Comments on How to scan your Linux-Distro for Root Kits

How to scan your Linux-Distro for Root Kits. Do you suspect that you have a compromised system? Check now for root kits that an intruder may have installed! So... what in the hell is a root kit? A root kit is a collection of programs that intruders often install after they have compromised the root account of a system. These programs help the intruders clean up their tracks and provide a way back into the system. Root kits will sometimes leave processes running so that the intruder can come back easily, without the system administrator's knowledge.

Comments

By: Anonymous

I don't think chkrootkit detects kernel-level rootkits. The only one I saw doing it is rootcheck (www.ossec.net/rootcheck/).

By: Anonymous

You might also want to check out Rootkit Hunter - rkhunter (http://www.rootkit.nl/projects/rootkit_hunter.html). The Debian package comes with scripts to automatically run it as a daily cron job and to get updates on a weekly basis.

By: Anonymous

A Debian package is nice and well, but as the original article says: you shouldn't run a rootkit checker from the system you're trying to check. It may be compromised. Run it from a Knoppix live CD or, if you don't want to reboot, your own read-only USB stick or CD.

By: Anonymous

Don't forget RKHunter... http://www.rootkit.nl/

By: Anonymous

Mandriva users will need to run:

urpmi glibc-static

to get the above instructions working.

By: Anonymous

Thanks for the code.

Norton

By: Anonymous

The cool thing about Debian (or Ubuntu) is that you can replace the above steps 1 to 4 with a simple "apt-get install chkrootkit". I also found the package rkhunter (which seems to do more), and might as well try both.

So a complete set of instructions would be:

apt-get install chkrootkit rkhunter
chkrootkit
rkhunter --check

That's all! (Oh, and rkhunter seems to be much more thorough than chkrootkit.)

By: Anonymous

Another great tool for hacked boxes is rkhunter which is available here:

http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz

By: Anonymous

Changing the directory's permissions should do.

By:

No - changing the permissions will not do - not secure or reliable at all. The point of rootkits is hiding, so running from the same server is not reliable.

Until I get a read-only USB stick set up, the script lives on an NFS-mounted directory - closer, but not quite as good as a read-only USB stick/CD-ROM.

Perhaps for now you could do a nightly download, compile and run.

By: Elmar Stellnberger

If you are using Debian or a Debian-based distribution like Ubuntu, then debcheckroot may be the tool you are looking for: https://www.elstel.org/debcheckroot/ It has received good reviews on the debian-security mailing list and has a unique mode of operation: instead of comparing against the signatures of a set of known rootkits, it spots file alterations (directly or via sha256sums) by comparison with the packages of your install media / online repo.
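The manifest-comparison idea from the comment above, as an added example that is neither debcheckroot's code nor part of the original tutorial: a small POSIX shell function that checks files on disk against a dpkg-style .md5sums manifest (one "<md5>  <relative path>" line per file) and flags anything modified or missing. The sample "package" and manifest are constructed inline; in real use the manifest, the md5sum binary and the script itself must come from trusted read-only media, for the reason the earlier comments give.

```shell
#!/bin/sh
# Added example (not debcheckroot's or the tutorial's code): compare files on
# disk against a dpkg-style .md5sums manifest ("<md5>  <relative path>" per
# line) and flag anything altered or missing. The manifest, md5sum and this
# script must come from trusted read-only media, as the comments above stress.

# verify_manifest MANIFEST ROOT
# Prints "MODIFIED <path>" or "MISSING  <path>" for each discrepancy.
# Returns 0 when every listed file matches, 1 otherwise.
verify_manifest() {
    manifest=$1
    root=$2
    problems=0
    while read -r expected relpath; do
        [ -n "$relpath" ] || continue          # skip blank lines
        file="$root/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath"
            problems=$((problems + 1))
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $relpath"
            problems=$((problems + 1))
        fi
    done < "$manifest"
    [ "$problems" -eq 0 ]
}

# make_sample: build a constructed mini "package" (two files) under a temp
# directory and record their hashes the way a package manifest would.
# Prints the temp directory path.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/root/bin" "$dir/root/etc"
    printf 'echo original ls\n' > "$dir/root/bin/ls"
    printf 'PATH=/bin\n' > "$dir/root/etc/profile"
    ( cd "$dir/root" && md5sum bin/ls etc/profile ) > "$dir/sample.md5sums"
    echo "$dir"
}

# Usage against a real system (paths are placeholders):
#   verify_manifest /media/trusted/coreutils.md5sums /
```

Any MODIFIED or MISSING line is only a lead: a package upgrade also changes hashes, so compare against manifests that match the installed package versions.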