How to scan your Linux-Distro for Root Kits

Submitted by kanenas.net on Wed, 2006-05-10 17:59. :: Security
Do you suspect that you have a compromised system?
Check now for root kits that the intruder may have installed!!!

So... What in the hell is a root kit???
A root kit is a collection of programs that intruders often install after they have compromised the root account of a system.
These programs will help the intruders clean up their tracks, as well as provide access back into the system.
Root kits will sometimes leave processes running so that the intruder can come back easily and without the system administrator's knowledge!

Solution....
Scripts like chkrootkit will do the job for you automatically.

chkrootkit V. 0.46a

Nelson Murilo [nelson@pangeia.com.br] (main author)
Klaus Steding-Jessen [jessen@cert.br] (co-author)

This program locally checks for signs of a rootkit.
chkrootkit is available at: http://www.chkrootkit.org/

No illegal activities are encouraged! I'm not responsible for anything you may do with it.

This tool includes software developed by the DFN-CERT, Univ. of Hamburg (chklastlog and chkwtmp), and small portions of ifconfig developed by Fred N. van Kempen, [waltje@uwalt.nl.mugnet.org].


What's chkrootkit?
chkrootkit is a tool to locally check for signs of a rootkit. It contains:

* chkrootkit: a shell script that checks system binaries for rootkit modification.

* ifpromisc.c: checks if the network interface is in promiscuous mode.

* chklastlog.c: checks for lastlog deletions.

* chkwtmp.c: checks for wtmp deletions.

* check_wtmpx.c: checks for wtmpx deletions. (Solaris only)

* chkproc.c: checks for signs of LKM trojans.

* chkdirs.c: checks for signs of LKM trojans.

* strings.c: quick and dirty strings replacement.

* chkutmp.c: checks for utmp deletions.

chkwtmp and chklastlog *try* to check for deleted entries in the wtmp
and lastlog files, but it is *not* guaranteed that any modification
will be detected.

Aliens tries to find sniffer logs and rootkit config files. It looks
for some default file locations -- so it is also not guaranteed it
will succeed in all cases.

chkproc checks if /proc entries are hidden from ps and the readdir
system call. This could be the indication of a LKM trojan. You can
also run this command with the -v option (verbose).


OK! Enough with the theory... Let's do some dirty work now!

ATTENTION!!! DO NOT install chkrootkit on your system and simply run it periodically.
An attacker may simply find the installation and change it so that it doesn't detect his presence.
Compile it and put it on removable or read-only media.


STEP 1
Download the Latest Source tarball (37140 bytes).
From shell run...

# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz



STEP 2
Then verify the tarball's MD5 checksum. md5sum has no "verify" argument: it prints the digest of the file, and you compare that digest with the value published on the chkrootkit site.
From shell run...

# md5sum chkrootkit.tar.gz



STEP 3
Use tar to... unzip the source code.
From shell run...

# tar -xzf chkrootkit.tar.gz



STEP 4
Compile chkrootkit. Go into the directory that it created and type from shell...

# make sense



STEP 5
Run chkrootkit from the directory it was built in. From shell...

# ./chkrootkit



It will print each test that it performs and the result of the test:

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
.
.
.
chkutmp: nothing deleted


Not very interesting???
Thank God I am not infected!!!

chkrootkit can also be run on disks mounted in another machine; just specify the mount point for the partition with the -r option:

# ./chkrootkit -r /mnt/hda2_image
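Pulling steps 2 to 5 and the -r option together, here is an added example (my script, not the article's or the chkrootkit project's code) meant to live on the read-only media the article recommends: it checks the tarball against the published MD5, builds, scans a suspect root assumed to be mounted read-only at /mnt/suspect, and reduces chkrootkit's output to a verdict. EXPECTED_MD5 is a placeholder, and the sample output used to exercise the triage is constructed, not a real scan.

```shell
#!/bin/sh
# Added example, not from the article or the chkrootkit project. Placeholders:
# EXPECTED_MD5 is the digest published on the chkrootkit site, /mnt/suspect is
# where the suspect filesystem is mounted read-only.
EXPECTED_MD5=${EXPECTED_MD5:-PASTE_PUBLISHED_MD5_HERE}

# Read chkrootkit output on stdin. Echo the lines that matter, then a one-line
# summary; return 1 if any test was flagged INFECTED or raised a Warning.
triage_chkrootkit() {
    infected=0 warnings=0 clean=0
    while IFS= read -r line; do
        case $line in
            *INFECTED*) infected=$((infected + 1)); echo "ALERT: $line" ;;
            *Warning*)  warnings=$((warnings + 1)); echo "WARN:  $line" ;;
            *"not infected"*|*"nothing deleted"*|*"nothing found"*)
                        clean=$((clean + 1)) ;;
        esac
    done
    echo "summary: infected=$infected warnings=$warnings clean=$clean"
    [ "$infected" -eq 0 ] && [ "$warnings" -eq 0 ]
}

# Constructed sample of chkrootkit output for exercising the triage offline;
# the INFECTED and Warning lines are invented for the demonstration.
sample_output() {
    cat <<'EOF'
ROOTDIR is `/mnt/suspect'
Checking `basename'... not infected
Checking `ls'... INFECTED
Checking `netstat'... not infected
Checking `lkm'... Warning: Possible LKM Trojan installed
chkutmp: nothing deleted
EOF
}

# Steps 2 to 5 of the article run from the trusted media, then the -r scan.
# The build finishes before the scan pipeline starts, so a failed build
# cannot masquerade as a clean scan.
scan_mounted_root() {
    actual=$(md5sum chkrootkit.tar.gz | awk '{ print $1 }')
    [ "$actual" = "$EXPECTED_MD5" ] || { echo "tarball checksum mismatch"; return 1; }
    tar -xzf chkrootkit.tar.gz || return 1
    cd chkrootkit-* || return 1
    make sense || return 1
    ./chkrootkit -r "$1" | triage_chkrootkit
}
# Invoked only when a mount point is given, e.g.: sh scan.sh /mnt/suspect
if [ -n "${1:-}" ]; then
    scan_mounted_root "$1"
fi
```

The script's exit status is the verdict, so a cron job on the trusted machine can page on non-zero instead of someone reading every "not infected" line.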



That's all...
I hope you are not infected too!!!

P.S.
If you are not infected, I think it is a good time to make a copy of your disks...
Generate a checksum for the partition you wish to image; from shell, run

# md5sum /dev/hdc2 > /tmp/hdc2.md5



To make the copy of the disk(s), we'll use the dd command. From shell...

# dd if=/dev/hdc of=/tmp/hdc.img



You will need enough space in /tmp to hold a copy of the entire /dev/hdc drive.
This means that /tmp shouldn't be a RAM disk and should not be stored on /dev/hdc.
Write it to another hard disk!
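As an added example (not part of the article), the dd copy above is only useful as evidence if the image can be shown to match the checksum taken first. md5sum -c cannot make that comparison, because the .md5 file records the device path and -c would re-read the device rather than the image, so the digests are compared directly; the device and image paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the article: copy a device with dd and prove the
# image matches the checksum taken beforehand. Device and image paths are
# placeholders; the image must sit on a different disk than the source.

# Print only the MD5 digest of a file or block device.
digest_of() {
    md5sum "$1" | awk '{ print $1 }'
}

# Checksum SRC, copy it to DST, then compare DST against the recorded digest.
# Returns 0 if the image verifies, 1 otherwise. The digest is kept in DST.md5
# for later re-checks; compare against it with digest_of rather than md5sum -c,
# because -c would re-read the path recorded in the file (the device), not the image.
image_and_verify() {
    src=$1 dst=$2
    before=$(digest_of "$src")
    echo "$before  $src" > "$dst.md5"
    dd if="$src" of="$dst" bs=65536 2>/dev/null || return 1
    after=$(digest_of "$dst")
    if [ "$before" = "$after" ]; then
        echo "OK: $dst is a faithful copy of $src ($after)"
    else
        # Also triggers if the source changed while being read, which is why
        # only unmounted, read-only or offline partitions should be imaged.
        echo "MISMATCH: $src=$before $dst=$after"
        return 1
    fi
}

# Usage on the trusted machine, e.g. for the article's partition:
#   image_and_verify /dev/hdc2 /mnt/backup/hdc2.img
```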
Submitted by Anonymous (not registered) on Sat, 2006-05-20 07:11.
Mandriva users will need to do:

urpmi glibc-static

To get the above instructions working.
Submitted by Anonymous (not registered) on Thu, 2009-10-29 13:03.

Thanks for the code.

Norton
Submitted by Anonymous (not registered) on Mon, 2006-05-15 14:42.

Another great tool for hacked boxes is rkhunter which is available here:

http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz

Submitted by Anonymous (not registered) on Mon, 2006-05-15 13:35.

The cool thing about Debian (or Ubuntu) is that you can replace the above steps 1 to 4 by a simple "apt-get install chkrootkit". I also found the package rkhunter (which seems to do more), and might as well try both.

So a complete set of instructions would be:

apt-get install chkrootkit rkhunter
chkrootkit
rkhunter
That's all! (Oh, and rkhunter seems to be much more thorough than chkrootkit.)

Submitted by Anonymous (not registered) on Fri, 2006-05-12 02:17.

I don't think chkrootkit detects kernel-level rootkits. The only one I saw doing it is the

rootcheck (www.ossec.net/rootcheck/)...

Submitted by Anonymous (not registered) on Tue, 2006-05-16 11:43.
You might also want to checkout Rootkit Hunter - rkhunter (http://www.rootkit.nl/projects/rootkit_hunter.html). The Debian package comes with scripts to automatically run it as a daily cron job and to get updates on a weekly basis.
Submitted by Anonymous (not registered) on Mon, 2006-05-15 17:27.
Don't forget RKHunter... http://www.rootkit.nl/
Submitted by Anonymous (not registered) on Tue, 2006-05-30 10:05.
A Debian package is nice and well, but as the original article says: You shouldn't run a rootkit checker from the system you're trying to check. It may be compromised. Run it from a Knoppix live-cd or, if you don't want to reboot, your own read-only usb-stick or cd.
Submitted by Anonymous (not registered) on Sun, 2006-06-11 20:33.
Changing the directory's permission should do.
Submitted by greggster (registered user) on Tue, 2007-12-04 22:39.

No - changing the permissions will not do - not secure or reliable at all. The point of rootkits is hiding, so running from the same server is not reliable.

Until I get a read-only USB stick set up, the script lives on an NFS mounted directory - closer, but not quite as good as a read-only USB stick/CDROM.

Perhaps for now you could do a nightly download, compile and run.