How to scan your Linux-Distro for Root Kits
Check now for root kits that the intruder may have installed !!!
So... What in the hell is a root kit ???
A root kit is a collection of programs that intruders often install after they have compromised the root account of a system.
These programs will help the intruders clean up their tracks, as well as provide access back into the system.
Root kits will sometimes leave processes running so that the intruder can come back easily and without the system administrator's knowledge !
Scripts like chkrootkit will do the job for you automatically.
chkrootkit V. 0.46a
Nelson Murilo [[email protected]] (main author)
Klaus Steding-Jessen [[email protected]] (co-author)
This program locally checks for signs of a rootkit.
chkrootkit is available at: http://www.chkrootkit.org/
No illegal activities are encouraged! I'm not responsible for anything you may do with it.
This tool includes software developed by the DFN-CERT, Univ. of Hamburg (chklastlog and chkwtmp), and small portions of ifconfig developed by Fred N. van Kempen, [[email protected]].
chkrootkit is a tool to locally check for signs of a rootkit. It contains:
* chkrootkit: a shell script that checks system binaries for rootkit modification.
* ifpromisc.c: checks if the network interface is in promiscuous mode.
* chklastlog.c: checks for lastlog deletions.
* chkwtmp.c: checks for wtmp deletions.
* check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
* chkproc.c: checks for signs of LKM trojans.
* chkdirs.c: checks for signs of LKM trojans.
* strings.c: quick and dirty strings replacement.
* chkutmp.c: checks for utmp deletions.
chkwtmp and chklastlog *try* to check for deleted entries in the wtmp and lastlog files, but it is *not* guaranteed that any modification will be detected.

Aliens tries to find sniffer logs and rootkit config files. It looks for some default file locations -- so it is also not guaranteed it will succeed in all cases.

chkproc checks if /proc entries are hidden from ps and the readdir system call. This could be the indication of a LKM trojan. You can also run this command with the -v option (verbose).
OK ! Enough with the theory... Let's do some dirty work now !
ATTENTION !!! DO NOT install chkrootkit on your system and simply run it periodically.
An attacker may simply find the installation and change it so that it doesn't detect his presence.
Compile it and put it on removable or read-only media.
Download the Latest Source tarball (37140 bytes).
From shell run...
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
Then verify the tarball's MD5 checksum against the one published on the chkrootkit site (md5sum has no "verify" argument; it prints the checksum and you compare it yourself).
From shell run...
# md5sum chkrootkit.tar.gz
Then untar and unzip the source code.
From shell run...
# tar -xzf chkrootkit.tar.gz
Compile chkrootkit. Go into the directory that it created and type from shell...
# make sense
Run chkrootkit from the directory it was built in. From shell...
# ./chkrootkit
It will print each test that it performs and the result of the test:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
. . .
chkutmp: nothing deleted
Not very interesting ???
Thank God I am not infected !!!
chkrootkit can also be run on disks mounted in another machine; just specify the mount point of the partition with the -r option:
# ./chkrootkit -r /mnt/hda2_image
I hope you are not infected too !!!
If you are not infected I think it is a good time to make a copy of your disks...
Generate a checksum for the partition you wish to image, run from shell
# md5sum /dev/hdc2 > /tmp/hdc2.md5
To make the copy of the disk(s), we'll use the dd command. From shell...
# dd if=/dev/hdc of=/tmp/hdc.img
You will need enough space in /tmp to hold a copy of the entire disk. This means that /tmp shouldn't be a RAM disk and should not be stored on the disk you are copying. Write it to another hard disk !