How-to - Rootkit Scan (trojans etc)

#1 | Junior Guru Wannabe | Join Date: Jan 2004 | Location: Alberta, Canada | Posts: 76

How-to - Rootkit Scan (trojans etc)


What is a rootkit? The following link is a very good read to answer that question.

http://linux.oreillynet.com/pub/a/li...4/rootkit.html

In summary, a rootkit is a trojan installed on your Linux server after someone has broken into it. These files are used to cover the hacker's tracks, and to give the hacker tools to do more dirty work from your server.

Usage:

1. su - (change to root user)
2. mkdir /usr/local/chkrootkit
3. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
4. tar -xvzf chkrootkit.tar.gz
5. cd chkrootkit*
6. cp * /usr/local/chkrootkit
7. cd /usr/local/chkrootkit
8. make sense

Now scan your system:

1. cd /usr/local/chkrootkit
2. ./chkrootkit

chkrootkit may from time to time give false positives. If you ever get a positive or "infected hit", scan a second time. If you do get a positive hit, google the hit to research the issue and the steps to correct it.

Part 2 - automated chkrootkit, and emailed results.

I'm lazy, and like my server to do the work for me so I have it scan every day, and email me the results.

Usage:

1. vi /etc/cron.daily/chkrootkit
2. Add the following code.
Code:
#!/bin/bash
# cd must succeed before the scan runs; -q prints only the lines flagged as infected
(cd /usr/local/chkrootkit && ./chkrootkit -q 2>&1 | mail -s "Daily chkrootkit scan" you@yourdomain.com)
3. chmod 0755 /etc/cron.daily/chkrootkit


This will email you@yourdomain.com every morning with your chkrootkit results. The -q option will only show you exploits.

Removal:

If you don't like getting the emails or just want to remove this from your server:

1. rm /etc/cron.daily/chkrootkit
2. rm -rf /usr/local/chkrootkit

All files will now be deleted from your server.

Regards,

Ryan.


Last edited by anon-e-mouse; 01-27-2004 at 03:39 AM.


#2 | Web Hosting Master | Join Date: Jul 2002 | Location: Nashville, TN | Posts: 2,043
Nice how-to. The only thing I found that needs fixing is that you should cd into /usr/local/chkrootkit before running make sense.

#3 | Junior Guru Wannabe | Join Date: Jan 2004 | Location: Alberta, Canada | Posts: 76
Damn, can't edit line 7 either =)..

Is there a mod that could be so kind?

Ryan

#4 | Retired Moderator | Join Date: Jul 2001 | Location: Singapore | Posts: 1,790
Nice how-to.
You can consider making a symlink in /usr/local for chkrootkit instead of copying every file from chkrootkit-0.?? to /usr/local/chkrootkit. In future, if you are upgrading chkrootkit, you just need to point the symlink at the latest chkrootkit directory. For example:

1. Get chkrootkit tarball/source
Code:
wget -c ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz -P /root
2. Unpack the tarball to /usr/local
Code:
tar zxvf /root/chkrootkit.tar.gz -C /usr/local
3. make a symlink:
Code:
cd /usr/local
ln -s chkrootkit-?.?? chkrootkit
Replace ?.?? with the version directory you see, such as from ls /usr/local/chkrootkit*
Then continue as you were doing.

Suggestion: report it to CL and indicate what changes you would like to make.
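The symlink scheme described above, as an added example that is not the poster's code: a small sh script that finds the newest chkrootkit-X.YY directory under a prefix and repoints the chkrootkit symlink at it, refusing to overwrite a real directory such as the one left behind by the cp-based install in post #1. The prefix /usr/local, the directory naming pattern and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): keep /usr/local/chkrootkit as a symlink to
# the newest unpacked chkrootkit-X.YY directory, as suggested in post #4.
# Assumed: version directories are named chkrootkit-<major>.<minor> (how the
# tarball unpacks); the prefix and the function names are this example's own choices.

# Print the name of the newest chkrootkit-* directory under prefix $1 (empty if none).
# Versions are compared field by field as numbers, so 0.9 sorts before 0.43.
latest_chkrootkit_dir() {
    for d in "$1"/chkrootkit-*; do
        [ -d "$d" ] && printf '%s\n' "${d##*/}"
    done | sed 's/^chkrootkit-//' | sort -t . -k1,1n -k2,2n | tail -n 1 | sed 's/^/chkrootkit-/'
}

# Point $1/chkrootkit at the newest version directory. Returns 1 and changes nothing
# if no version directory exists, or if $1/chkrootkit is a real directory (for example
# one created by the cp-based install in post #1), which has to be moved aside by hand.
link_latest_chkrootkit() {
    prefix=$1
    latest=$(latest_chkrootkit_dir "$prefix")
    if [ -z "$latest" ]; then
        echo "no chkrootkit-* directory under $prefix" >&2
        return 1
    fi
    if [ -e "$prefix/chkrootkit" ] && [ ! -L "$prefix/chkrootkit" ]; then
        echo "$prefix/chkrootkit exists and is not a symlink; move it aside first" >&2
        return 1
    fi
    rm -f "$prefix/chkrootkit"            # rm on a symlink removes only the link itself
    ln -s "$latest" "$prefix/chkrootkit"  # relative target, so the prefix can be moved as a whole
    printf '%s -> %s\n' "$prefix/chkrootkit" "$latest"
}

# Unpack a downloaded tarball into the prefix (post #4, step 2) and relink.
# `make sense` still has to be run inside the new version directory afterwards.
install_chkrootkit_tarball() {
    tar xzf "$1" -C "$2" && link_latest_chkrootkit "$2"
}

# Usage: sh relink.sh link [/prefix]
#    or: sh relink.sh install /root/chkrootkit.tar.gz [/prefix]
case "${1:-}" in
    link)    link_latest_chkrootkit "${2:-/usr/local}" ;;
    install) install_chkrootkit_tarball "$2" "${3:-/usr/local}" ;;
esac
```

After unpacking a new tarball and running make sense in the new directory, `sh relink.sh link /usr/local` moves the link; the cron job keeps using /usr/local/chkrootkit without being edited, and the old version directory stays in place until you remove it.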

#5 | Web Hosting Master | Join Date: Oct 2000 | Location: Toronto | Posts: 1,103
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected


Last edited by choon; 02-09-2004 at 08:48 PM.
#6 | Retired Moderator | Join Date: Jul 2001 | Location: Singapore | Posts: 1,790

#7 | Web Hosting Master | Join Date: Oct 2000 | Location: Toronto | Posts: 1,103
Thanks!


Last edited by choon; 02-09-2004 at 08:49 PM.
#8 | Community Liaison | Join Date: Nov 2002 | Location: WebHostingTalk | Posts: 8,778
Good one... much thanks!!

#9 | Web Hosting Master | Join Date: Dec 2002 | Posts: 4,304
Quote:
Part 2 - automated chkrootkit, and emailed results.

I'm lazy, and like my server to do the work for me so I have it scan every day, and email me the results.

Usage:

1. vi /etc/cron.daily/chkrootkit
2. Add the following code.

Code:
#!/bin/bash
(cd /usr/local/chkrootkit; ./chkrootkit -q 2>&1 | mail -s "Daily chkrootkit scan" you@yourdomain.com)


3. chmod 0755 /etc/cron.daily/chkrootkit


This will email you@yourdomain.com every morning with your chkrootkit results. The -q option will only show you exploits.
For people like me who hate vi and prefer pico instead, I'd just like to add this. It's how I added chkrootkit on my boxes and had it automated.

As superuser (su -)

pico -w /etc/cron.daily/chkrootkit.sh

Then add the following code.

Code:
#!/bin/bash
# abort if the install directory is missing rather than scanning from the wrong place
cd /path/to/where/you/installed/chkrootkit-0.43/ || exit 1
./chkrootkit | mail -s "chkrootkit output from whatever_server" admin@domain.com
Then:

Ctrl+X to exit then type Y to save

chmod 755 /etc/cron.daily/chkrootkit.sh

That chmods the file so you have permission to run it.

Note in the above, it is chkrootkit 0.43... the current version as of this writing. If the versions change, simply change that. I added a couple of things based on something I read somewhere before (can't remember where, sorry) to add the "whatever_server" because if you have multiple servers, you of course want to know which server your output is coming from. So, change "whatever_server" to the name of your box. Change the admin email to your email address.

If you're upgrading from an older version, simply follow the how-to, rm -rf the old version and edit your chkrootkit.sh in cron.daily to email you the updates from the newer versions.



Last edited by choon; 02-09-2004 at 09:06 PM.
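Building on the cron jobs in post #1 and the per-server subject line in post #9, here is an added example (not code from either poster) of a cron.daily wrapper that also keeps a list of output lines you have already investigated and confirmed as false positives, so the daily mail only arrives when there is something new to look at, and that logs one line per run so a broken cron job can be told apart from a quiet one. The allowlist path /etc/chkrootkit.allow, the log path, the mail address and the function names are this example's assumptions; chkrootkit is assumed to be installed in /usr/local/chkrootkit as in post #1.

```shell
#!/bin/sh
# Daily chkrootkit wrapper: an added example, not code from the thread.
# Runs chkrootkit -q from a fixed install directory, drops lines already recorded
# as false positives, puts the hostname in the subject and only mails when
# something is left to report. Assumed (not from the thread): the allowlist path,
# the log path and the mail address; override them via the environment or edit here.

CHKROOTKIT_DIR="${CHKROOTKIT_DIR:-/usr/local/chkrootkit}"
ALLOWLIST="${ALLOWLIST:-/etc/chkrootkit.allow}"   # one exact chkrootkit output line per entry
LOGFILE="${LOGFILE:-/var/log/chkrootkit.log}"
MAILTO="${MAILTO:-you@yourdomain.com}"

# Read scan output on stdin; drop lines that exactly match an allowlist entry.
# A missing or empty allowlist means nothing is filtered.
filter_known_false_positives() {
    if [ -s "$ALLOWLIST" ]; then
        grep -v -x -F -f "$ALLOWLIST" || true   # grep exits 1 when every line was filtered out
    else
        cat
    fi
}

# Count the lines of "$1" that survive filtering (used for the log line and the subject).
count_findings() {
    printf '%s\n' "$1" | filter_known_false_positives | grep -c . || true
}

run_daily_scan() {
    host=$(hostname)
    if [ ! -x "$CHKROOTKIT_DIR/chkrootkit" ]; then
        # A missing scanner is itself worth a mail: a silent cron job looks just like a clean one.
        echo "chkrootkit not found or not executable in $CHKROOTKIT_DIR" \
            | mail -s "chkrootkit ERROR on $host" "$MAILTO"
        return 1
    fi
    raw=$(cd "$CHKROOTKIT_DIR" && ./chkrootkit -q 2>&1)
    findings=$(printf '%s\n' "$raw" | filter_known_false_positives)
    n=$(count_findings "$raw")
    printf '%s %s findings=%s\n' "$(date '+%Y-%m-%d %H:%M')" "$host" "$n" >> "$LOGFILE"
    if [ "$n" -gt 0 ]; then
        printf '%s\n' "$findings" | mail -s "chkrootkit: $n finding(s) on $host" "$MAILTO"
    fi
}

# The scan runs only when the file is installed under its cron name (/etc/cron.daily/chkrootkit);
# sourcing or running it under another name just defines the functions.
case "${0##*/}" in
    chkrootkit) run_daily_scan ;;
esac
```

Install it as /etc/cron.daily/chkrootkit with no extension: on Debian-based systems run-parts skips file names containing a dot, so a chkrootkit.sh placed there would never run. To record a confirmed false positive, append the exact chkrootkit output line to /etc/chkrootkit.allow; entries must match a whole line, so a broad pattern cannot hide the real hit post #1 warns about.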
#10 | Web Hosting Master | Join Date: Jun 2003 | Posts: 962
To make part 1 even more automatic, copy the following into a shell script, chmod it +x and run it as root.
It will do the same as part 1 above, but only copy the binary files to /usr/local/chkrootkit.

Code:
#!/bin/sh
set -e                      # stop at the first failing step instead of copying a half-built tree
work=$(mktemp -d)           # private scratch directory rather than a predictable /tmp/chkrootkit
cd "$work"
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar -xvzf chkrootkit.tar.gz
cd chkrootkit*
make sense
mkdir -p /usr/local/chkrootkit
# only the built binaries and the main script, not the sources
cp chklastlog chkwtmp ifpromisc chkproc chkdirs check_wtmpx strings-static chkrootkit /usr/local/chkrootkit
echo "Now you can delete $work"

#11 | Web Hosting Master | Join Date: Apr 2003 | Location: UK | Posts: 2,560
Just so people are aware, doing *just* this won't find 100% of trojans, just the more obvious ones.

Kernel trojans, memory trojans, bootsector trojans and process hijacking all exist, and you won't notice that things have changed with chkrootkit.

Running chkrootkit as part of a wider security policy is better than relying just on the program.

#12 | Web Hosting Guru | Join Date: Nov 2003 | Posts: 320
Would clamav also be able to detect the same trojans?

#13 | Web Hosting Master | Join Date: Apr 2003 | Location: UK | Posts: 2,560
clamav detects viruses, e.g. mydoom and the like.

#14 | Web Hosting Master | Join Date: Jun 2003 | Posts: 962
clamav detects (Windows) viruses, not Linux trojans/rootkits etc.

#15 | Web Hosting Guru | Join Date: Nov 2003 | Posts: 320
Okay, thanks.
