  1. #1
    Join Date
    Jan 2004
    Location
    Alberta, Canada
    Posts
    76

    How-to - Rootkit Scan (trojans etc)

    What is a rootkit? The following link is a very good read to answer that question.

    http://linux.oreillynet.com/pub/a/li...4/rootkit.html

    In summary, a rootkit is a trojan installed on your Linux server after someone has broken into it. These files are used to cover the hacker's tracks, and to give the hacker tools to do more dirty work from your server.

    Usage:

    1. su - (change to root user)
    2. mkdir /usr/local/chkrootkit
    3. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
    4. tar -xvzf chkrootkit.tar.gz
    5. cd chkrootkit*
    6. cp * /usr/local/chkrootkit
    7. cd /usr/local/chkrootkit
    8. make sense

    Now scan your system:

    1. cd /usr/local/chkrootkit
    2. ./chkrootkit

    chkrootkit may from time to time give false positives. If you ever get a positive or "infected hit" scan a second time. If you do get a positive hit, google the hit to research the issue and steps to correct.

    Part 2 - automated chkrootkit, and emailed results.

    I'm lazy, and like my server to do the work for me so I have it scan every day, and email me the results.

    Usage:

    1. vi /etc/cron.daily/chkrootkit
    2. add the following code.
    Code:
    #!/bin/bash
    # Run the quiet scan from its install directory and mail the output; "&&" stops a stray ./chkrootkit from running if the cd fails.
    (cd /usr/local/chkrootkit && ./chkrootkit -q 2>&1 | mail -s "Daily chkrootkit scan" you@yourdomain.com)
    3. chmod 0755 /etc/cron.daily/chkrootkit


    This will email you@yourdomain.com every morning with your chkrootkit results. The -q option will only show you exploits.

    Removal:

    If you don't like getting the emails or just want to remove this from your server:

    1. rm /etc/cron.daily/chkrootkit
    2. rm -rf /usr/local/chkrootkit

    All files will now be deleted from your server.

    Regards,

    Ryan.
    Last edited by anon-e-mouse; 01-27-2004 at 03:39 AM.

  2. #2
    Join Date
    Jul 2002
    Location
    Nashville, TN
    Posts
    2,043
    Nice how-to. The only thing I found that needs fixing is that you should cd into /usr/local/chkrootkit before running make sense.

  3. #3
    Join Date
    Jan 2004
    Location
    Alberta, Canada
    Posts
    76
    Damn, can't edit line 7 either =)..

    Is there a mod that could be so kind?

    Ryan

  4. #4
    Join Date
    Jul 2001
    Location
    Singapore
    Posts
    1,790
    Nice how to
    You can consider making a symlink in /usr/local for chkrootkit instead of copying every file from chkrootkit-0.?? to /usr/local/chkrootkit. In future, if you are upgrading chkrootkit, you just need to point the symlink at the latest chkrootkit version directory. For example:

    1. Get chkrootkit tarball/source
    Code:
    wget -c ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz -P /root
    2. Unpack the tarball to /usr/local
    Code:
    tar zxvf /root/chkrootkit.tar.gz -C /usr/local
    3. make a symlink:
    Code:
    cd /usr/local
    ln -s chkrootkit-?.?? chkrootkit
    Replace ?.?? with the version directory you see with ls /usr/local/chkrootkit*
    Then continue as you were doing.

    Suggestion, report it to CL and indicate what changes you would like to make.

  5. #5
    Join Date
    Oct 2000
    Location
    Toronto
    Posts
    1,103
    ./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
    (the same line is repeated 19 times)
    Last edited by choon; 02-09-2004 at 08:48 PM.

  6. #6
    Join Date
    Jul 2001
    Location
    Singapore
    Posts
    1,790

  7. #7
    Join Date
    Oct 2000
    Location
    Toronto
    Posts
    1,103
    Thanks!
    Last edited by choon; 02-09-2004 at 08:49 PM.

  8. #8
    Join Date
    Nov 2002
    Location
    WebHostingTalk
    Posts
    8,812
    Good one... much thanks!!

  9. #9
    Part 2 - automated chkrootkit, and emailed results.

    I'm lazy, and like my server to do the work for me so I have it scan every day, and email me the results.

    Usage:

    1. vi /etc/cron.daily/chkrootkit
    2. add the following code.
    Code:
    #!/bin/bash
    # Run the quiet scan from its install directory and mail the output; "&&" stops a stray ./chkrootkit from running if the cd fails.
    (cd /usr/local/chkrootkit && ./chkrootkit -q 2>&1 | mail -s "Daily chkrootkit scan" you@yourdomain.com)
    3. chmod 0755 /etc/cron.daily/chkrootkit

    This will email you@yourdomain.com every morning with your chkrootkit results. The -q option will only show you exploits.
    For people like me who hate vi and prefer pico instead, I'd just like to add this. It's how I added chkrootkit on my boxes and had it automated.

    As superuser (su -)

    pico -w /etc/cron.daily/chkrootkit.sh

    Then add the following code.

    Code:
    #!/bin/bash
    # Abort if the install directory is missing instead of running whatever ./chkrootkit is in the current directory.
    cd /path/to/where/you/installed/chkrootkit-0.43/ || exit 1
    ./chkrootkit | mail -s "chkrootkit output from whatever_server" admin@domain.com
    Then:

    Ctrl+X to exit then type Y to save

    chmod 755 /etc/cron.daily/chkrootkit.sh

    That chmods the file to give you the permissions to run it.

    Note in the above, it is chkrootkit 0.43... the current version as of this writing. If the versions change, simply change that. I added a couple of things based on something I read somewhere before (can't remember where, sorry) to add the "whatever_server" because if you have multiple servers, you of course want to know which server your output is coming from. So, change "whatever_server" to the name of your box. Change the admin email to your email address.

    If you're upgrading from an older version, simply follow the how-to, rm -rf the old version and edit your chkrootkit.sh in cron.daily to email you the updates from the newer versions.

    Last edited by choon; 02-09-2004 at 09:06 PM.
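    A fuller version of the daily job from posts #1 and #9, added here as an example and not code from the thread: it keeps a dated copy of each quiet-mode report, puts the host name in the subject as post #9 suggests, and only sends mail when the report actually contains a finding. The directories and the address are assumptions (override them via the environment); mail -s and hostname are assumed to be available as in the thread.

```shell
#!/bin/sh
# Added example (not code from the thread): a cron.daily wrapper for the setup
# in posts #1 and #9. It runs chkrootkit in quiet mode, keeps a dated copy of
# every report, puts the host name in the subject, and mails only when the
# report contains a finding. Paths and the address are assumptions; override
# them through the environment.
CHKROOTKIT_DIR="${CHKROOTKIT_DIR:-/usr/local/chkrootkit}"
REPORT_DIR="${REPORT_DIR:-/var/log/chkrootkit}"
MAILTO="${MAILTO:-you@yourdomain.com}"

# Count the lines in a report that chkrootkit itself flags. The match is
# case-sensitive on purpose: a finding prints "INFECTED" or "Warning:", while
# a clean check prints "not infected", and shell noise such as the
# "binary operator expected" lines in post #5 matches neither. Always prints
# a number (grep -c exits 1 when the count is zero).
count_findings() {
    grep -Ec 'INFECTED|Warning:' "$1" || true
}

# Subject line carrying the host name, so that reports from several servers
# can be told apart in the inbox (the point made in post #9).
mail_subject() {
    if [ "$2" -gt 0 ]; then
        printf 'chkrootkit on %s: %s finding(s)\n' "$1" "$2"
    else
        printf 'chkrootkit on %s: clean\n' "$1"
    fi
}

# Run the scan, save the report, and mail it only when something was flagged.
run_daily_scan() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/$(date +%Y-%m-%d).log"
    # "cd && ..." aborts if the install directory is missing instead of running
    # whatever ./chkrootkit happens to be in the current directory; 2>&1 keeps
    # stderr in the saved report.
    (cd "$CHKROOTKIT_DIR" && ./chkrootkit -q) >"$report" 2>&1
    n=$(count_findings "$report")
    if [ "$n" -gt 0 ]; then
        mail -s "$(mail_subject "$(hostname)" "$n")" "$MAILTO" <"$report"
    fi
}

# Only start the scan when run from /etc/cron.daily (run-parts passes the
# full path as $0); sourcing or testing the file leaves it idle.
case "$0" in
    */cron.daily/*) run_daily_scan ;;
esac
```

    Install it as /etc/cron.daily/chkrootkit with mode 0755 as in post #1; the saved reports under /var/log/chkrootkit let you compare a suspicious day against earlier clean ones before acting on a possible false positive.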

  10. #10
    Join Date
    Jun 2003
    Posts
    961
    To make part 1 even more automatic, copy the following into a shell script, chmod it +x and run it as root.
    It will do the same as part 1 above, but only copy the binary files to /usr/local/chkrootkit.

    Code:
    #!/bin/sh
    # Stop at the first failed step so a bad download or build is never copied into place.
    set -e
    mkdir -p /tmp/chkrootkit
    cd /tmp/chkrootkit
    wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
    tar -xvzf chkrootkit.tar.gz
    cd chkrootkit*
    # Build the helper binaries (chklastlog, chkproc, ...) that the chkrootkit script runs.
    make sense
    mkdir -p /usr/local/chkrootkit
    # Copy only the built binaries and the main script, not the sources.
    cp chklastlog /usr/local/chkrootkit
    cp chkwtmp /usr/local/chkrootkit
    cp ifpromisc /usr/local/chkrootkit
    cp chkproc /usr/local/chkrootkit
    cp chkdirs /usr/local/chkrootkit
    cp check_wtmpx /usr/local/chkrootkit
    cp strings-static /usr/local/chkrootkit
    cp chkrootkit /usr/local/chkrootkit
    echo Now you can delete /tmp/chkrootkit

  11. #11
    Join Date
    Apr 2003
    Location
    UK
    Posts
    2,560
    Just so people are aware, doing *just* this won't find 100% of trojans, just the more obvious ones..

    Kernel trojans, memory trojans, bootsector trojans, process hijacking all exist, and you won't notice that things have changed with chkrootkit...

    running chkrootkit as part of a wider security policy is better than relying just on the program

  12. #12
    Join Date
    Nov 2003
    Posts
    320
    Would clamav also be able to detect the same trojans?

  13. #13
    Join Date
    Apr 2003
    Location
    UK
    Posts
    2,560
    clamav detects virii, eg mydoom and the like

  14. #14
    Join Date
    Jun 2003
    Posts
    961
    clamav detects (windows) virii, and not linux trojans/rootkits etc

  15. #15
    Join Date
    Nov 2003
    Posts
    320
    okay thanks
