How-to - Rootkit Scan (trojans etc)
MjrGaelic 01-21-2004, 05:16 AM What is a rootkit? The following link is a very good read to answer that question.
http://linux.oreillynet.com/pub/a/linux/2001/12/14/rootkit.html
In summary, a rootkit is a trojan installed on your Linux server after someone has broken into it. These files are used to cover the hacker's tracks, and to give the hacker tools to do more dirty work from your server.
Usage:
1. su - (change to root user)
2. mkdir /usr/local/chkrootkit
3. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
4. tar -xvzf chkrootkit.tar.gz
5. cd chkrootkit*/
6. cp * /usr/local/chkrootkit
7. cd /usr/local/chkrootkit
8. make sense
Now scan your system:
1. cd /usr/local/chkrootkit
2. ./chkrootkit
chkrootkit may from time to time give false positives. If you ever get a positive or "infected hit", scan a second time. If you still get a positive hit, google the hit to research the issue and the steps to correct it.
Part 2 - automated chkrootkit, and emailed results.
I'm lazy, and like my server to do the work for me so I have it scan every day, and email me the results.
Usage:
1. vi /etc/cron.daily/chkrootkit
2. add the following code.
#!/bin/bash
(cd /usr/local/chkrootkit; ./chkrootkit -q 2>&1 | mail -s "Daily chkrootkit scan" you@yourdomain.com)
3. chmod 0755 /etc/cron.daily/chkrootkit
This will email you@yourdomain.com every morning with your chkrootkit results. The -q option will only show you exploits.
Removal:
If you don't like getting the emails or just want to remove this from your server:
1. rm /etc/cron.daily/chkrootkit
2. rm -rf /usr/local/chkrootkit
All files will now be deleted from your server.
Regards,
Ryan.
Esr Tek 01-21-2004, 10:50 AM Nice How-to. The only thing I found that needs fixing is that you should cd into /usr/local/chkrootkit before running make sense ;)
MjrGaelic 01-21-2004, 02:16 PM Damn, can't edit line 7 either =)..
Is there a mod that could be so kind?
Ryan
choon 01-21-2004, 09:20 PM Nice how to ;)
You can consider making a symlink in /usr/local for chkrootkit instead of copying every file from chkrootkit-0.?? to /usr/local/chkrootkit. In future, if you are upgrading chkrootkit, you just need to point the symlink at the latest chkrootkit version directory. For example:
1. Get chkrootkit tarball/source
wget -c ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz -P /root
2. Unpack the tarball to /usr/local
tar zxvf /root/chkrootkit.tar.gz -C /usr/local
3. make a symlink:
cd /usr/local
ln -s chkrootkit-?.?? chkrootkit
Replace ?.?? with the version directory you see, e.g. from ls /usr/local/chkrootkit*
Then continue as what you are doing ;)
Suggestion, report it to CL and indicate what changes you would like to make.
aingaran 01-21-2004, 09:47 PM ./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
choon 01-21-2004, 10:06 PM Read it at:
http://www.webhostingtalk.com/showthread.php?s=&threadid=224296
aingaran 01-22-2004, 03:08 PM Thanks!
sirius 01-25-2004, 03:30 PM Good one... much thanks!!
Coach 02-09-2004, 12:55 AM Part 2 - automated chkrootkit, and emailed results.
I'm lazy, and like my server to do the work for me so I have it scan every day, and email me the results.
Usage:
1. vi /etc/cron.daily/chkrootkit
2. add the following code.
#!/bin/bash
(cd /usr/local/chkrootkit; ./chkrootkit -q 2>&1 | mail -s "Daily chkrootkit scan" you@yourdomain.com)
3. chmod 0755 /etc/cron.daily/chkrootkit
This will email you@yourdomain.com every morning with your chkrootkit results. The -q option will only show you exploits.
For people like me who hate vi and prefer pico instead, I'd just like to add this. It's how I added chkrootkit on my boxes and had it automated.
As superuser (su -)
pico -w /etc/cron.daily/chkrootkit.sh
Then add the following code.
#!/bin/bash
cd /path/to/where/you/installed/chkrootkit-0.43/
./chkrootkit | mail -s "chkrootkit output from whatever_server" admin@domain.com
Then:
Ctrl+X to exit then type Y to save
chmod 755 /etc/cron.daily/chkrootkit.sh
That chmods the file so you have permission to run it.
Note that in the above it is chkrootkit 0.43, the current version as of this writing. If the version changes, simply change that. I added a couple of things based on something I read somewhere before (can't remember where, sorry), such as the "whatever_server" part, because if you have multiple servers you of course want to know which server your output is coming from. So, change "whatever_server" to the name of your box, and change the admin email to your email address.
If you're upgrading from an older version, simply follow the how-to, rm -rf the old version and edit your chkrootkit.sh in cron.daily to email you the updates from the newer versions.
To make part 1 even more automatic, copy the following into a shell script, chmod it +x and run it as root.
It will do the same as part 1 above, but only copies the compiled helper binaries and the chkrootkit script to /usr/local/chkrootkit.
#!/bin/sh
# Stop at the first failed step, so a failed download or build is never "installed".
set -e
mkdir -p /tmp/chkrootkit
cd /tmp/chkrootkit
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar -xvzf chkrootkit.tar.gz
# The trailing slash keeps the glob from also matching the tarball.
cd chkrootkit*/
make sense
mkdir -p /usr/local/chkrootkit
# chkrootkit looks for its helper binaries in its own directory, so copy them next to the script.
cp chklastlog chkwtmp ifpromisc chkproc chkdirs check_wtmpx strings-static chkrootkit /usr/local/chkrootkit
echo "Now you can delete /tmp/chkrootkit"
Slidey 02-11-2004, 09:04 AM Just so people are aware, doing *just* this won't find 100% of trojans, just the more obvious ones...
Kernel trojans, memory trojans, bootsector trojans and process hijacking all exist, and you won't notice that things have changed with chkrootkit...
Running chkrootkit as part of a wider security policy is better than relying just on the program.
damainman 02-11-2004, 02:11 PM Would clamav also be able to detect the same trojans?
Slidey 02-11-2004, 04:45 PM clamav detects viruses, e.g. mydoom and the like.
clamav detects (Windows) viruses, and not Linux trojans/rootkits etc.
damainman 02-11-2004, 09:40 PM okay thanks :)
Lem0nHead 04-16-2004, 10:25 PM I recommend that you check my thread here too:
http://www.webhostingtalk.com/showthread.php?s=&threadid=258941
Bizarre 05-17-2004, 05:38 PM Is this kinda output to my email good or...?
can't exec ./strings-static,
/var/www/mrtg/tcp.log
/usr/lib/php/.registry
INFECTED (PORTS: 465)
not tested: can't exec ./ifpromisc
not tested: can't exec ./chkwtmp
not tested: can't exec ./chklastlog
Thnx.
qubixx-be 05-18-2004, 04:00 AM I just installed chkrootkit, but when I do a scan, this line shows up between the other results that are looking good:
Checking `bindshell'... INFECTED (PORTS: 465)
Does anyone know what the problem is with this?
Bizarre 05-18-2004, 06:29 AM Originally posted by qubixx-be
I just installed chkrootkit, but when I do a scan, this line shows up between the other results that are looking good:
Does anyone know what the problem is with this?
If you're running cPanel (I think it's cPanel), then it's nothing to worry about and wrong, lol.
Who the heck can think about putting a chkrootkit process into cron???
The first thing an attacker with half a brain will do is look in root's crontab to see what's going on.
Who the heck writes a security document and calls a cracker or a script kiddie a hacker?
Originally posted by qubixx-be
I just installed chkrootkit, but when I do a scan, this line shows up between the other results that are looking good:
Does anyone know what the problem is with this?
This is exim on port 465. Use netstat -anp to see.
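As an added example (not a script from this thread), here is a cron wrapper that ties together Part 2 of the how-to and the port 465 discussion above: it runs chkrootkit -q, drops output lines you have already verified as benign (the bindshell hit on 465 when exim is listening there, and the /usr/lib/php/.registry path from the emailed results), and mails only when findings remain. The install path, recipient, allowlist entries and the sample chkrootkit output are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not the thread's own script): a cron wrapper for chkrootkit that
# drops findings you have verified as benign and mails only when something is left.
# Install path, recipient and allowlist entries are assumptions for this example.
CHKROOTKIT_DIR=/usr/local/chkrootkit
MAILTO=you@yourdomain.com

# Whole-line matches against `chkrootkit -q` output. Add a line only after you
# have confirmed it yourself (e.g. `netstat -anp` shows exim bound to port 465).
# Never allowlist "not tested: can't exec ..." lines: a helper binary is missing
# and that check did not run at all.
ALLOWLIST='INFECTED (PORTS: 465)
/usr/lib/php/.registry'

# Reads raw `chkrootkit -q` output on stdin and prints the lines not on the
# allowlist. Returns 0 when nothing remains, 1 when findings remain.
filter_findings() {
    allow=$(mktemp) || return 2
    # an empty pattern would match every line, so blank allowlist lines are dropped
    printf '%s\n' "$ALLOWLIST" | grep -v '^$' > "$allow" || :
    rest=$(grep -v -x -F -f "$allow" || :)
    rm -f "$allow"
    [ -n "$rest" ] || return 0
    printf '%s\n' "$rest"
    return 1
}

# Cron entry point (e.g. from /etc/cron.daily): scan, filter, mail only on findings.
run_daily() {
    findings=$(cd "$CHKROOTKIT_DIR" && ./chkrootkit -q 2>&1 | filter_findings || :)
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings" | mail -s "chkrootkit findings on $(hostname)" "$MAILTO"
}

# Constructed sample output in the shape the thread's emailed -q results show.
SAMPLE_BENIGN='INFECTED (PORTS: 465)
/usr/lib/php/.registry'
SAMPLE_ALERT="$SAMPLE_BENIGN
chkproc: Warning: Possible LKM Trojan installed"

# Only scan for real when invoked as: chkrootkit-daily.sh --run
if [ "${1:-}" = "--run" ]; then run_daily; fi
```

When you install it under /etc/cron.daily, call run_daily directly instead of the final guard, since run-parts passes no arguments.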