Scanning for rootkits with chkrootkit (DEPRECATED)

NOTE: This article has been updated. The new version can be reached via this link.

Up-to-date and secure installations, firewalls, limited ssh access and strong passwords are all basic and essential aspects of security.

But what about the content of your Slice? One method of monitoring content is to scan for rootkits.


Note

Scanning for rootkits will not stop them; it is not an active defence.

By saying that, I mean if your Slice has been compromised then a scan will not stop the rootkit and there is, to be blunt, not a lot you can do about it. By all means have a go but the general consensus is that if your server has been compromised then start again from fresh.

It would be worth finding out how the rootkit got into your server in the first place so it doesn't happen again, but you are left with one option: reinstall.

So this article is about the scanning mechanism rather than how something may have entered your system. It is about checking the validity of the server content.

chkrootkit

Scanning is easily done with a programme called chkrootkit. This can also be automated so you don't have to log in and scan on a daily basis.

We're going to install chkrootkit from source. It is available from most repositories but installing from source ensures we have not installed a compromised scanning system (it's been known to happen!).

Let's go. Log into your VPS and navigate to your sources directory (the sources directory can be placed anywhere; I keep it in my admin user's home folder so no one else has access to it and it is easy to find):

cd ~/sources

Download

Download the latest chkrootkit version (this command will always fetch the latest version):

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

md5 check

To check that the file you have is the same file that chkrootkit.org intended you to have, check the md5 checksum. To do this enter:

md5sum chkrootkit.tar.gz

This will print a checksum that is unique to the downloaded file - compare it with the md5 checksum published on a mirror website (see the note below):

http://www.reznor.com/tools/chkrootkit.md5

Note: You may notice that I have checked the md5sum from a different server. I'm not paranoid but with something as important as this I want to make sure I don't have a dodgy download (thanks Ron).

If the two don't match then you have a corrupted or tampered download and should discard it. A match only proves the file is the one the checksum describes, so the check is only as trustworthy as the place the checksum came from; that is why it is worth fetching the checksum from a different host than the tarball. You will notice as you download more and more source code that most projects publish md5 or other checksums or signatures for integrity checks.

Unpack

Unpack the download and move into the new directory:

tar xvfz chkrootkit.tar.gz
cd chkrootkit-0.47

In this example, I downloaded and unpacked version 0.47 - remember the download command above will always download the latest version.
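The download, checksum and unpack steps above, wrapped in a small POSIX sh helper that refuses to unpack anything whose checksum does not match. This is an added example, not code from the article or from the chkrootkit project; it assumes the checksum file uses md5sum's "HASH  FILENAME" line format and that md5sum is available.

```shell
#!/bin/sh
# Added example, not from the original article: verify the chkrootkit
# tarball against a checksum obtained from a second source before it is
# unpacked, and fail closed on any mismatch or missing entry.
# Assumption: the checksum file uses md5sum's "HASH  FILENAME" line format
# (text mode; a "*FILENAME" binary-mode entry would not be matched).

# verify_md5 FILE EXPECTED -> returns 0 if FILE's md5 equals EXPECTED, else 1
verify_md5() {
    file="$1"; expected="$2"
    [ -f "$file" ] || { echo "verify_md5: missing file $file" >&2; return 1; }
    actual=$(md5sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_md5: $file has $actual, expected $expected" >&2
    return 1
}

# hash_for NAME MD5FILE -> prints the hash listed for NAME (empty if absent)
hash_for() {
    awk -v name="$1" '$2 == name { print $1; exit }' "$2"
}

# verified_unpack TARBALL MD5FILE -> extract into the current directory only
# after the checksum listed in MD5FILE matches; nothing is extracted otherwise.
verified_unpack() {
    tarball="$1"; md5file="$2"
    expected=$(hash_for "$(basename "$tarball")" "$md5file")
    [ -n "$expected" ] || { echo "no checksum listed for $tarball" >&2; return 1; }
    verify_md5 "$tarball" "$expected" || return 1
    tar xzf "$tarball"
}
```

With the tarball and the mirror's checksum file in the sources directory, `verified_unpack chkrootkit.tar.gz chkrootkit.md5` replaces the manual md5sum comparison and the tar command.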

Make

Now you need to compile the programme, which takes less than 2 seconds:

make sense

You can keep the folder in your sources directory or move the whole thing elsewhere more convenient for you. In this example, I will keep it in the sources directory.

Run

To run chkrootkit, simply give the command as the sudo user:

sudo ./chkrootkit

The output on my demo Slice gave the all clear but a warning may look something like this:

Warning: Possible Showtee Rootkit installed
/usr/include/file.h /usr/include/proc.h
You have 9 process hidden for readdir command
You have 11 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed

Check the warnings and, as already said and as recommended, if you are infected you need to reinstall with a fresh image.

Automate

Naturally, all this can be automated with a cron job. As the procedure needs to be run as root, enter the root crontab configuration:

sudo crontab -e

The recommended method (from the chkrootkit website) is as follows:

0 3 * * * (cd /home/demo/sources/chkrootkit-0.47; ./chkrootkit 2>&1 | mail -s "chkrootkit output" admin@yourdomain.com)

That will run the command at 3am every day and, provided you have 'mail' installed and configured, email the results to the specified address. Replace /home/demo and admin@yourdomain.com in that line with your own sources path and email address.

PickledOnion.

Article Comments:

kematzy commented Fri Nov 16 20:46:26 UTC 2007:

PickledOnion:

Could you please elaborate on this part a bit more, as I don't understand what needs to be done here.

"...providing you have 'mail' installed and configured, email the results to the specified address."

On a basic Ubuntu install, is 'mail' installed and configured ?

James commented Sun Dec 02 21:24:13 UTC 2007:

You may want to remind people to change the "demo" and "admin@yourdomain.com" in the cron line.

James commented Sun Dec 02 21:52:51 UTC 2007:

Boo, I put my email address in the last comment. Mind deleting it and just leaving this one? Thanks!

I find it pretty monotonous to receive the same email every day, so instead my cron job is:

0 3 * * * (cd /home/demo/sources/chkrootkit-0.47; ./chkrootkit -q > message 2>&1; diff -w whitelist message | mail -es "chkrootkit output" yourname@yourdomain.com; rm -f message)

Differences are:

  • I run chkrootkit in quiet mode -q, so I only see the warnings chkrootkit reports.
  • I compare the output of chkrootkit to a whitelist file. chkrootkit always complains about a file in the actionpack gem, so I wrote a 'whitelist' file that includes only those lines of chkrootkit's output that I want to ignore.
  • mail only sends me an email if the body of the email is non-empty, i.e. if chkrootkit reports a problem that I do not want to ignore.
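The whitelist approach described in this comment, written out as an added example in POSIX sh (it is not James's own script): it runs chkrootkit in quiet mode, drops any report line that appears verbatim in a whitelist file, mails only what is new, and records the outcome in syslog with logger. The sample report, the whitelist contents and the crontab path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not James's own script: run chkrootkit quietly, discard
# warnings listed in a whitelist file, mail only what is new, and log the
# outcome to syslog. Paths, addresses and the sample report are assumptions.

# Constructed sample of `chkrootkit -q` output, modelled on the warning
# lines quoted in the article (not results from a real scan).
sample_report() {
    cat <<'EOF'
Warning: Possible Showtee Rootkit installed
/usr/include/file.h /usr/include/proc.h
/usr/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/.gitkeep
EOF
}

# filter_new_warnings REPORT WHITELIST -> prints report lines that are not
# listed (whole-line, fixed-string match) in WHITELIST; blank lines dropped.
# Whitelist lines must match exactly; a missing whitelist ignores nothing.
filter_new_warnings() {
    report="$1"; white="$2"
    [ -f "$white" ] || white=/dev/null
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$report" | grep -v '^$' |
        grep -Fxvf "$white" || true
}

# has_new_warnings REPORT WHITELIST -> exit 0 only if something remains
has_new_warnings() {
    [ -n "$(filter_new_warnings "$1" "$2")" ]
}

# nightly_scan DIR WHITELIST MAILTO: intended for root's crontab, e.g.
#   0 3 * * * /usr/local/sbin/chkrootkit-nightly.sh   (assumed path)
nightly_scan() {
    dir="$1"; white="$2"; mailto="$3"
    report=$(mktemp) || return 1
    (cd "$dir" && ./chkrootkit -q) > "$report" 2>&1
    new=$(filter_new_warnings "$report" "$white")
    rm -f "$report"
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | mail -s "chkrootkit: new warnings" "$mailto"
        logger -t chkrootkit -p auth.warning "new warnings mailed to $mailto"
        return 2
    fi
    logger -t chkrootkit -p auth.info "clean: nothing outside whitelist"
    return 0
}
```

Because every run writes a logger line, the system log records that the scan happened and whether it was clean, even on nights when no mail is sent.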

Michael Hale commented Mon Mar 03 02:06:46 UTC 2008:

You can also run "md5sum -c chkrootkit.md5" to automatically compare the md5 signatures... saves on the eyes and the sanity :)

Tim commented Wed Apr 02 20:52:31 UTC 2008:

I see that if there are warnings then a report is sent to your email address. Is it also sent to the system log?

Dennis Clayton commented Mon Jul 21 14:36:58 UTC 2008:

On my Ubuntu 8.04 Slice, I had to install the "mailx" package to get the mailing of the chkrootkit report sent to me.

"apt-get install mailx"

Brian Kessler commented Mon Dec 15 03:36:58 UTC 2008:

The link for the alternate source of the md5 check seems to be broken.

Brad commented Wed Jan 13 16:29:43 UTC 2010:

After it is installed, how does one get latest update? I'm using CentOS.
