  1. #1

    How-to - Rootkit Scan (trojans etc)

    What is a rootkit? The following link is a very good read to answer that question.

    http://linux.oreillynet.com/pub/a/li...4/rootkit.html

    In summary, a rootkit is a trojan installed on your Linux server after someone has broken into it. These files are used to cover the hacker's tracks, and to give the hacker tools to do more dirty work from your server.

    Usage:

    1. su - (change to root user)
    2. mkdir /usr/local/chkrootkit
    3. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
    4. tar -xvzf chkrootkit.tar.gz
    5. cd chkrootkit*
    6. cp * /usr/local/chkrootkit
    7. cd /usr/local/chkrootkit
    8. make sense

    Now scan your system:

    1. cd /usr/local/chkrootkit
    2. ./chkrootkit

    chkrootkit may from time to time give false positives. If you ever get a positive or "infected hit", scan a second time. If you still get a positive hit, google the hit to research the issue and the steps to correct it.

    Part 2 - automated chkrootkit, and emailed results.

    I'm lazy, and like my server to do the work for me so I have it scan every day, and email me the results.

    Usage:

    1. vi /etc/cron.daily/chkrootkit
    2. add the following code.
    Code:
    #!/bin/bash
    # run the quiet scan from its install directory and mail the output (stderr included)
    (cd /usr/local/chkrootkit; ./chkrootkit -q 2>&1 | mail -s "Daily chkrootkit scan" you@yourdomain.com)
    3. chmod 0755 /etc/cron.daily/chkrootkit


    This will email you@yourdomain.com every morning with your chkrootkit results. The -q option will only show you exploits.

    Removal:

    If you don't like getting the emails or just want to remove this from your server:

    1. rm /etc/cron.daily/chkrootkit
    2. rm -rf /usr/local/chkrootkit

    All files will now be deleted from your server.

    Regards,

    Ryan.
    Last edited by anon-e-mouse; 01-27-2004 at 03:39 AM.

  2. #2
    Nice how-to. The only thing I found that needs fixing is that you should cd into /usr/local/chkrootkit before running make sense.

  3. #3
    Damn, can't edit line 7 either =)..

    Is there a mod that could be so kind?

    Ryan

  4. #4
    Nice how-to.
    You could consider making a symlink in /usr/local for chkrootkit instead of copying every file from chkrootkit-0.?? to /usr/local/chkrootkit. In future, if you upgrade chkrootkit, you just need to point the symlink at the latest chkrootkit directory. For example:

    1. Get chkrootkit tarball/source
    Code:
    wget -c ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz -P /root
    2. Unpack the tarball to /usr/local
    Code:
    tar zxvf /root/chkrootkit.tar.gz -C /usr/local
    3. make a symlink:
    Code:
    cd /usr/local
    ln -s chkrootkit-?.?? chkrootkit
    Replace ?.?? with the version directory you see, e.g. from ls /usr/local/chkrootkit*
    Then continue as you were doing.

    Suggestion: report it to CL and indicate what changes you would like to make.

  5. #5
    ./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
    ./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
    ./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
    ./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
    ./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
    ./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
    ./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
    ./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
    ./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
    ./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
    ./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
    ./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
    ./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
    ./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
    ./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
    ./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
    ./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
    ./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
    ./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
    Last edited by choon; 02-09-2004 at 08:48 PM.

  6. #6

  7. #7
    Thanks!
    Last edited by choon; 02-09-2004 at 08:49 PM.

  8. #8
    Good one... much thanks!!

  9. #9
    Part 2 - automated chkrootkit, and emailed results.

    I'm lazy, and like my server to do the work for me so I have it scan every day, and email me the results.

    Usage:

    1. vi /etc/cron.daily/chkrootkit
    2. add the following code.


    Code:
    #!/bin/bash
    (cd /usr/local/chkrootkit; ./chkrootkit -q 2>&1 | mail -s "Daily chkrootkit scan" you@yourdomain.com)


    3. chmod 0755 /etc/cron.daily/chkrootkit


    This will email you@yourdomain.com every morning with your chkrootkit results. The -q option will only show you exploits.
    For people like me who hate vi and prefer pico instead, I'd just like to add this. It's how I added chkrootkit on my boxes and had it automated.

    As superuser (su -)

    pico -w /etc/cron.daily/chkrootkit.sh

    Then add the following code.

    Code:
    #!/bin/bash
    # stop here if the install directory is missing, instead of scanning the wrong directory
    cd /path/to/where/you/installed/chkrootkit-0.43/ || exit 1
    ./chkrootkit | mail -s "chkrootkit output from whatever_server" admin@domain.com
    Then:

    Ctrl+X to exit then type Y to save

    chmod 755 /etc/cron.daily/chkrootkit.sh

    That chmod's the file to let you have the permissions to run the file.

    Note in the above, it is chkrootkit 0.43... the current version as of this writing. If the versions change, simply change that. I added a couple of things based on something I read somewhere before (can't remember where, sorry) to add the "whatever_server" because if you have multiple servers, you of course want to know which server your output is coming from. So, change "whatever_server" to the name of your box. Change the admin email to your email address.

    If you're upgrading from an older version, simply follow the how-to, rm -rf the old version and edit your chkrootkit.sh in cron.daily to email you the updates from the newer versions.

    Last edited by choon; 02-09-2004 at 09:06 PM.
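Both cron scripts in this thread (Part 2 and the pico version above) mail the raw output every day, so a recurring harmless hit gets mailed every morning and a real change is easy to miss. The wrapper below is an added example, not code from the thread: it tags the subject with the hostname, drops lines you have already investigated (one regex per line in an allowlist), and only sends mail when the remaining report differs from the previous run. It assumes chkrootkit lives in /usr/local/chkrootkit; /var/lib/chkrootkit and /etc/chkrootkit.allow are hypothetical paths you can change at the top.

```shell
#!/bin/sh
# Added example: daily chkrootkit wrapper for /etc/cron.daily that mails only
# when the filtered report changes. All paths below are assumptions.

CHKROOTKIT_DIR="${CHKROOTKIT_DIR:-/usr/local/chkrootkit}"   # assumed install dir
STATE_DIR="${STATE_DIR:-/var/lib/chkrootkit}"               # assumed: keeps the last report
ALLOWLIST="${ALLOWLIST:-/etc/chkrootkit.allow}"             # assumed: one regex per line
MAILTO="${MAILTO:-you@yourdomain.com}"

# run_scan REPORT: run the quiet scan, capturing stderr too so "can't exec"
# errors from missing helper binaries are not silently lost.
run_scan() {
    ( cd "$CHKROOTKIT_DIR" && ./chkrootkit -q ) > "$1" 2>&1
}

# filter_known REPORT ALLOWLIST: print REPORT minus lines matching any pattern
# in ALLOWLIST. An empty or missing allowlist passes everything through.
filter_known() {
    if [ -s "$2" ]; then
        grep -E -v -f "$2" "$1" || true   # grep exits 1 when nothing is left
    else
        cat "$1"
    fi
}

# report_changed NEW OLD: succeed (0) when NEW differs from OLD or OLD is missing.
report_changed() {
    [ -f "$2" ] || return 0
    ! cmp -s "$1" "$2"
}

daily_scan() {
    host=$(hostname)
    mkdir -p "$STATE_DIR"
    raw="$STATE_DIR/raw.txt"; cur="$STATE_DIR/current.txt"; prev="$STATE_DIR/previous.txt"
    run_scan "$raw" || true              # chkrootkit may exit non-zero; still report
    filter_known "$raw" "$ALLOWLIST" > "$cur"
    if [ -s "$cur" ] && report_changed "$cur" "$prev"; then
        mail -s "chkrootkit on $host: report changed" "$MAILTO" < "$cur"
    fi
    mv -f "$cur" "$prev"
}

# Only scan when invoked as "chkrootkit-daily.sh run", so the functions can
# also be sourced and exercised on their own.
if [ "${1:-}" = "run" ]; then
    daily_scan
fi
```

Add a pattern to the allowlist only after you have confirmed the hit is benign (netstat -anp for a port hit); keep the raw report around, since it still contains what was filtered.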

  10. #10
    To make part 1 even more automatic, copy the following into a shell script, chmod it +x and run it as root.
    It will do the same as part 1 above, but only copy the binary files to /usr/local/chkrootkit.

    Code:
    #!/bin/sh
    # stop at the first error so a failed download or build does not leave a half-installed copy
    set -e
    mkdir -p /tmp/chkrootkit
    cd /tmp/chkrootkit
    wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
    tar -xvzf chkrootkit.tar.gz
    cd chkrootkit*
    make sense
    mkdir -p /usr/local/chkrootkit
    # copy only the built helpers and the main script, not the sources
    cp chklastlog /usr/local/chkrootkit
    cp chkwtmp /usr/local/chkrootkit
    cp ifpromisc /usr/local/chkrootkit
    cp chkproc /usr/local/chkrootkit
    cp chkdirs /usr/local/chkrootkit
    cp check_wtmpx /usr/local/chkrootkit
    cp strings-static /usr/local/chkrootkit
    cp chkrootkit /usr/local/chkrootkit
    echo "Now you can delete /tmp/chkrootkit"

  11. #11
    Just so people are aware, doing *just* this won't find 100% of trojans, just the more obvious ones..

    Kernel trojans, memory trojans, bootsector trojans and process hijacking all exist, and you won't notice that things have changed with chkrootkit...

    Running chkrootkit as part of a wider security policy is better than relying just on the program.

  12. #12
    Would clamav also be able to detect the same trojans?

  13. #13
    clamav detects virii, eg mydoom and the like

  14. #14
    clamav detects (windows) virii, and not linux trojans/rootkits etc

  15. #15
    okay thanks

  16. #16
    I recommend that you check my thread here too:
    http://www.webhostingtalk.com/showth...hreadid=258941

  17. #17
    Is this kinda output to my email good or...?

    can't exec ./strings-static,
    /var/www/mrtg/tcp.log

    /usr/lib/php/.registry
    INFECTED (PORTS: 465)
    not tested: can't exec ./ifpromisc
    not tested: can't exec ./chkwtmp
    not tested: can't exec ./chklastlog
    Thnx.

    Last edited by choon; 05-17-2004 at 06:22 PM.

  18. #18
    I just installed chkrootkit, but when I do a scan, this line shows up between the other results that are looking good:
    Checking `bindshell'... INFECTED (PORTS: 465)
    Does anyone know what the problem is with this?

  19. #19
    Originally posted by qubixx-be
    I just installed chkrootkit, but when I do a scan, this line shows up between the other results that are looking good:

    Does anyone know what the problem is with this?
    If you're running cPanel (I think it's cPanel), then it's nothing to worry about and wrong, lol.

    Last edited by choon; 05-18-2004 at 06:47 AM.

  20. #20
    Who the heck can think about putting a chkrootkit process into cron???
    First thing that an attacker with half a brain will do is look into root's crontab to see what's going on.
    Who the heck writes a security document and calls a cracker or a script kiddie - a hacker?
    Uadm.com - Unix Administration, Security and Support.
    http://www.uadm.com
    "Unix is user friendly; it's just picky about who its friends are."

  21. #21
    Originally posted by qubixx-be
    I just installed chkrootkit, but when I do a scan, this line shows up between the other results that are looking good:

    Does anyone know what the problem is with this?
    This is exim on port 465. Use netstat -anp to see.
