Chkrootkit-Portsentry-Howto

Submitted by falko (Contact Author) (Forums) on Mon, 2004-03-15 17:26. :: Security

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 03/15/2004

This document describes how to install chkrootkit, portsentry and logcheck. It should work (maybe with slight changes concerning paths etc.) on all *nix operating systems.

Chkrootkit "is a tool to locally check for signs of a rootkit" (from http://www.chkrootkit.org).

"The Sentry tools provide host-level security services for the Unix platform. PortSentry, Logcheck/LogSentry, and HostSentry protect against portscans, automate log file auditing, and detect suspicious login activity on a continuous basis" (from http://sourceforge.net/projects/sentrytools/).

This howto is meant as a practical guide; it does not cover the theoretical background, which is treated in many other documents on the web.

This document comes without warranty of any kind!

1 Get the Sources

We need the following software: chkrootkit, portsentry and logcheck. We will install the software from the /tmp directory.

cd /tmp
wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
wget http://heanet.dl.sourceforge.net/sourceforge/sentrytools/portsentry-1.2.tar.gz
wget http://heanet.dl.sourceforge.net/sourceforge/sentrytools/logcheck-1.1.1.tar.gz

2 Install Chkrootkit

mv chkrootkit.tar.gz /usr/local/
cd /usr/local/
tar xvfz chkrootkit.tar.gz
ln -s chkrootkit-0.43/ chkrootkit
(replace 0.43 with the right version number)
cd chkrootkit/
make sense

You will now find the chkrootkit program under /usr/local/chkrootkit. Run it by typing

cd /usr/local/chkrootkit/ && ./chkrootkit

Your output will look something like this:

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl/5.6.1/auto/Test/Harness/.packlist /usr/lib/perl/5.6.1/auto/DB_File/.packlist

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for Suckit rootkit ... nothing found
Searching for Volc rootkit ... nothing found
Searching for Gold2 rootkit ... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
eth0:0: not promisc and no PF_PACKET sockets
eth0:1: not promisc and no PF_PACKET sockets
eth0:2: not promisc and no PF_PACKET sockets
eth0:3: not promisc and no PF_PACKET sockets
eth0:4: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted

If a worm, rootkit, etc. is found this is indicated by the string INFECTED (in capital letters).

If you want to get the output of chkrootkit by email once a day at 3 am, put the following line in root's cron file (the location depends on your distribution; under Debian it is /var/spool/cron/crontabs/root; you might also find it under /var/spool/cron/tabs/root or something similar):

0 3 * * * (cd /usr/local/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output" me@myself.tld)

Then run

chmod 600 /var/spool/cron/crontabs/root
/etc/init.d/cron restart

3 Install Portsentry

cd /tmp
tar xvfz portsentry-1.2.tar.gz
cd portsentry_beta/
make linux
make install

Portsentry will be installed to /usr/local/psionic/portsentry/.

Edit /usr/local/psionic/portsentry/portsentry.conf and specify the ports you want portsentry to protect:

# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,[...]"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,[...]"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,[...]"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,[...]"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,[...]"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"

These should be ports that are not in use on the system. E.g., if you run IMAP (port 143 TCP) on the server, remove 143 from the list above. The rest of portsentry.conf is well commented, and normally the default values work.
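The rule "only ports that are not in use" is easy to get wrong by hand, because the list is long and the host's services change over time. The following script is an added example, not part of the howto or of the portsentry package: it reads the active TCP_PORTS or UDP_PORTS line from a portsentry.conf and compares it with saved netstat -ln output, printing every configured port that a service is already listening on. File names and the sample conf and netstat lines inside the script are constructed for the demonstration. (In the advanced stealth mode that the init script further down uses, portsentry works from the ADVANCED_PORTS_TCP/ADVANCED_EXCLUDE_TCP settings and skips ports that are already bound at start-up; the check here is for the classic TCP_PORTS/UDP_PORTS lists shown above.)

```shell
#!/bin/sh
# Added example (not part of the howto): find ports listed in portsentry.conf
# that a real service on this host is already listening on.  The file names
# and the sample conf / netstat lines further down are constructed.

# portsentry_conflicts CONF NETSTAT_FILE tcp|udp
#   CONF          portsentry.conf
#   NETSTAT_FILE  saved output of "netstat -lnt" (tcp) or "netstat -lnu" (udp)
# Prints each configured port that is already listening, one per line,
# and exits 1 if there was at least one such port.
portsentry_conflicts() {
    conf=$1; netfile=$2; proto=$3
    var=$(printf '%s' "$proto" | tr 'a-z' 'A-Z')_PORTS      # TCP_PORTS / UDP_PORTS
    # Only the active assignment is read; the commented-out alternative
    # lists ("really anal", "bare-bones") are ignored.
    list=$(sed -n "s/^$var=\"\([0-9,]*\)\".*/\1/p" "$conf" | tr '\n' ',')
    awk -v proto="$proto" -v list="$list" '
        BEGIN {
            n = split(list, a, ",")
            for (i = 1; i <= n; i++) if (a[i] != "") want[a[i]] = 1
        }
        # netstat: protocol in column 1 (tcp, tcp6, udp, ...), addr:port in column 4
        $1 == proto || $1 == (proto "6") {
            n = split($4, f, ":"); p = f[n]
            if ((p in want) && !(p in seen)) { seen[p] = 1; print p; found = 1 }
        }
        END { exit found ? 1 : 0 }' "$netfile"
}

# --- constructed sample data ---------------------------------------------
WORK=$(mktemp -d)
SAMPLE_CONF=$WORK/portsentry.conf
SAMPLE_NETSTAT=$WORK/netstat.txt

# Excerpt in the layout of the shipped portsentry.conf (the "aware" lists active)
cat > "$SAMPLE_CONF" <<'EOF'
# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335"
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774"
EOF

# "netstat -lnt" plus "netstat -lnu" output of a host running sshd, an IMAP
# server, a local MTA and an SNMP agent
cat > "$SAMPLE_NETSTAT" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
EOF

# Demonstration: IMAP (143/tcp) and SNMP (161/udp) collide with the lists
for proto in tcp udp; do
    portsentry_conflicts "$SAMPLE_CONF" "$SAMPLE_NETSTAT" "$proto" |
        sed "s/^/$proto port already in use, remove it from the list: /"
done
```

On a live host, save the listening sockets first (netstat -lnt > /tmp/listen-tcp.txt) and call portsentry_conflicts /usr/local/psionic/portsentry/portsentry.conf /tmp/listen-tcp.txt tcp; a non-zero exit status makes the check usable from a deployment script.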

Now we need to create an init script for portsentry (/etc/init.d/portsentry). We will run portsentry in advanced stealth mode, as it is the most powerful way to detect portscans:

#!/bin/bash
# /etc/init.d/portsentry - start and stop portsentry in advanced stealth mode.
# The TCP (-atcp) and UDP (-audp) monitors are separate processes, so both
# are started and both are stopped.

case "$1" in
    start)
        echo "Starting Portsentry..."
        # start the TCP monitor only if it is not already running
        ps ax | grep -iw '/usr/local/psionic/portsentry/portsentry -atcp' | grep -iv 'grep' > /dev/null
        if [ $? != 0 ]; then
          /usr/local/psionic/portsentry/portsentry -atcp
        fi

        # same for the UDP monitor
        ps ax | grep -iw '/usr/local/psionic/portsentry/portsentry -audp' | grep -iv 'grep' > /dev/null
        if [ $? != 0 ]; then
          /usr/local/psionic/portsentry/portsentry -audp
        fi
        echo "Portsentry is now up and running!"
    ;;
    stop)
        echo "Shutting down Portsentry..."
        # collect the PIDs of all running portsentry processes ...
        array=(`ps ax | grep -iw '/usr/local/psionic/portsentry/portsentry' | grep -iv 'grep' \
                       | awk '{print $1}' | cut -f1 -d/ | tr '\n' ' '`)
        element_count=${#array[@]}
        index=0
        # ... and kill them one by one
        while [ "$index" -lt "$element_count" ]
        do
          kill -9 ${array[$index]}
          let "index = $index + 1"
        done
        echo "Portsentry stopped!"
    ;;
    restart)
        $0 stop  && sleep 3
        $0 start
    ;;
    *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
exit 0

chmod 755 /etc/init.d/portsentry

In order to start portsentry at boot time do the following:

ln -s /etc/init.d/portsentry /etc/rc2.d/S20portsentry
ln -s /etc/init.d/portsentry /etc/rc3.d/S20portsentry
ln -s /etc/init.d/portsentry /etc/rc4.d/S20portsentry
ln -s /etc/init.d/portsentry /etc/rc5.d/S20portsentry
ln -s /etc/init.d/portsentry /etc/rc0.d/K20portsentry
ln -s /etc/init.d/portsentry /etc/rc1.d/K20portsentry
ln -s /etc/init.d/portsentry /etc/rc6.d/K20portsentry

Now we start portsentry:

/etc/init.d/portsentry start

Please note: if you run portsentry, chkrootkit might complain about an infected bindshell:

Checking `bindshell'... INFECTED (PORTS: 31337)

This is normal and nothing to worry about.
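The cron job from section 2 mails the complete chkrootkit output every night, and once portsentry runs, every one of those mails contains the bindshell line above, which trains the reader to ignore the word INFECTED. The following script is an added example, not part of the howto, of chkrootkit or of portsentry: it runs chkrootkit from cron, keeps only lines marked INFECTED, and for the bindshell check removes the ports that portsentry itself is configured to bind (read from TCP_PORTS in portsentry.conf), so that a mail is sent only when something else is reported. The paths follow sections 2 and 3; the mail address, the sample portsentry.conf line and the sample chkrootkit output lines inside the script are constructed, and the script assumes that chkrootkit lists several bindshell ports separated by spaces inside the parentheses.

```shell
#!/bin/sh
# Added example (not part of the howto): a cron wrapper around chkrootkit
# that mails only when something is marked INFECTED, and that recognises the
# false positive described in section 3 (portsentry bound to a port such as
# 31337 is reported as an INFECTED bindshell) by checking the reported ports
# against TCP_PORTS in portsentry.conf.  The paths follow sections 2 and 3;
# the mail address and the sample data below are constructed.

CHKROOTKIT=/usr/local/chkrootkit/chkrootkit
PORTSENTRY_CONF=/usr/local/psionic/portsentry/portsentry.conf
MAILTO=me@myself.tld

# chkrootkit_findings PORTSENTRY_CONF    (chkrootkit output on stdin)
# Prints the INFECTED findings that still need a human after portsentry's
# own ports have been removed from the bindshell check.  If the conf file
# is not readable nothing is filtered.  Assumption: chkrootkit prints several
# bindshell ports space-separated inside "(PORTS: ...)".
chkrootkit_findings() {
    ps_ports=
    if [ -r "$1" ]; then
        ps_ports=$(sed -n 's/^TCP_PORTS="\([0-9,]*\)".*/\1/p' "$1" | tr '\n' ',')
    fi
    awk -v psports="$ps_ports" '
        BEGIN {
            n = split(psports, a, ",")
            for (i = 1; i <= n; i++) if (a[i] != "") sentry[a[i]] = 1
        }
        !/INFECTED/ { next }            # "not infected", "nothing found", ...
        /bindshell/ {
            sub(/.*PORTS: */, ""); sub(/\).*/, "")     # keeps e.g. "31337 4444"
            n = split($0, p, " "); keep = ""
            for (i = 1; i <= n; i++) if (!(p[i] in sentry)) keep = keep " " p[i]
            if (keep != "")
                print "bindshell INFECTED on port(s) not assigned to portsentry:" keep
            next
        }
        { print }'
}

# Cron entry point: run chkrootkit and mail only the real findings.
report_rootkit_check() {
    findings=$("$CHKROOTKIT" 2>&1 | chkrootkit_findings "$PORTSENTRY_CONF")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" |
            mail -s "chkrootkit: INFECTED on $(hostname)" "$MAILTO"
    fi
}

# --- constructed sample data ---------------------------------------------
WORK=$(mktemp -d)
SAMPLE_CONF=$WORK/portsentry.conf
printf 'TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337"\n' > "$SAMPLE_CONF"

# Output of a clean host running portsentry: only the expected false positive
sample_clean() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `basename'... not infected
Checking `bindshell'... INFECTED (PORTS: 31337)
Checking `lkm'... nothing detected
EOF
}

# Output with a modified binary and a bindshell on a port portsentry does not own
sample_infected() {
    cat <<'EOF'
Checking `ls'... INFECTED
Checking `bindshell'... INFECTED (PORTS: 31337 4444)
Checking `lkm'... nothing detected
EOF
}

sample_infected | chkrootkit_findings "$SAMPLE_CONF"    # prints the two real findings

if [ "${1:-}" = run ]; then report_rootkit_check; fi   # from cron: /path/to/script run
```

Used from cron instead of the plain command in section 2 (0 3 * * * /usr/local/sbin/chkrootkit-report run, path assumed), the mailbox stays quiet until chkrootkit reports something that portsentry does not explain; the complete output is still available by running chkrootkit by hand.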


4 Install Logcheck

cd /tmp
tar xvfz logcheck-1.1.1.tar.gz
cd logcheck-1.1.1/systems/<your system type, e.g. linux>

Now change the variable SYSADMIN in logcheck.sh. SYSADMIN is the person who will receive logcheck's output by email (this can be an email address or a user on the system where you install logcheck):

[...]
# CONFIGURATION SECTION

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin

# Logcheck is pre-configured to work on most BSD like systems, however it
# is a rather dumb program and may need some help to work on other
# systems. Please check the following command paths to ensure they are
# correct.

# Person to send log activity to.
SYSADMIN=me@myself.tld

# Full path to logtail program.
# This program is required to run this script and comes with the package.

LOGTAIL=/usr/local/bin/logtail
[...]


cd ../../
mkdir -p /usr/local/etc/tmp
make <your system type, e.g. linux>

This will install logcheck under /usr/local/etc.

Now we have to create a cron job in order to run logcheck periodically. Edit root's cron file (e.g. /var/spool/cron/crontabs/root, see section 2 "Install Chkrootkit") and enter the following line:

0 3 * * * /usr/local/etc/logcheck.sh

Then run

chmod 600 /var/spool/cron/crontabs/root
/etc/init.d/cron restart

This will invoke logcheck once a day at 3 am. It will inform you about unusual system events, security violations, system attacks, etc. If your system is exposed directly to the internet you will notice that there is a lot of malicious activity on the internet, and you will get a feeling for why security is so important.

Links

Chkrootkit: http://www.chkrootkit.org/

Portsentry: http://sourceforge.net/projects/sentrytools/


Submitted by Anonymous (not registered) on Wed, 2006-05-17 17:14.

I have written a better cron script, so thought would share it:

#!/bin/bash
SYSADMIN=youraddress@isp.com
TMPDIR=/tmp
HOSTNAME=`hostname`
DATE=`date "+%d/%m/%Y %H:%M"`
CHKROOTKIT=/usr/local/chkrootkit/chkrootkit
MAIL=mail

#
# Clean up before its runs
rm -f $TMPDIR/chkrootkit.$$
if [ -f $TMPDIR/chkrootkit.$$ ]; then
echo "Checkroot kit temp files exist in $TMPDIR directory that cannot be removed. This
may be an attempt to spoof the checker." \
| $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
exit 1
fi

#
# Check for root kits
$CHKROOTKIT |grep INFECTED > $TMPDIR/chkrootkit.$$
if [ -s $TMPDIR/chkrootkit.$$ ]; then
cat $TMPDIR/chkrootkit.$$ | $MAIL -s "$DATE - ROOTKIT DETECTED ON $HOSTNAME!" $SYSADMIN
fi

# Clean Up
rm -f $TMPDIR/chkrootkit.$$

Cheers,
Max
www.intellectit.com.au