Download Chkrootkit |VERIFIED|


Roselee Pando

Jan 20, 2024, 5:21:47 AM1/20/24
to gorsbalusce


Chkrootkit (Check Rootkit) is a widely used Unix-based utility designed to help system administrators examine their systems for rootkits. It is a shell script that leverages common Unix/Linux tools such as the strings and grep commands. Its primary purpose is to scan core system programs for known signatures and to compare the data obtained by traversing /proc with the output of the ps (process status) command, looking for inconsistencies. It can be run from a rescue disc, often a live CD, and accepts an optional alternative directory from which to run the commands it uses. Both approaches let chkrootkit place more trust in the commands it depends on.[1]

It's crucial to recognize the inherent limitations of any program that strives to detect compromises, including rootkits and malware. Modern rootkits might deliberately attempt to identify and target copies of the chkrootkit program, or adopt other strategies to elude detection by it.




I remember hearing about chkrootkit many years ago and thinking "huh, cool" but never saw it used anywhere in my career. It's super simple to run, but isn't it predictable? Couldn't rootkit authors just circumvent all the checks since they're all open source?

Tried to do the right thing and ran chkrootkit, as advised on the internet. It seems to have found something out of the ordinary, but I don't know what any of this means. How do I interpret this output? Should I panic?

So write a little script that runs chkrootkit and redirects the output to a temp file, parse the temp file for the string "INFECTED" and, if found, send an email with the relevant info to identify the host, add that temp file as an attachment, then delete the temp file.

Please note that an automated tool like chkrootkit can never guarantee a system is uncompromised. Nor does every report always signify a genuine problem: human judgement and further investigation will always be needed to assure the security of your system.

One program in chkrootkit is ifpromisc. On Arch it is /opt/chkrootkit/ifpromisc. It is a stand-alone program; just run it to find out more. (chkrootkit is just a shell script which calls this among other things.)

You have installed chkrootkit and it's now running with daily cron, but unless you are logging in daily to check the logs, you won't know of any potential problems. Here's a simple way to have the daily report emailed to you with only postfix installed, using the sendmail command.

The search service can find a package by either name (apache), provides (webserver), absolute file names (/usr/bin/apache), binaries (gprof) or shared libraries (libXm.so.2) in the standard path. It does not support multiple arguments yet... The System and Arch are optional added filters; for example System could be "redhat", "redhat-7.2", "mandrake" or "gnome", Arch could be "i386" or "src", etc. depending on your system.

chkrootkit is a tool to locally check for signs of a rootkit. It contains:

* chkrootkit: shell script that checks system binaries for rootkit modification.
* ifpromisc: checks if the network interface is in promiscuous mode.
* chklastlog: checks for lastlog deletions.
* chkwtmp: checks for wtmp deletions.
* chkproc: checks for signs of LKM trojans.
* chkdirs: checks for signs of LKM trojans.
* strings: quick and dirty strings replacement.
* chkutmp: checks for utmp deletions.

The common denominator here is the lkm check; the number of hidden processes may change. The lkm test compares what proc says with what ps says. Some processes are short-lived and may die before the comparisons complete, making this test prone to false positives. If you receive a warning like this, double-check it by running just the relevant tests again (as root, chkrootkit ps lkm). If the second test is negative, you can consider the first report a false positive.

Start by moving the Chkrootkit directory to /usr/local/share. First, ensure that you are in the parent directory of the Chkrootkit directory (one level above chkrootkit-your-version-number). Then, execute the following command:

So I downloaded a fresh copy, installed it as a temporary VM, did the basic setup, and then installed chkrootkit with apt install, and ran it. It found the following (only including the stuff that is important):

TBH, I'm not particularly familiar with chkrootkit nor exactly how it works. Unfortunately, I couldn't find any clear documentation on how it determines whether a "bindshell" exists or not (although keep reading below for my interpretation of the source code). AFAIK a "bindshell" is an open shell which is awaiting connection from a remote host (i.e. an attacker) so is essentially a "trojan" of some sort.

Having a closer look at the source code of chkrootkit (see the grep command output below), it appears that it simply checks for services listening on a predefined range of ports (i.e. the list of ports separated with '' in the PORT variable within the 'bindshell' function):

After doing a bit of googling, it seems that port 12321 is a port commonly used by a number of trojans and only one (very old) legitimate application (not considering TurnKey's default use of this port). So it appears that all chkrootkit is doing is checking to see if a list of commonly abused ports are in use. In the case of TurnKey, port 12321 is in use, thus the false positive...

Chkrootkit is a popular security scanner that helps administrators look for signs that a system is infected with rootkits. You can use chkrootkit to find files and rules associated with rootkits, but you cannot be 100% sure that all rootkits will be found and removed.

You can add a cron entry to run chkrootkit automatically and send scan reports to your mail address. Create and add the following to /etc/cron.daily/chkrootkit-scan.sh.
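The daily wrapper described in the replies above (run chkrootkit into a temp file, grep it for findings, mail the host's report, clean up), combined with the advice to re-run only the lkm test when it is the sole thing that fired. This is an added example, not code from the original post or from the chkrootkit project; it assumes chkrootkit in PATH, root privileges, and a local MTA providing /usr/sbin/sendmail. The sample report is constructed.

```shell
# Added example, not code from the original post: the daily wrapper the
# thread describes (cron -> temp file -> grep for findings -> mail -> delete),
# with a re-run of the racy lkm test before anyone is alerted.
# Assumed: chkrootkit in PATH, run as root, a local MTA providing sendmail.

# Constructed sample in chkrootkit's output format, so the parsing can be
# exercised offline where the tool is not installed.
make_sample_report() {
    cat > "$1" <<'EOF'
Checking `ls'... not infected
Checking `bindshell'... INFECTED (PORTS:  12321)
Checking `lkm'... You have     2 process hidden for readdir command
You have     2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
EOF
}

# Lines an admin should see: INFECTED verdicts and the lkm test's warnings.
find_hits() {
    grep -E 'INFECTED|process hidden|Possible LKM Trojan' "$1" || true
}

# True when every finding comes from the lkm test alone, which races against
# short-lived processes and is the usual source of false positives.
lkm_only() {
    hits=$(find_hits "$1")
    [ -n "$hits" ] && ! printf '%s\n' "$hits" | grep -qvE 'process hidden|Possible LKM Trojan'
}

# Mail the findings, host name in the subject, full report appended.
mail_report() {   # $1 = report file, $2 = recipient
    { printf 'To: %s\nSubject: chkrootkit findings on %s\n\n' "$2" "$(hostname)"
      find_hits "$1"; printf '\n--- full report ---\n'; cat "$1"
    } | /usr/sbin/sendmail -t
}

# Daily entry point, e.g. called from /etc/cron.daily/chkrootkit-scan.sh.
run_daily() {   # $1 = recipient
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    chkrootkit > "$tmp" 2>&1
    [ -n "$(find_hits "$tmp")" ] || return 0
    if lkm_only "$tmp"; then          # only lkm fired: re-run just that test
        chkrootkit ps lkm > "$tmp" 2>&1
        [ -n "$(find_hits "$tmp")" ] || return 0
    fi
    mail_report "$tmp" "$1"
}
case "${1:-}" in --run) run_daily "${2:-root}" ;; esac
```

Install it as /etc/cron.daily/chkrootkit-scan.sh with `--run root` (or an address of your choice) and nothing is mailed on a clean run; a report consisting only of lkm warnings is re-checked once before it reaches anyone.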

Chkrootkit is a tool to perform rootkit checks. Most importantly, it contains a shell script called chkrootkit which scans all system binaries for rootkit modifications. Additionally, it contains several C programs which perform various security checks, as below:

In FAQ number 8 at the chkrootkit official website it is stated that they cannot whitelist false positives because an attacker might use this, since he knows that chkrootkit will ignore certain files and dirs.
