Scanning for rootkits with Rootcheck

Rootcheck is another great rootkit-checking tool for your Slice. You can never have too many.


Continuing our series on scanning for rootkits, we now concentrate on installing and configuring Rootcheck.

Rootcheck is open source rootkit detection and system auditing software. It scans the whole system looking for known rootkits. Using anomaly detection, it also searches for unknown (private or custom) and kernel-level rootkits. In addition, it checks your configuration for insecure options.

Rootcheck works in the same manner as chkrootkit and rkhunter (see these articles for chkrootkit and rkhunter) and also scans for other types of exploits.

Installation

Log into your slice and change to your "sources" directory:

cd ~/sources

Once there, download the latest version of rootcheck from the OSSEC website:

wget http://www.ossec.net/rootcheck/files/rootcheck-2.0.tar.gz

Version 2.0 is the latest stable version at the time of writing, but do check rootcheck's home page to see if a newer version is available.

Check the md5sum

An MD5 hash is a compact fingerprint of a file's contents: change a single byte and the 128-bit value changes completely. md5sum is the command line utility that calculates and verifies these hashes.

Being good sysadmins we want to check the md5sum of the downloaded file before extracting and installing it.

To compute the MD5 checksum of the downloaded package:

md5sum rootcheck-2.0.tar.gz

Compare the value with the checksum published on the OSSEC website. If the two don't match, the file was corrupted or altered in transit: delete it, download it again and check again. Two caveats are worth keeping in mind. First, the tarball and the published hash both arrive from the same site over plain HTTP, so a match tells you that you have the file OSSEC published, not that nobody could have changed both; where a project offers a detached signature for its releases, verifying that is the stronger check. Second, MD5 is no longer collision-resistant, so treat this as a guard against accidental corruption rather than against a determined attacker.

Extract

Once we're happy with our download we can extract the source code:

tar -zxvf rootcheck-2.0.tar.gz

Next we'll change to the newly-created directory:

cd rootcheck-2.0

Make

To compile the code, issue the following command in that directory. Compiling does not need root privileges, so no sudo is required here; the build leaves the ossec-rootcheck binary in the current directory:

make all
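The download, checksum and build steps above as one fail-closed shell script. This is an added example, not code from the article or from the rootcheck project. It assumes GNU coreutils (md5sum with -c --status) and GNU tar; EXPECTED_MD5 in the usage line is a placeholder that you copy from the OSSEC download page, and the checks below are exercised against a constructed tarball rather than the real one.

```shell
#!/bin/sh
# Added example, not from the article or from OSSEC/rootcheck.
# Verifies a tarball's MD5 against a value you supply before it is
# extracted or built, so a corrupted or altered download never gets
# unpacked. Assumes GNU coreutils (md5sum -c --status) and GNU tar.

# verify_md5 FILE EXPECTED_HEX
# Returns 0 when FILE exists and hashes to EXPECTED_HEX, 1 otherwise.
verify_md5() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 1
    # md5sum -c reads "HASH  FILENAME" lines; --status makes the exit
    # code the only output, which is all a script needs.
    printf '%s  %s\n' "$expected" "$file" | md5sum -c --status
}

# verify_and_extract FILE EXPECTED_HEX
# Extracts FILE into the current directory only when the hash matches.
verify_and_extract() {
    file=$1
    expected=$2
    if ! verify_md5 "$file" "$expected"; then
        echo "checksum mismatch for $file, not extracting" >&2
        return 1
    fi
    tar -zxf "$file"
}

# fetch_verify_build URL EXPECTED_HEX
# The page's full procedure: wget, verify, extract, make all. The build
# directory name is derived from the tarball name, which matches the
# rootcheck-2.0.tar.gz / rootcheck-2.0 layout used in the article.
fetch_verify_build() {
    url=$1
    expected=$2
    tarball=${url##*/}
    dir=${tarball%.tar.gz}
    wget -q "$url" || return 1
    verify_and_extract "$tarball" "$expected" || return 1
    (cd "$dir" && make all)
}

# Usage from ~/sources; EXPECTED_MD5 is a placeholder, copy the real
# value from the OSSEC download page:
#   fetch_verify_build http://www.ossec.net/rootcheck/files/rootcheck-2.0.tar.gz EXPECTED_MD5
```

The point of routing everything through verify_and_extract is that a mismatch stops the procedure before tar runs, instead of leaving a suspect tree on disk for someone to build later by hand.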

Scanning

Let's run it. The scanner has to run as root so that it can read every file, directory and process entry it needs to inspect:

sudo ./ossec-rootcheck >results.txt

That command runs rootcheck and writes its output to a file named "results.txt" (only standard output is captured; add 2>&1 to the command if you also want any error messages in the file).

We can read that file in our favorite editor and analyze the results. The INFO messages are reported just for informational purposes and can generally be ignored; anything else deserves a look.

Automation

It would be a good idea to have a cron job that runs daily and sends a small security report to your email account. Because root's cron will run it, make sure the script and the rootcheck directory it calls into are owned by root and not writable by other users; otherwise an attacker who gets a shell as the 'demo' user can replace the binary and have root execute it for them the next morning. Let's create a shell script for this cron job:

#!/bin/sh
# Stop if the directory is missing instead of running the rest blind.
cd /home/demo/sources/rootcheck-2.0 || exit 1
./ossec-rootcheck -c rootcheck.conf | mail -s 'rootcheck daily report' root@localhost

Don’t forget to replace root@localhost with your preferred e-mail address.

Save the file and call it something like 'rootcheckscript.sh'. Make the file executable:

chmod 750 rootcheckscript.sh

Now set a root cronjob. Open root's crontab:

sudo crontab -e

and add this line:

20 3 * * *  /home/demo/sources/rootcheck-2.0/rootcheckscript.sh

That will run the command at 3:20am every day. Provided you have 'mail' installed and configured (see our email articles for help if needed), the results will be sent to the email address you specified.
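A more defensive version of the daily job, added here as an example rather than taken from the article or from rootcheck itself. Before running anything as root it refuses a rootcheck directory, binary or config that root does not own or that others can write to, and it mails only the non-INFO lines, so an all-clear run produces no mail. It assumes GNU stat and find, the page's path as the default ROOTCHECK_DIR, a script location of /usr/local/sbin/rootcheck-daily.sh (an assumption, not from the article) and that informational lines contain the token INFO as the article describes; the sample output used to check it is constructed, not real rootcheck output.

```shell
#!/bin/sh
# Added example, not from the article or from OSSEC/rootcheck.
# Daily wrapper for ossec-rootcheck, meant for root's crontab, e.g.
#   20 3 * * *  /usr/local/sbin/rootcheck-daily.sh run   (path is an assumption)
# Assumes GNU stat/find and that informational lines contain "INFO".

ROOTCHECK_DIR=${ROOTCHECK_DIR:-/home/demo/sources/rootcheck-2.0}
REPORT_TO=${REPORT_TO:-root@localhost}

# safe_to_run DIR
# Root is about to execute DIR/ossec-rootcheck with DIR/rootcheck.conf.
# Refuse unless the directory, binary and config are all owned by root
# and writable by nobody else. A build left in an ordinary user's home
# (as on this page) fails this check until it is moved to a root-owned
# location, which is the point.
safe_to_run() {
    dir=$1
    for p in "$dir" "$dir/ossec-rootcheck" "$dir/rootcheck.conf"; do
        [ -e "$p" ] || return 1
        [ "$(stat -c %U "$p")" = root ] || return 1
        # -perm /022 matches if the group or other write bit is set
        [ -z "$(find "$p" -maxdepth 0 -perm /022)" ] || return 1
    done
    return 0
}

# findings FILE
# Prints the lines of a rootcheck output file that are neither INFO
# lines nor blank. Exit status 1 when there is nothing to report.
findings() {
    grep -v 'INFO' "$1" | grep -v '^[[:space:]]*$'
}

# run_report
# Runs the scan and mails the findings, if any. Returns 1 when the
# ownership check fails, so cron's own error mail shows the refusal.
run_report() {
    if ! safe_to_run "$ROOTCHECK_DIR"; then
        echo "refusing to run: $ROOTCHECK_DIR is not root-owned and root-only writable" >&2
        return 1
    fi
    out=$(mktemp) || return 1
    (cd "$ROOTCHECK_DIR" && ./ossec-rootcheck -c rootcheck.conf) >"$out" 2>&1
    if report=$(findings "$out"); then
        printf '%s\n' "$report" | mail -s "rootcheck daily report: $(hostname)" "$REPORT_TO"
    fi
    rm -f "$out"
}

# Entry point: cron invokes the script with the single argument "run";
# with no argument the file only defines the functions above.
if [ "${1:-}" = run ]; then
    run_report
fi
```

Mailing only when there is something to say keeps the report readable, but it also means a silently broken job looks the same as a clean scan; if you prefer a daily heartbeat, change run_report to always send and put the finding count in the subject line.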

Ismail

Article Comments:

Gnome commented Thu Mar 25 00:37:21 UTC 2010:

Thanks for the article. There are 3 rootkit checker articles. Which one do you suggest?

Ismail Guneydas commented Mon Mar 29 14:45:02 UTC 2010:

Gnome, if I thought your slice got compromised, then I would run these 3 tools. I cannot say one tool is better than another.

Ismail Guneydas commented Mon Mar 29 14:46:28 UTC 2010:

^^your=my.
