
How to scan your Linux-Distro for Root Kits

13 replies
kanenas.net wrote:

Do you suspect that you have a compromised system?
Check now for root kits that the intruder may have installed!
So... what in the hell is a root kit?
A root kit is a collection of programs that intruders often install after they have compromised the root account of a system.
These programs will help the intruders clean up their tracks, as well as provide access back into the system.
Root kits will sometimes leave processes running so that the intruder can come back easily and without the system administrator's knowledge!

Solution....
Scripts like chkrootkit will do the job for you automatically.

chkrootkit V. 0.46a

Nelson Murilo <nelson@pangeia.com.br> (main author)
Klaus Steding-Jessen <jessen@cert.br> (co-author)

This program locally checks for signs of a rootkit.
chkrootkit is available at: http://www.chkrootkit.org/

No illegal activities are encouraged!
I'm not responsible for anything you may do with it.

This tool includes software developed by the
DFN-CERT, Univ. of Hamburg (chklastlog and chkwtmp),and small portions of ifconfig developed by
Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org>.

What's chkrootkit?
chkrootkit is a tool to locally check for signs of a rootkit. It contains:

* chkrootkit: a shell script that checks system binaries for rootkit modification.
* ifpromisc.c: checks if the network interface is in promiscuous mode.
* chklastlog.c: checks for lastlog deletions.
* chkwtmp.c: checks for wtmp deletions.
* check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
* chkproc.c: checks for signs of LKM trojans.
* chkdirs.c: checks for signs of LKM trojans.
* strings.c: quick and dirty strings replacement.
* chkutmp.c: checks for utmp deletions.

chkwtmp and chklastlog *try* to check for deleted entries in the wtmp
and lastlog files, but it is *not* guaranteed that any modification will be detected.

Aliens tries to find sniffer logs and rootkit config files. It looks for some default file locations -- so it is also not guaranteed it will succeed in all cases.

chkproc checks if /proc entries are hidden from ps and the readdir system call. This could be the indication of a LKM trojan. You can also run this command with the -v option (verbose).

OK! Enough with the theory... Let's do some dirty work now!

ATTENTION !!!
DO NOT install chkrootkit on your system and simply run it periodically.
An attacker may simply find the installation and change it so that it doesn't detect his presence.
Compile it and put it on removable or read-only media.

STEP 1
Download the Latest Source tarball (37140 bytes).
From shell run...
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

STEP 2
Then verify the tarball's MD5 checksum.
From shell run...
# md5sum chkrootkit.tar.gz
and compare the output with the MD5 published at http://www.chkrootkit.org/

STEP 3
Use tar to... unzip the source code.
From shell run...
# tar -xzf chkrootkit.tar.gz

STEP 4
Compile chkrootkit. Go into the directory that it created and type from shell...
# make sense

STEP 5
Run chkrootkit from the directory it was built in.
From shell...
# ./chkrootkit

It will print each test that it performs and the result of the test:

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
.
.
.
chkutmp: nothing deleted

Not very interesting?
Thank God I am not infected!

chkrootkit can also be run on disks mounted in another machine, just specify the mount point for the partition with the -r option:
# ./chkrootkit -r /mnt/hda2_image

That's all...

I hope you are not infected too !!!

P.S.
If you are not infected I think it is a good time to make a copy of your disk(s)...
Generate a checksum for the partition you wish to image, run from shell
# md5sum /dev/hdc2 > /tmp/hdc2.md5
To make the copy of the disk(s), we'll use the dd command. From shell...
# dd if=/dev/hdc of=/tmp/hdc.img
You will need enough space in /tmp to hold a copy of the entire /dev/hdc drive.
This means that /tmp shouldn't be a RAM disk and should not be stored on /dev/hdc.
Write it to another hard disk!
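The three habits this post and the replies insist on (check the tarball hash before building, run chkrootkit only from read-only media with a fixed PATH, and verify the disk image you take afterwards) as shell functions. This is an added example, not code from the original post and not part of chkrootkit; the location MOUNTPOINT/chkrootkit/chkrootkit is an assumption, and the demo at the bottom uses constructed temp files in place of a real tarball and a real disk.

```shell
#!/bin/sh
# Added example, not from the original post and not part of chkrootkit: the habits the thread
# recommends, as functions you can keep on the same removable media as chkrootkit.
#   verify_md5          refuse to unpack a tarball whose md5sum differs from the published hash
#   trusted_chkrootkit  run only the copy on a read-only mount, with a pinned PATH (accepts -r etc.)
#   image_and_verify    dd a device to an image and confirm the image hashes identical to the source
# MOUNTPOINT/chkrootkit/chkrootkit is an assumed layout; the demo uses constructed temp files.

# verify_md5 FILE EXPECTED_MD5  -> 0 if FILE hashes to EXPECTED_MD5, 1 otherwise
verify_md5() {
    actual=$(md5sum "$1" | cut -d ' ' -f 1)
    [ "$actual" = "$2" ]
}

# trusted_chkrootkit MOUNTPOINT [chkrootkit args...]
# Refuses unless MOUNTPOINT appears in /proc/mounts with the "ro" option, so a copy an intruder
# could have edited in place (or the one under /usr/local/bin) is never the one that runs.
# PATH is pinned so the script's own ps/netstat/strings calls do not resolve through a
# directory the intruder prepended to PATH.
trusted_chkrootkit() {
    mnt=$1; shift
    if ! awk -v m="$mnt" '$2 == m && $4 ~ /^ro(,|$)/ { ok = 1 } END { exit !ok }' /proc/mounts 2>/dev/null; then
        echo "refusing to run: $mnt is not a read-only mount" >&2
        return 1
    fi
    PATH=/bin:/usr/bin:/sbin:/usr/sbin "$mnt/chkrootkit/chkrootkit" "$@"
}

# image_and_verify DEVICE IMAGE  -> 0 if the image hashes identical to the device
# Put IMAGE on a different physical disk than DEVICE, never on a RAM-backed /tmp, and hash
# the same object you copy (a whole-disk image is compared with the whole disk).
image_and_verify() {
    dd if="$1" of="$2" bs=4096 2>/dev/null || return 1
    src=$(md5sum "$1" | cut -d ' ' -f 1)
    img=$(md5sum "$2" | cut -d ' ' -f 1)
    printf '%s  %s\n%s  %s\n' "$src" "$1" "$img" "$2"
    [ "$src" = "$img" ]
}

# Demo on constructed inputs: a fake "tarball" whose md5 is known, and a 32 KiB zero-filled "disk".
demo() {
    work=$(mktemp -d)
    printf 'hello\n' > "$work/chkrootkit.tar.gz"            # constructed stand-in for the tarball
    if verify_md5 "$work/chkrootkit.tar.gz" b1946ac92492d2347c6235b4d2611184; then
        echo "tarball hash matches, safe to tar -xzf"
    else
        echo "tarball hash MISMATCH, do not unpack" >&2
    fi
    dd if=/dev/zero of="$work/disk" bs=4096 count=8 2>/dev/null   # constructed "disk"
    image_and_verify "$work/disk" "$work/disk.img" && echo "image verified"
    rm -rf "$work"
}
demo
```

Note that chkrootkit itself still calls the system's ps, netstat and friends, so a trojaned ps can blind it even when the script is clean; that is why the -r run against a disk mounted from a live CD is the stronger check.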

supermike wrote:

Anyone done this on Ubuntu or RH9? I've got two systems that I want to ensure are running fine. If there's anything in particular that needs to be done on either Ubuntu Breezy or RH9, let me know.

kanenas.net wrote:

I have tested it on my Fedora Core 3!
I don't think it would be so different or difficult to test on other distros...

supermike wrote:

Ran this on RH9 and got back:

warning, got bogus tcp line

This is coming back from netstat and I can see it visually if I run netstat myself. The script works the heck out of netstat. I don't know if this is a bug as is discussed here:

http://kbase.redhat.com/faq/FAQ_80_6180.shtm

or not.

dylunio wrote:

Cool tutorial.

One point is if you have chkrootkit on your system and your system is compromised, they may replace chkrootkit with their own "everything's hunky dory" version; for this reason it's good practice to use absolute paths and even run something like this from a Live CD.

dylunio

kanenas.net wrote:

supermike,
in http://kbase.redhat.com/faq/FAQ_80_6180.shtm
I saw something that I didn't like!

Article Reference
Article ID: 6180
Last update: 09-09-05

and...
chkrootkit 0.46a is now available! (Release Date: Fri Oct 28 2005)

I suggest you visit..
http://www.chkrootkit.org/faq/
and try something like...
# ./chkrootkit -x | more

supermike wrote:

When I do chkrootkit -x and quickly do CTRL+C after I get the "warning, got bogus tcp line", then scroll back, I see that the script was working against tcpd.debug and started posting this error, over and over again, after the line ".gnu_debuglink".

supermike wrote:

On RH9, my netstat won't stop unless I do CTRL+C and seems to display things over and over along with the "warning, got bogus tcp line". I've bounced the web server and bounced the net card, but to no avail.

This, I think, is the reason why chkrootkit is not performing as expected.

supermike wrote:

I finally found the source code for netstat when I discovered that netstat is part of net-tools, which are found here:

http://www.tazenda.demon.co.uk/phil/net-tools/

I did a wget to get the greatest .bz2 file for it, then downloaded it, bunzip2'd it, then untar'd it, then did ./Configure (capital C required), followed the questions (don't go with defaults!), and then did "make". It made the apps in the same directory but did not install them. Don't do "make install". Now I could edit netstat.c and comment out the fprintf line regarding "warning, got bogus tcp line" using /* and */ and then switch it to an ordinary printf with:

printf("warning, got bogus tcp line");

...and then did another "make" to recompile.

...and then did ./netstat.

The exception to this netstat, however, is that I can now grep out the tcp line with:

./netstat | grep -iv "warning, got bogus"

...whereas before, it was going to standard error.

The only problem I have now is that netstat seems to run forever and ever and ever. I read on the web here:

http://www.opensource.apple.com/darwinsource/Current/lsof-20/lsof/00QUICKSTART

...that this is why lsof will also fail.

So therefore, if I can just fix my netstat from looping continuously, then I can get this chkrootkit command to work properly.

supermike wrote:

Ah, but running chkrootkit again claims that netstat is infected, when it is not because I read the sourcecode and recompiled it myself.

kanenas.net wrote:

supermike...

From http://www.chkrootkit.org/faq/

6.How accurate is chkproc?

If you run chkproc on a server that runs lots of short time processes it could report some false positives. chkproc compares the ps output with the /proc contents. If processes are created/killed during this operation chkproc could point out these PIDs as suspicious.

Could it be something like this that is happening?
I don't know what to say, man!
Puzzled.

Hasn't anyone else, apart from you and me, tried?
Did they find something?
I don't know...
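The check chkproc makes (the README paragraph above says it compares ps output with /proc and can report PIDs of short-lived processes as suspicious, and the FAQ quoted in this reply says the same), written out in plain shell so the logic and the false positives are visible. This is an added example, not chkproc itself and not code from the original post; it assumes a Linux /proc and treats a PID as hidden only if it is a real process (Tgid equal to its own PID, so threads are excluded) and is still present-but-unlisted on a second pass one second later.

```shell
#!/bin/sh
# Added example, not chkproc itself and not from the original post: the comparison chkproc makes,
# in plain shell.  Many LKM rootkits hide a process by filtering what readdir() returns for /proc
# while /proc/<pid> can still be opened by name, so scan_unlisted probes /proc/1 .. /proc/MAXPID
# by name and compares with the directory listing; scan_not_in_ps compares the listing with ps.
# Two refinements keep the output honest (the false positives the chkrootkit FAQ warns about):
#   * thread IDs are reachable by name but never listed; only an entry whose Tgid equals its own
#     PID (a real process) is reported, so a multithreaded daemon is not mistaken for a rootkit;
#   * processes born or killed mid-scan show up in one view and not the other; confirm() runs a
#     scan twice, one second apart, and reports only PIDs present in both results.

# scan_unlisted MAXPID  -> one pass; prints each PID reachable by name that readdir() omits
scan_unlisted() {
    listed=" $(ls /proc 2>/dev/null | grep -E '^[0-9]+$' | tr '\n' ' ') "
    i=1
    while [ "$i" -le "$1" ]; do
        if [ -d "/proc/$i" ]; then
            case "$listed" in
                *" $i "*) ;;                        # listed and reachable: nothing to see
                *)                                  # reachable but not listed
                    tgid=$(awk '/^Tgid:/ { print $2 }' "/proc/$i/status" 2>/dev/null)
                    [ "$tgid" = "$i" ] && echo "$i"
                    ;;
            esac
        fi
        i=$((i + 1))
    done
}

# scan_not_in_ps  -> one pass; prints each PID that readdir(/proc) lists but ps does not show
# (a trojaned ps, or a process that started after ps ran).  Prints nothing if ps gives no output.
scan_not_in_ps() {
    shown=" $(ps -e -o pid= 2>/dev/null | tr -s ' \n' '  ') "
    [ -n "$(echo $shown)" ] || return 0
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        case "$shown" in
            *" $pid "*) ;;
            *) [ -d "$d" ] && echo "$pid" ;;
        esac
    done
}

# confirm SCAN [ARG...]  -> runs SCAN twice, one second apart, prints only PIDs reported both times
confirm() {
    first=$("$@")
    [ -n "$first" ] || return 0
    sleep 1                                         # let short-lived processes come and go
    second=" $("$@" | tr '\n' ' ') "
    for pid in $first; do
        case "$second" in *" $pid "*) echo "$pid" ;; esac
    done
}

# proc_hidden_pids [MAXPID]  -> PIDs hidden from readdir(/proc); MAXPID defaults to 32768,
# pass "$(cat /proc/sys/kernel/pid_max)" for a full (slower) sweep.
proc_hidden_pids() { confirm scan_unlisted "${1:-32768}"; }

# ps_hidden_pids  -> PIDs in /proc that ps does not show; empty when ps is not installed
ps_hidden_pids() { command -v ps >/dev/null 2>&1 || return 0; confirm scan_not_in_ps; }

# Standalone run: report both views, exit 1 if anything is hidden.
report() {
    hidden=$(proc_hidden_pids "${1:-32768}")
    unseen=$(ps_hidden_pids)
    if [ -z "$hidden$unseen" ]; then
        echo "chkproc-style check: nothing hidden"
        return 0
    fi
    [ -n "$hidden" ] && echo "present in /proc but hidden from readdir: $(echo $hidden)"
    [ -n "$unseen" ] && echo "listed in /proc but not shown by ps: $(echo $unseen)"
    return 1
}
report
```

Like chkproc, this only catches rootkits that hide from readdir but not from a lookup by name, or that trojan ps but not /proc; a hook that lies consistently in both places is invisible to it, which is another reason to examine the disk from a live CD rather than trust the running kernel.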

tbuitenh wrote:
dylunio wrote:

One point is if you have chrootkit on your system and your system is compramised, they may replace chrootkit with their own "everything's hunky dory" version, for this reason it's good practise to use absolute paths and even run somthing like this from a Live CD.

Which is why, months ago, I suggested it should be included in DONTPANIC.

dylunio wrote:

Yup, that's where I gained the information to say what I said.
