Installing Rootkit check (Scan for trojans/backdoor)
Posted by admin on 17 September 2009 11:32 PM
"A kit for maintaining root"
"A root kit is a set of tools/programs used by an intruder after a successful intrusion into a system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes. Malicious purposes include, but are not limited to, a backdoor entry to the system, masking the fact that the system is compromised (by hiding logins, processes, logs etc.), tty monitoring and so on."
What it does
A typical rootkit includes a set of modified Unix tools such as "ps", "top", "netstat", "w", "passwd", "du", "find", "login", "syslogd" and "ifconfig". When run, these commands behave normally except that they omit the processes run by the cracker, allowing him to maintain "root" on the system without the system administrator ever seeing them. A well designed rootkit hides logins, processes and logs, and often includes software to intercept data from terminals (tty monitors), network connections (a modified nc) and the keyboard (keyloggers).
A rootkit may also include utilities, known as backdoors, that help the attacker access the system more easily later on. For example, the rootkit may include an application that spawns a shell when the attacker connects to a particular network port on the system (a modified sshd server that spawns a shell without even asking for a password). Kernel rootkits (LKM rootkits) may provide functionality that allows processes started by a nonprivileged user to execute functions normally reserved for the superuser.
LKM (Loadable Kernel Module) rootkits are hard to find: they do not show up in lsmod, they cannot be removed with rmmod, and some taint the kernel. Still, most of them are detected by rootkit checkers, because they do not hide themselves from a cat /proc/ksyms or cat /proc/modules on the system.
Where do they keep the rootkits
Once they have gained root access to your system, they can keep their files in any directory, but the most common place is /dev/. Before asking me why /dev is a typical choice, do an ls on /dev. They also keep rootkits and related binaries in /tmp, /dev/shm, /var/spool/samba and many other world-writable directories. The directories just mentioned are also the most common places to keep the exploits used on the way to gaining root access.
As it is very difficult for us to look into each and every directory, this is where rootkit checkers come into the picture. They are designed to check for known exploits, worms and rootkits as well as for signs of a possible intrusion. A rootkit checker is not a preventive measure in any way and will not protect you from being cracked. It will, however, let you detect that it is already getting too late, before too much damage is done. Be aware that "Security is a process, not a product".
1. Download chkrootkit and its md5sum from the URLs below to /usr/local/share/.chkrootkit (mkdir -p /usr/local/share/.chkrootkit creates the directory if it doesn't exist already. I recommend using hidden (starting with a period, .) and creatively named directories.)
Chkrootkit --> ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
md5sum --> ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
2. Once downloaded, check the md5sum by executing Code:
and compare it with the md5sum you downloaded.
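The comparison in step 2, written out as an added shell example that is not part of the original article: it reads the digest for the tarball out of the downloaded checksum file (accepting both the GNU "digest  name" layout and the BSD "MD5 (name) = digest" layout, since the article does not show which one chkrootkit.md5 uses), computes the digest of the local tarball with md5sum, and only reports success when the two agree. The file names and the sample content at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): verify a downloaded tarball
# against its published checksum file before extracting it.
#
# expected_md5 NAME MD5FILE -> prints the digest recorded for NAME in MD5FILE.
# Accepts GNU "digest  name" lines and BSD "MD5 (name) = digest" lines.
expected_md5() {
    awk -v f="$1" '
        $2 == f                             { print $1; exit }
        $1 == "MD5" && $2 == ("(" f ")")    { print $4; exit }
    ' "$2"
}

# verify_md5 TARBALL MD5FILE -> 0 if the digest matches, 1 otherwise.
# A tarball that is not listed in MD5FILE at all also counts as a failure.
verify_md5() {
    tarball=$1 md5file=$2
    [ -f "$tarball" ] && [ -f "$md5file" ] || return 1
    expected=$(expected_md5 "$(basename "$tarball")" "$md5file")
    [ -n "$expected" ] || return 1
    actual=$(md5sum "$tarball" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Constructed demonstration: a stand-in "tarball" whose md5 is known
# (b1946ac92492d2347c6235b4d2611184 is the md5 of the text "hello\n").
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/chkrootkit.tar.gz"
printf 'b1946ac92492d2347c6235b4d2611184  chkrootkit.tar.gz\n' > "$demo_dir/chkrootkit.md5"
if verify_md5 "$demo_dir/chkrootkit.tar.gz" "$demo_dir/chkrootkit.md5"; then
    echo "checksum OK, safe to extract"
else
    echo "checksum MISMATCH, do not extract" >&2
fi
```

On the real download the call is simply `verify_md5 chkrootkit.tar.gz chkrootkit.md5 && tar xvzf chkrootkit.tar.gz`, so a corrupted or substituted archive is never unpacked. Note that a checksum fetched from the same FTP server as the tarball only protects against transfer errors, not against a compromised mirror.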
3. Extract and install
tar xvzf chkrootkit.tar.gz
cd chkrootkit* (Remove any old chkrootkit installations first, if there are any)
4. You can now run chkrootkit by executing Code:
If you see notfound / not infected / no suspect files / nothing deleted for every check, then you are safe.
5. However, if your system is compromised, the system files on which chkrootkit depends may have been modified by the rootkit in such a way as to hide the modifications, defeating the purpose of its installation. So I recommend that you keep and use a safe local copy of the binaries needed to run chkrootkit.
On a newly installed system, execute the commands below to copy all the files necessary to run chkrootkit.
mkdir -p /usr/local/share/.safebin
cp -aL /bin/awk /usr/bin/cut /bin/egrep /usr/bin/find /usr/bin/head /usr/bin/id /bin/ls /bin/netstat /bin/ps /usr/bin/strings /bin/sed /bin/uname /bin/echo /usr/local/share/.safebin
cd /usr/local/share && tar cvzf safebin.tar.gz .safebin
and keep a copy of safebin.tar.gz on your local computer; upload, extract and use it whenever you wish to run chkrootkit.
In that case, where you keep your own binaries, execute chkrootkit with the following option:
./chkrootkit -p /usr/local/share/.safebin
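The safe-binaries directory from step 5, as an added shell example that is not part of the original article: build_safebin copies the tools into the hidden directory (cp -pL follows symlinks the same way the article's cp -aL does, so the directory holds real files rather than links back into a possibly trojaned /bin), refuses anything that is not an executable regular file, and writes a SHA256SUMS manifest next to them; verify_safebin re-checks that manifest, which is the test to run on the restored copy before pointing chkrootkit at it with -p. The function names, the manifest name and the demonstration paths are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original article): build the "safe binaries"
# directory from step 5 and keep a checksum manifest with it, so a copy that
# is uploaded and extracted later can be verified before chkrootkit uses it.
#
# build_safebin DEST BIN... -> copies each BIN into DEST (dereferencing
# symlinks, so DEST holds real files) and writes DEST/SHA256SUMS.
# Returns 1 if no BIN was given or any BIN is not an executable regular file.
build_safebin() {
    dest=$1; shift
    [ $# -gt 0 ] || return 1
    mkdir -p "$dest" || return 1
    for src in "$@"; do
        if [ ! -f "$src" ] || [ ! -x "$src" ]; then
            echo "build_safebin: $src is not an executable regular file" >&2
            return 1
        fi
        cp -pL "$src" "$dest/" || return 1
    done
    # Manifest with relative names, so it verifies wherever the archive
    # is extracted later; the manifest file itself is left out of it.
    ( cd "$dest" && for f in *; do
          [ "$f" = SHA256SUMS ] || sha256sum "$f"
      done > SHA256SUMS )
}

# verify_safebin DEST -> 0 if every file in DEST/SHA256SUMS is present and
# unchanged, 1 if the manifest is missing or any file differs or is gone.
verify_safebin() {
    [ -f "$1/SHA256SUMS" ] || return 1
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}

# Demonstration with two tools found on the running system, into a temp dir
# (the article's real location is /usr/local/share/.safebin).
demo=$(mktemp -d)
if build_safebin "$demo/.safebin" "$(command -v ls)" "$(command -v sh)" \
   && verify_safebin "$demo/.safebin"; then
    echo "safebin built and manifest verified in $demo/.safebin"
fi
```

In use, the sequence is build_safebin on the freshly installed host, then `cd /usr/local/share && tar cvzf safebin.tar.gz .safebin` and move the archive off the machine as the article says; when it comes back, run `verify_safebin /usr/local/share/.safebin && ./chkrootkit -p /usr/local/share/.safebin`. The manifest only proves the restored copy matches what was archived, which is why the archive has to live somewhere an attacker with root on this host cannot rewrite it.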
6. Running chkrootkit daily
I personally don't recommend running chkrootkit without any manual intervention. By simply running it periodically, you alert the attacker, and he will change things so that it no longer detects his presence.
Still, if you would like to proceed, use the cron service
and insert the line below in the file that opens up
0 1 * * * (cd /usr/local/share/.chkrootkit/chkrootkit*; ./chkrootkit -p /usr/local/share/.safebin 2>&1 | mail -s "Chkrootkit output" email@example.com)
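If you do schedule it as in step 6, the nightly mail is more useful when it carries only the lines that are not an all-clear. The following is an added shell example, not part of the original article: chkrootkit_findings filters chkrootkit output against the phrases step 4 calls safe (plus the other clean wordings chkrootkit uses, which is an assumption based on its usual output), and run_and_report is a cron body that keeps the full output on disk and mails only when something was flagged. The two sample outputs are constructed in chkrootkit's style and are not real scan results; run_and_report is not exercised by the demonstration because it needs a real chkrootkit install and a mailer.

```shell
#!/bin/sh
# Added example (not from the original article): triage chkrootkit output so a
# scheduled run only mails when there is something to look at.
#
# chkrootkit_findings < OUTPUT -> prints every result line that is not an
# all-clear line; exit 0 if anything was printed, 1 if the output was clean.
# The all-clear phrases are anchored to the end of the line on purpose:
# "... were not found in /var/run/utmp !" is a finding, not an all-clear,
# and an unanchored "not found" match would swallow it.
chkrootkit_findings() {
    awk '
        /^[ \t]*$/                                   { next }
        /^ROOTDIR is /                               { next }
        /^Searching for suspicious files and dirs/   { next }
        /(not infected|not found|nothing found|nothing deleted|nothing detected|no suspect files)[ \t]*$/ { next }
        /not promisc and no sockets/                 { next }
        { print; n++ }
        END { exit (n ? 0 : 1) }
    '
}

# run_and_report CHKROOTKIT_DIR SAFEBIN RECIPIENT -> body for the cron entry
# in step 6: full output is kept under /var/log every run, mail goes out only
# when chkrootkit_findings reports something. (Assumed layout, not run here.)
run_and_report() {
    log="/var/log/chkrootkit.$(date +%Y%m%d).log"
    ( cd "$1" && ./chkrootkit -p "$2" ) > "$log" 2>&1
    if findings=$(chkrootkit_findings < "$log"); then
        printf '%s\n\nfull output: %s\n' "$findings" "$log" \
            | mail -s "chkrootkit findings on $(hostname)" "$3"
    fi
}

# Constructed samples in chkrootkit's output style (not real scan results).
clean_sample=$(cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `lkm'... chkproc: nothing detected
Checking `sniffer'... eth0: not promisc and no sockets
Checking `wted'... chkwtmp: nothing deleted
Checking `aliens'... no suspect files
EOF
)
bad_sample=$(cat <<'EOF'
ROOTDIR is `/'
Checking `basename'... not infected
Checking `lkm'... You have     2 process hidden for readdir command
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Checking `sniffer'... eth0: not promisc and no sockets
Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
EOF
)

echo "clean sample:"
printf '%s\n' "$clean_sample" | chkrootkit_findings || echo "  (no findings)"
echo "sample with findings:"
printf '%s\n' "$bad_sample" | chkrootkit_findings
```

The cron line then becomes a call such as `run_and_report /usr/local/share/.chkrootkit/chkrootkit-0.49 /usr/local/share/.safebin email@example.com` (version directory assumed), which still leaves every run's complete output on disk for the manual review the article prefers.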
7. What each binary does
chkrootkit - This is the master program
check_wtmpx - This checks your tmp dirs for problems
chkdirs - This recurses all directories looking for problems
chklastlog - This checks your lastlog to see if it's been "fixed"
chkproc - Checks the proc file system for trouble
chkwtmp - Checks for deleted entries.
chkutmp - Checks for hidden logins
ifpromisc - Checks to see if your NIC has been put into promiscuous mode
strings-static - Does string checking for signatures.
Installing Rootkit hunter (RKhunter)
1. Download the latest version from http://downloads.rootkit.nl/. The latest version as of this writing is 1.2.5 at URL
It would be nice to subscribe to their release announcements at http://freshmeat.net/projects/rkhunter/
or, the easy way, Code:
2. Extract and install by typing the commands below
tar zxf rkhunter-1.2.5.tar.gz ; cd rkhunter ; ./installer.sh
3. Once it has installed successfully, run rkhunter by typing the command
/usr/local/bin/rkhunter -c --createlogfile --skip-keypress
The log file is created at /var/log/rkhunter.log
4. Periodic run
and insert the line below in the file that opens up
0 1 * * * (/usr/local/bin/rkhunter -c --cronjob --report-mode --createlogfile --skip-keypress 2>&1 | mail -s "Daily Rkhunter Scan Report" firstname.lastname@example.org)
NB: Rkhunter has a few more checks than chkrootkit, such as checking /dev for suspicious files, an application (version) scan, and checking a few key files in /etc.
http://la-samhna.de/library/rootkits/detect.html - An explanation from Samhain Labs
http://www.cs.wright.edu/people/faculty/pmateti/Courses/499/Fortification/obrien.html - An article from Sysadmin magazine
http://vancouver-webpages.com/rkdet/ - Another rootkit checker
http://www.securityfocus.com/infocus/1811 - GDB, an advanced rootkit checker
http://www.chkrootkit.org - Homepage of chkrootkit
http://www.rootkit.nl - Homepage of Rootkit Hunter
http://www.ossec.net/rootcheck/ - One more rootkit checker
http://www.sans.org/y2k/t0rn.htm - Analysis of the infamous t0rn rootkit