Home arrow BlueQuartz arrow Checking for Rootkits

Sections

Skating
Security
Technology
BlueQuartz
In The News
Musings
Procrastination
Downloads

Popular Articles

Latest Articles

Checking for Rootkits PDF Print
Monday, 21 August 2006

In the same vein my last post, here is page on installing chkrootkit and Rootkit Hunter on CentOS / BlueQuartz. 

A root kit is the name given to a piece of software written to try and elevate someones permissions to root level, commonly used by hackers/crackers/script kiddies to infect a system. There are many rootkit checkers however we are going to install two of the most common which are both are free and open source.  Some people prefer one over the other, I say, why not use both!

 

chkrootkit

The website is http://www.chkrootkit.org/ and the following is based on v0.47

  • # Pick a location
  • cd /usr/local
  • wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
  • tar zxvf chkrootkit.tar.gz
  • rm chkrootkit.tar.gz
  • # Fix the permissions
  • chown -R root:root chkrootkit-0.47
  • cd chkrootkit-0.47
  • make sense
  • # A quick tidy up
  • mkdir docs src
  • mv *.c Makefile src
  • mv READM* chkrootkit.lsm ACKNOWLEDGMENTS COPYRIGHT docs
  • ./chkrootkit -q > good.output 2>&1
  • # CHECK THE good.output FILE IS OK AND HAS A KNOWN GOOD OUTPUT
  • touch current.output
  • touch /etc/cron.daily/chkrootkit
  • chmod 755 /etc/cron.daily/chkrootkit
  • vi /etc/cron.daily/chkrootkit
  • # Place the following text in the file...

#!/bin/sh

SERVER=`hostname`

cd /usr/local/chkrootkit-0.47

rm current.output

./chkrootkit -q > current.output 2>&1

DIFF=`/usr/bin/diff current.output good.output`

ERRO=`/bin/cat current.output`

if [ "$DIFF" != "" ]

then

/usr/lib/sendmail -t << EOF

To: root

Subject: ${SERVER}: Chkrootkit Output

 

====> A diff between current and good output is:

 

$DIFF

 

====> The current output is:

 

$ERRO

 

EOF

fi

 

Rootkit Hunter

The website is http://www.rootkit.nl/projects/rootkit_hunter.html and the following is based on v1.2.8

  • # Use a working directory where you can execute code
  • cd /home/.tmp
  • wget http://downloads.rootkit.nl/rkhunter-1.2.8.tar.gz
  • tar zxvf rkhunter-1.2.8.tar.gz
  • cd rkhunter
  • ./installer.sh
  • cd ..
  • rm -r rkhunter rkhunter-1.2.8.tar.gz
  • # Rootkit Hunter does however complain about the user root-admin.
  • # As far as I can tell there is no need for this user on BQ so I remove it.
  • userdel root-admin
  • touch /etc/cron.daily/rkhunter
  • chmod 755 /etc/cron.daily/rkhunter
  • vi /etc/cron.daily/rkhunter
  • # Place the following text in the file...

#!/bin/sh

SERVER=`hostname`

OUTPUT=`/usr/local/bin/rkhunter --versioncheck`

EXITCODE=$?

if [ ${EXITCODE} != 0 ]

then

echo "${OUTPUT}" | /bin/mail -s "${SERVER}: Rootkit Hunter Output" root

fi

OUTPUT=`/usr/local/bin/rkhunter --update`

EXITCODE=$?

if [ ${EXITCODE} != 0 ]

then

echo "${OUTPUT}" | /bin/mail -s "${SERVER}: Rootkit Hunter Output" root

fi

OUTPUT=`/usr/local/bin/rkhunter --cronjob --report-warnings-only`

EXITCODE=$?

if [ ${EXITCODE} != 0 ]

then

echo "${OUTPUT}" | /bin/mail -s "${SERVER}: Rootkit Hunter Output" root

fi

I hope this is of help to people.

 
Last Updated ( Friday, 22 June 2007 )
 

My other websites

Share This

Now showing on my TV

  • Channel : 104 Channel 4
  • Program : Eddie Izzard: Dress to Kill
  • Episode :
  • Description : Eddie Izzard offers his comedic observations on everything from the history of Western culture to jihad.
  • Status : Not Recording