How to scan your Linux-Distro for Root Kits
Do you suspect that you have a compromised system?
Check now for root kits that the intruder may have installed!
So... what in the hell is a root kit?
A root kit is a collection of programs that intruders often install after they have compromised the root account of a system.
These programs will help the intruders clean up their tracks, as well as provide access back into the system.
Root kits will sometimes leave processes running so that the intruder can come back easily and without the system administrator's knowledge!
Scripts like chkrootkit will do the job for you automatically.
chkrootkit V. 0.46a
Nelson Murilo <email@example.com> (main author)
Klaus Steding-Jessen <firstname.lastname@example.org> (co-author)
This program locally checks for signs of a rootkit.
chkrootkit is available at: http://www.chkrootkit.org/
No illegal activities are encouraged!
I'm not responsible for anything you may do with it.
This tool includes software developed by the DFN-CERT, Univ. of Hamburg (chklastlog and chkwtmp), and small portions of ifconfig developed by Fred N. van Kempen, <email@example.com>.
chkrootkit is a tool to locally check for signs of a rootkit. It contains:
* chkrootkit: a shell script that checks system binaries for rootkit modification.
* ifpromisc.c: checks if the network interface is in promiscuous mode.
* chklastlog.c: checks for lastlog deletions.
* chkwtmp.c: checks for wtmp deletions.
* check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
* chkproc.c: checks for signs of LKM trojans.
* chkdirs.c: checks for signs of LKM trojans.
* strings.c: quick and dirty strings replacement.
* chkutmp.c: checks for utmp deletions.
chkwtmp and chklastlog *try* to check for deleted entries in the wtmp
and lastlog files, but it is *not* guaranteed that any modification will be detected.
Aliens tries to find sniffer logs and rootkit config files. It looks for some default file locations -- so it is also not guaranteed it will succeed in all cases.
chkproc checks if /proc entries are hidden from ps and the readdir system call. This could be the indication of an LKM trojan. You can also run this command with the -v option (verbose).
OK! Enough with the theory... Let's do some dirty work now!
DO NOT install chkrootkit on your system and simply run it periodically.
An attacker may simply find the installation and change it so that it doesn't detect his presence.
Compile it and put it on removable or read-only media.
Download the Latest Source tarball (37140 bytes).
From shell run...
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
Then verify the tarball's MD5 checksum: compute it and compare the result with the value published on the chkrootkit site.
From shell run...
# md5sum chkrootkit.tar.gz
Use tar to unpack the source code.
From shell run...
# tar -xzf chkrootkit.tar.gz
Compile chkrootkit. Go into the directory that it created and type from the shell...
# make sense
Run chkrootkit from the directory it was built in.
It will print each test that it performs and the result of the test:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
. . .
chkutmp: nothing deleted
Not very interesting?
Thank God I am not infected!
chkrootkit can also be run on disks mounted in another machine; just specify the mount point for the partition with the -r option:
# ./chkrootkit -r /mnt/hda2_image
I hope you are not infected too!
If you are not infected I think it is a good time to make a copy of your disk(s)...
Generate a checksum for the partition you wish to image. From the shell, run...
# md5sum /dev/hdc2 > /tmp/hdc2.md5
To make the copy of the disk(s), we'll use the dd command. From shell...
# dd if=/dev/hdc of=/tmp/hdc.img
You will need enough space in /tmp to hold a copy of the entire /dev/hdc drive.
This means that /tmp shouldn't be a RAM disk and should not be stored on /dev/hdc.
Write it to another hard disk!
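
The commands above hash the partition /dev/hdc2 but image the whole disk /dev/hdc, so that checksum cannot be compared with the image. The script below is an added example, not part of the original page or of chkrootkit: it hashes the same device it copies, refuses to write the image onto the source disk, and re-hashes the image to confirm the copy. The function names and the /mnt/other_disk path are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original page): image a disk with dd and
# prove the copy is bit-identical. Assumes the source is not being written
# to while it runs (unmounted, or mounted read-only).

# md5_of FILE: print only the hex digest of FILE.
md5_of() {
    md5sum "$1" | awk '{print $1}'
}

# image_and_verify SRC DST
# Returns 0 when the image matches the source, 1 on a refused or failed
# copy, 2 when the digests differ.
image_and_verify() {
    src=$1
    dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; return 1; }

    # Best-effort form of the page's caveat: the image must not be written
    # to a filesystem that lives on the disk being copied.
    dstdev=$(df -P "$(dirname "$dst")" | awk 'NR==2 {print $1}')
    case "$dstdev" in
        "$src"*) echo "$dst is on $src" >&2; return 1 ;;
    esac

    want=$(md5_of "$src")                        # digest of the source
    dd if="$src" of="$dst" bs=1048576 || return 1
    got=$(md5_of "$dst")                         # digest of the image

    if [ "$want" != "$got" ]; then
        echo "MISMATCH: source $want, image $got" >&2
        return 2
    fi
    # Sidecar in md5sum format, so `md5sum -c` can re-check the image later.
    printf '%s  %s\n' "$got" "$(basename "$dst")" > "$dst.md5"
    echo "verified: $got"
}

# Constructed usage: sh image.sh /dev/hdc /mnt/other_disk/hdc.img
if [ "$#" -eq 2 ]; then
    image_and_verify "$1" "$2"
fi
```

A mismatch on a disk that is still mounted read-write usually means the source changed between the hash and the copy, so take the image from an unmounted or read-only disk.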