#1 | 01-21-2004, 05:16 AM | Junior Guru Wannabe | Alberta, Canada
How-to - Rootkit Scan (trojans etc)
What is a rootkit? The following link is a very good read to answer that question.
http://linux.oreillynet.com/pub/a/li...4/rootkit.html
In summary, a rootkit is a trojan installed on your Linux server after someone has broken into it. These files are used to cover the hacker's tracks, and to give the hacker tools to do more dirty work from your server.
Usage:
1. su - (change to root user)
2. mkdir /usr/local/chkrootkit
3. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
4. tar -xvzf chkrootkit.tar.gz
5. cd chkrootkit*
6. cp * /usr/local/chkrootkit
7. cd /usr/local/chkrootkit
8. make sense
Now scan your system:
1. cd /usr/local/chkrootkit
2. ./chkrootkit
chkrootkit may from time to time give false positives. If you ever get a positive or "infected" hit, scan a second time. If you still get a positive hit, google the hit to research the issue and the steps to correct it.
Part 2 - automated chkrootkit, and emailed results.
I'm lazy, and like my server to do the work for me so I have it scan every day, and email me the results.
Usage:
1. vi /etc/cron.daily/chkrootkit
2. add the following code.
Code:
#!/bin/bash
# run a quiet scan and mail whatever it prints (stderr included)
# the file must be executable for cron to run it: chmod 0755 /etc/cron.daily/chkrootkit
(cd /usr/local/chkrootkit; ./chkrootkit -q 2>&1 | mail -s "Daily chkrootkit scan" you@yourdomain.com)
This will email you@yourdomain.com every morning with your chkrootkit results. The -q option will only show you exploits.
Removal:
If you don't like getting the emails or just want to remove this from your server:
1. rm /etc/cron.daily/chkrootkit
2. rm -rf /usr/local/chkrootkit
All files will now be deleted from your server.
Regards,
Ryan.
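A fuller cron wrapper, added here as an example and not the original poster's script: it runs the same quiet scan, but tags the report with the hostname, mails only when chkrootkit actually printed something, and separates real INFECTED hits from checks that could not run (the "can't exec" / "not tested" lines that appear further down this thread), which otherwise look like noise but mean the scan did not cover that check. The install path, the mail(1) command and the "scan" argument used to start a real run are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's own script): cron wrapper around chkrootkit -q.
# Assumes chkrootkit is installed under /usr/local/chkrootkit, as in post #1,
# and that mail(1) is available. Both are assumptions.

CHKROOTKIT_DIR="${CHKROOTKIT_DIR:-/usr/local/chkrootkit}"
REPORT_TO="${REPORT_TO:-you@yourdomain.com}"

# classify_line LINE -> prints one of: infected, incomplete, review
#   infected   : chkrootkit reported INFECTED
#   incomplete : a check could not run ("not tested", "can't exec"), so that
#                part of the scan is missing, not clean
#   review     : anything else quiet mode printed (file lists, warnings)
classify_line() {
    case "$1" in
        *INFECTED*)                     echo infected ;;
        *"not tested"*|*"can't exec"*)  echo incomplete ;;
        *)                              echo review ;;
    esac
}

# summarize_report: reads chkrootkit -q output on stdin, prints each line with a
# tag plus a one-line summary, and returns 2 if anything was INFECTED, 1 if any
# check was skipped, 0 if there were only lines to review (or nothing at all).
summarize_report() {
    infected=0; incomplete=0; review=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$(classify_line "$line")" in
            infected)   infected=$((infected + 1));     echo "[INFECTED] $line" ;;
            incomplete) incomplete=$((incomplete + 1)); echo "[SKIPPED]  $line" ;;
            review)     review=$((review + 1));         echo "[REVIEW]   $line" ;;
        esac
    done
    echo "summary: infected=$infected skipped=$incomplete review=$review"
    if [ "$infected" -gt 0 ]; then return 2; fi
    if [ "$incomplete" -gt 0 ]; then return 1; fi
    return 0
}

# run_scan: the cron entry point. Runs chkrootkit quietly, summarizes, and
# mails only when there is something to report. Nothing printed means no mail.
run_scan() {
    raw=$( { cd "$CHKROOTKIT_DIR" && ./chkrootkit -q; } 2>&1 )
    [ -n "$raw" ] || return 0
    rc=0
    report=$(printf '%s\n' "$raw" | summarize_report) || rc=$?
    printf '%s\n' "$report" | mail -s "chkrootkit on $(hostname): status $rc" "$REPORT_TO"
    return "$rc"
}

# Constructed sample in the shape of the output posted in #17 (not a real run).
SAMPLE_OUTPUT=$(cat <<'EOF'
can't exec ./strings-static,
/usr/lib/php/.registry
Checking `bindshell'... INFECTED (PORTS: 465)
not tested: can't exec ./ifpromisc
EOF
)

# demo_summary: runs the constructed sample through the summarizer (offline check).
demo_summary() { printf '%s\n' "$SAMPLE_OUTPUT" | summarize_report; }

# Only run the real scan when started with the "scan" argument, so the file can
# also be sourced to reuse the functions.
if [ "${1:-}" = "scan" ]; then run_scan; fi
```

To use it, install the script somewhere such as /usr/local/sbin/chkrootkit-report and make /etc/cron.daily/chkrootkit an executable one-liner that runs `exec /usr/local/sbin/chkrootkit-report scan`. The summarizer's exit status (2 for INFECTED, 1 for skipped checks) is put in the mail subject so reports from several servers can be sorted without opening them, and a skipped check is flagged rather than silently counted as clean.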
#2 | 01-21-2004, 10:50 AM | Web Hosting Master | Nashville, TN
Nice how-to. The only thing I found that needs fixing is that you should cd into /usr/local/chkrootkit before running make sense.
#3 | 01-21-2004, 02:16 PM | Junior Guru Wannabe | Alberta, Canada
Damn, can't edit line 7 either =)..
Is there a mod that could be so kind?
Ryan
#4 | 01-21-2004, 09:20 PM | Retired Moderator | Singapore
Nice how-to.
You could consider making a symlink in /usr/local for chkrootkit instead of copying every file from chkrootkit-0.?? to /usr/local/chkrootkit. In future, if you upgrade chkrootkit, you just need to point the symlink at the latest chkrootkit directory. For example:
1. Get chkrootkit tarball/source
Code:
wget -c ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz -P /root
tar zxvf /root/chkrootkit.tar.gz -C /usr/local
cd /usr/local
# replace ?.?? with the version directory the tarball unpacked
ln -s chkrootkit-?.?? chkrootkit
Then continue as you were doing.
Suggestion: report it to CL and indicate the changes you would like made.
#5 | 01-21-2004, 09:47 PM | Web Hosting Master | Toronto
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: line 725: [: /var/www/cgi-bin: binary operator expected
#6 | 01-21-2004, 10:06 PM | Retired Moderator | Singapore
#7 | 01-22-2004, 03:08 PM | Web Hosting Master | Toronto
Thanks!
#8 | 01-25-2004, 03:30 PM | Retired Moderator | WebHostingTalk
Good one... much thanks!!
#9 | 02-09-2004, 12:55 AM | Web Hosting Master
Part 2 - automated chkrootkit, and emailed results.
I'm lazy, and like my server to do the work for me so I have it scan every day, and email me the results.
Usage:
1. vi /etc/cron.daily/chkrootkit
2. add the following code.
Code:
#!/bin/bash
# run a quiet scan and mail whatever it prints (stderr included)
(cd /usr/local/chkrootkit; ./chkrootkit -q 2>&1 | mail -s "Daily chkrootkit scan" you@yourdomain.com)
3. chmod 0755 /etc/cron.daily/chkrootkit
This will email you@yourdomain.com every morning with your chkrootkit results. The -q option will only show you exploits.
As superuser (su -)
pico -w /etc/cron.daily/chkrootkit.sh
Then add the following code.
Code:
#!/bin/bash
cd /path/to/where/you/installed/chkrootkit-0.43/
./chkrootkit | mail -s "chkrootkit output from whatever_server" admin@domain.com
Ctrl+X to exit then type Y to save
chmod 755 /etc/cron.daily/chkrootkit.sh
That chmods the file so it has permission to run.
Note in the above, it is chkrootkit 0.43... the current version as of this writing. If the versions change, simply change that. I added a couple of things based on something I read somewhere before (can't remember where, sorry) to add the "whatever_server" because if you have multiple servers, you of course want to know which server your output is coming from. So, change "whatever_server" to the name of your box. Change the admin email to your email address.
If you're upgrading from an older version, simply follow the how-to, rm -rf the old version and edit your chkrootkit.sh in cron.daily to email you the updates from the newer versions.
#10 | 02-11-2004, 08:20 AM | Web Hosting Master
To make part 1 even more automatic, copy the following into a shell script, chmod it +x and run it as root.
It will do the same as part 1 above, but only copy the binary files to /usr/local/chkrootkit.
<code>
#!/bin/sh
set -e                         # stop if any step (e.g. the download) fails
mkdir -p /tmp/chkrootkit
cd /tmp/chkrootkit
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar -xvzf chkrootkit.tar.gz
cd chkrootkit*
make sense                     # builds the helper binaries copied below
mkdir -p /usr/local/chkrootkit
# copy only the built binaries and the chkrootkit script itself
cp chklastlog /usr/local/chkrootkit
cp chkwtmp /usr/local/chkrootkit
cp ifpromisc /usr/local/chkrootkit
cp chkproc /usr/local/chkrootkit
cp chkdirs /usr/local/chkrootkit
cp check_wtmpx /usr/local/chkrootkit
cp strings-static /usr/local/chkrootkit
cp chkrootkit /usr/local/chkrootkit
echo "Now you can delete /tmp/chkrootkit"
</code>
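The two install approaches in this thread (post #4's versioned directory plus symlink, and post #10's unattended script) can be combined. The script below is an added example, not post #4's or post #10's code: it checks the downloaded tarball against a checksum file before building, unpacks into a versioned directory under /usr/local and re-points the /usr/local/chkrootkit symlink, so an upgrade is the same script run again and the cron job never has to change. The checksum file location (chkrootkit.md5 next to the tarball), the install prefix and the refusal to overwrite a real /usr/local/chkrootkit directory left by the copy method are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the project publishes an md5
# list next to the tarball; the prefix is /usr/local; wget, md5sum, tar and
# make are available.

PREFIX="${PREFIX:-/usr/local}"
TARBALL_URL="ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz"
MD5_URL="ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5"   # assumed location

# verify_md5 TARBALL MD5FILE: returns 0 when the digest listed for the tarball's
# basename matches the file on disk, 1 when it differs or is missing.
verify_md5() {
    tarball=$1; sumfile=$2
    expected=$(awk -v f="$(basename "$tarball")" '$2 == f { print $1 }' "$sumfile")
    if [ -z "$expected" ]; then
        echo "no entry for $(basename "$tarball") in $sumfile" >&2
        return 1
    fi
    actual=$(md5sum "$tarball" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# release_dir TARBALL: prints the top-level directory inside the tarball
# (e.g. chkrootkit-0.43), which is what the symlink will point at.
release_dir() {
    tar tzf "$1" | head -n 1 | cut -d/ -f1
}

# point_symlink PREFIX DIRNAME: re-points PREFIX/chkrootkit at DIRNAME. Refuses
# to touch a real directory of that name (left behind by the copy method in
# post #1), because ln would otherwise create the link inside it.
point_symlink() {
    if [ -d "$1/chkrootkit" ] && [ ! -L "$1/chkrootkit" ]; then
        echo "$1/chkrootkit is a real directory; move it aside first" >&2
        return 1
    fi
    ln -sfn "$2" "$1/chkrootkit"
}

# install_release: download, verify, unpack into a versioned directory, build
# the helpers with "make sense", then switch the symlink. Needs network and root.
install_release() {
    work=$(mktemp -d) || return 1
    wget -q -P "$work" "$TARBALL_URL" "$MD5_URL" || return 1
    if ! verify_md5 "$work/chkrootkit.tar.gz" "$work/chkrootkit.md5"; then
        echo "checksum mismatch, not installing" >&2
        return 1
    fi
    dir=$(release_dir "$work/chkrootkit.tar.gz")
    tar xzf "$work/chkrootkit.tar.gz" -C "$PREFIX" || return 1
    (cd "$PREFIX/$dir" && make sense) || return 1
    point_symlink "$PREFIX" "$dir" || return 1
    rm -rf "$work"
    echo "$PREFIX/chkrootkit -> $dir"
}

# Only perform the real install when started with the "install" argument.
if [ "${1:-}" = "install" ]; then install_release; fi
```

Because the unpacked directory keeps its version in the name, the previous release stays on disk until you remove it, which makes rolling back a matter of re-pointing the symlink; the cron job from earlier in the thread keeps using /usr/local/chkrootkit unchanged.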
#11 | 02-11-2004, 09:04 AM | Web Hosting Master | UK
Just so people are aware, doing *just* this won't find 100% of trojans, just the more obvious ones.
Kernel trojans, memory trojans, bootsector trojans and process hijacking all exist, and you won't notice that things have changed with chkrootkit.
Running chkrootkit as part of a wider security policy is better than relying just on the program.
#12 | 02-11-2004, 02:11 PM | Web Hosting Guru
Would clamav also be able to detect the same trojans?
#13 | 02-11-2004, 04:45 PM | Web Hosting Master | UK
clamav detects viruses, e.g. MyDoom and the like.
#14 | 02-11-2004, 06:30 PM | Web Hosting Master
clamav detects (Windows) viruses, not Linux trojans/rootkits etc.
#15 | 02-11-2004, 09:40 PM | Web Hosting Guru
okay thanks
#16 | 04-16-2004, 10:25 PM | Web Hosting Master
I recommend that you check my thread here too:
http://www.webhostingtalk.com/showth...hreadid=258941
#17 | 05-17-2004, 05:38 PM | Disabled
Is this kinda output to my email good or...?
can't exec ./strings-static,
/var/www/mrtg/tcp.log
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Digest/MD5/.packlist /usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Digest/.packlist /usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/File/Spec/.packlist /usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/MIME/Base64/.packlist /usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Storable/.packlist /usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Time/HiRes/.packlist /usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Net/.packlist /usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/CGI/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Compress/Zlib/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Archive/Tar/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Archive/Zip/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Net/Telnet/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Net/Daemon/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Net/SSLeay/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Net/AIM/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Net/DNS/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Term/ReadKey/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Term/ReadLine/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Mail/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Mail/SpamAssassin/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/IO-stringy/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/MIME-tools/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/RPC/PlServer/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/DBI/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/DBI/Shell/.packlist 
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/DBD/Multiplex/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/DBD/mysql/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/IO/Tee/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/IO/Stty/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/IO/Tty/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Text/Reform/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Text/Query/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Text/CSV_XS/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/URI/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/HTML/Tagset/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/HTML/Parser/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/HTML/FillInForm/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/HTML/Clean/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/HTML/SimpleParse/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/libwww-perl/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Parse/RecDescent/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/OLE/Storage_Lite/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Image/Size/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Safe/Hole/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Tie/ShadowHash/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Tie/Watch/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Tie/IxHash/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Business/UPS/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Business/OnlinePayment/.packlist 
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Business/OnlinePayment/AuthorizeNet/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Spreadsheet/ParseExcel/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Spreadsheet/WriteExcel/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Convert/ASN1/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Convert/BER/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/perl-ldap/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/MLDBM/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/MLDBM/Sync/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Devel/Symdump/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/XML/Parser/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/XML/RegExp/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/XML/XSLT/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Persistent/Base/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Persistent/DBI/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Crypt/Blowfish/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Crypt/Blowfish_PP/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Crypt/CBC/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Crypt/DES/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Crypt/SSLeay/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/libxml-perl/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/XML-DOM/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Data/ShowTable/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/GD/.packlist 
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/GD/Text/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/GD/Graph/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/GD/Graph3d/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/SOAP/Lite/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/SQL/Statement/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Tree/MultiNode/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/MD5/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Digest/SHA1/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Digest/HMAC/.packlist /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi/auto/Spreadsheet/WriteExcel/.packlist /usr/lib/perl5/5.8.3/i386-linux-thread-multi/.packlist /usr/lib/perl5/5.8.3/i386-linux-thread-multi/auto/MIME/Base64/.packlist /usr/lib/perl5/5.8.3/i386-linux-thread-multi/auto/Storable/.packlist /usr/lib/perl5/5.8.3/i386-linux-thread-multi/auto/Net/.packlist /usr/lib/perl5/5.8.3/i386-linux-thread-multi/auto/CGI/.packlist /usr/lib/php/.registry /usr/lib/php/.lock /usr/lib/php/.filemap
/usr/lib/php/.registry
INFECTED (PORTS: 465)
not tested: can't exec ./ifpromisc
not tested: can't exec ./chkwtmp
not tested: can't exec ./chklastlog
#18 | 05-18-2004, 04:00 AM | WHT Addict
I just installed chkrootkit, but when I do a scan, this line shows up between the other results that are looking good:
Checking `bindshell'... INFECTED (PORTS: 465)
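The bindshell line in posts #17 and #18 gets no answer in the thread. chkrootkit's bindshell test reports a port whenever something is listening on one of the ports in its built-in list, so the piece of information that decides whether a hit is real is which process owns the listener. The script below is an added example, not from the thread: it pulls the port numbers out of the INFECTED line and shows the listening socket and owning process for each, using ss(8) or, failing that, netstat(8). The availability of those tools is an assumption; seeing other users' process names requires running it as root.

```shell
#!/bin/sh
# Added example, not from the thread: triage for a
# "Checking `bindshell'... INFECTED (PORTS: n ...)" line from chkrootkit.
# Assumes ss(8) or netstat(8) is installed.

# ports_from_line LINE: prints the port numbers named in an INFECTED (PORTS: ...)
# line, space separated; prints nothing for lines without a port list.
ports_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*INFECTED (PORTS: *\([0-9 ]*\)).*/\1/p'
}

# listeners_on_port PORT: prints the listening TCP sockets on PORT with the
# owning process. Uses ss, falls back to netstat.
listeners_on_port() {
    port=$1
    if command -v ss >/dev/null 2>&1; then
        ss -ltnp "( sport = :$port )" | tail -n +2
    elif command -v netstat >/dev/null 2>&1; then
        netstat -tlnp 2>/dev/null | awk -v p=":$port\$" '$4 ~ p'
    else
        echo "neither ss nor netstat found" >&2
        return 1
    fi
}

# triage_bindshell LINE: for each reported port, show what is bound to it so
# the hit can be matched against the daemons that are supposed to be running.
triage_bindshell() {
    for port in $(ports_from_line "$1"); do
        echo "== port $port =="
        out=$(listeners_on_port "$port") || true
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
        else
            echo "nothing listening now (listener may be transient, or only visible as root)"
        fi
    done
}

# Usage: pass the chkrootkit line as the single argument, e.g.
#   ./bindshell-triage.sh 'Checking `bindshell'"'"'... INFECTED (PORTS: 465)'
if [ $# -gt 0 ]; then triage_bindshell "$1"; fi
```

If the owning process is a daemon you installed and configured to listen there, the hit is a port-list match rather than a rootkit; if nothing you recognise owns the socket, or nothing is listening when you look but the report keeps coming back, that is the point to treat the box as suspect and stop relying on tools installed on it.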
#19 | 05-18-2004, 06:29 AM | Disabled
Originally posted by qubixx-be
I just installed chkrootkit, but when I do a scan, this line shows up between the other results that are looking good:
Does anyone know what the problem is with this?
#20 | 05-18-2004, 10:01 AM | Aspiring Evangelist | Tel-Aviv, Israel
Who the heck can think about putting a chkrootkit process into cron???
The first thing that an attacker with half a brain will do is look into root's crontab to see what's going on.
Who the heck writes a security document and calls a cracker or a script kiddie a hacker?
#21 | 05-18-2004, 10:04 AM | Aspiring Evangelist | Tel-Aviv, Israel
Originally posted by qubixx-be
I just installed chkrootkit, but when I do a scan, this line shows up between the other results that are looking good:
Does anyone know what the problem is with this?