the logfile (/var/log/rkhunter.log)|
|–update||This option causes rkhunter to check if there is a later version of any of its text data files|
|–check –bindir /mnt/safe||tells rkhunter which directories to look in to find the various commands it requires|
|–propupd||If you do a test and it discovers some programs have changed but you are sure that the changes occurred as the result of an upgrade you will want to upgrade those changes with rkhunter so that it does not continually report those as problems . Note that rkhunter will only be able to tell you that changes have occurred not why they have changed, that is your responsibility to find out.|
|–cronjob||In order to run rkhunter as a cron job, or without user input, you must make a few modifications. Other wise, during the course of its scan, it will stop several times and ask the user to press “Enter”.|
|–list rootkits||This command option will list some of the supported capabilities of the program, and then exit. If combined with the rootkits option then it will lists the rootkits that rkhunter will search for. If no specific option is given, then all the
lists are displayed.
|-l, –logfile [file]||By default rkhunter will write out a log file. The default location of the file is /var/log/rkhunter.log. However, this location can be
changed by using this option. If /dev/null is specified as the log file, then no log file will be written. If no specific file is given, then the default will be used. By default rkhunter will create a new log file each time it is run. Any previously existing logfile is moved out of the way, and has .old appended to it.
chkrootkit: a shell script that checks system binaries for rootkit modification.
|chkrootkit command swithes (run as root)
|chkrootkit don’t include man pages , so run rpm -ql | grep README$ , this will return the location of a well documented readme file (/usr/share/doc/chkrootkit-0.49/README) , on my CentOs 5 box. Use your favorite pager utility to read this file .|
|Set a cron job to run chkrootkit daily:
|chkrootkit||Perform a test run instantly|
|-p||To use binaries from external sources , if you suspect that your system is compromised# chkrootkit -p /cdrom/bin
It is possible to add more paths with a `:’
# chkrootkit -p /cdrom/bin:/floppy/mybin
|-r||Sometimes is a good idea to mount the disk from a compromised machine on a machine you trust. Just mount the disk and specify a new rootdir with the `-r’ option.|
|-h||Displays help screen with all options|
|-l||Show all available tests|
Further reading :
- WRITING A SIMPLE ROOTKIT FOR LINUX
- Understanding Rootkits
- Testing of anti-rootkit software for the detection and removal of rootkits III