In the same vein as my last post, here is a page on installing chkrootkit and Rootkit Hunter on CentOS / BlueQuartz.
A rootkit is the name given to a piece of software written to try to elevate someone's permissions to root level; it is commonly used by hackers/crackers/script kiddies to infect a system. There are many rootkit checkers, but we are going to install two of the most common, which are both free and open source. Some people prefer one over the other; I say, why not use both!
chkrootkit
The website is http://www.chkrootkit.org/ and the following is based on v0.47.

# Pick a location
cd /usr/local
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar zxvf chkrootkit.tar.gz
rm chkrootkit.tar.gz
# Fix the permissions
chown -R root:root chkrootkit-0.47
cd chkrootkit-0.47
make sense
# A quick tidy up
mkdir docs src
mv *.c Makefile src
mv READM* chkrootkit.lsm ACKNOWLEDGMENTS COPYRIGHT docs
./chkrootkit -q > good.output 2>&1
# CHECK THE good.output FILE IS OK AND HAS A KNOWN GOOD OUTPUT
touch current.output
touch /etc/cron.daily/chkrootkit
chmod 755 /etc/cron.daily/chkrootkit
vi /etc/cron.daily/chkrootkit

Place the following text in the file (the blank line after the Subject header is required, as sendmail -t uses it to separate headers from the body):

#!/bin/sh
SERVER=`hostname`
cd /usr/local/chkrootkit-0.47 || exit 1
rm -f current.output
./chkrootkit -q > current.output 2>&1
DIFF=`/usr/bin/diff current.output good.output`
ERRO=`/bin/cat current.output`
if [ "$DIFF" != "" ]
then
/usr/lib/sendmail -t << EOF
To: root
Subject: ${SERVER}: Chkrootkit Output

====> A diff between current and good output is:
$DIFF
====> The current output is:
$ERRO
EOF
fi
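One weakness of comparing against a baseline with a bare `diff` in backticks is that if good.output goes missing (or is empty because the first run failed), diff's error goes to stderr, the captured string is empty, and the cron job silently reports nothing. The helper below is an added example, not code from the original post or from the chkrootkit project, that keeps the post's report format but treats an unusable baseline or a missing current output as its own failure to report. The function name, the return codes and the sample output lines are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original post): baseline comparison in the style
# of the post's cron script, but loud about a missing or empty baseline.
# compare_with_baseline and its return codes are hypothetical names/values.

# compare_with_baseline BASELINE CURRENT
#   returns 0 when CURRENT matches BASELINE exactly,
#           1 when they differ (report printed to stdout),
#           2 when either file is unusable (also printed, so it gets mailed).
compare_with_baseline() {
    baseline="$1"
    current="$2"
    if [ ! -s "$baseline" ]; then
        echo "====> Baseline $baseline is missing or empty; cannot judge $current"
        return 2
    fi
    if [ ! -f "$current" ]; then
        echo "====> Current output $current is missing; did the scanner run?"
        return 2
    fi
    # The exit status of the assignment is diff's exit status:
    # 0 identical, 1 different, 2 trouble (reported as a difference here).
    if diff_out=$(diff "$baseline" "$current"); then
        return 0
    fi
    echo "====> A diff between current and good output is:"
    echo "$diff_out"
    echo "====> The current output is:"
    cat "$current"
    return 1
}

# Demo with constructed sample files; these lines are made up and are not
# real chkrootkit output.
demo() {
    tmp=$(mktemp -d)
    printf 'Checking ls... not infected\nChecking ps... not infected\n' > "$tmp/good.output"
    printf 'Checking ls... not infected\nChecking ps... INFECTED\n' > "$tmp/current.output"
    rc=0
    compare_with_baseline "$tmp/good.output" "$tmp/current.output" || rc=$?
    echo "exit status with a changed report: $rc"
    rc=0
    compare_with_baseline "$tmp/no-such-baseline" "$tmp/current.output" || rc=$?
    echo "exit status with a missing baseline: $rc"
    rm -rf "$tmp"
}

demo
```

In the cron job the function's output would be piped to sendmail or mail only when its return code is non-zero, so a missing baseline produces an e-mail instead of a quiet night.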
Rootkit Hunter
The website is http://www.rootkit.nl/projects/rootkit_hunter.html (also http://rkhunter.sourceforge.net/) and the following is based on v1.2.8.

# Use a working directory where you can execute code
cd /home/.tmp
wget http://downloads.rootkit.nl/rkhunter-1.2.8.tar.gz
tar zxvf rkhunter-1.2.8.tar.gz
cd rkhunter
./installer.sh
cd ..
rm -r rkhunter rkhunter-1.2.8.tar.gz
# Rootkit Hunter does however complain about the user root-admin.
# As far as I can tell there is no need for this user on BQ so I remove it.
userdel root-admin
touch /etc/cron.daily/rkhunter
chmod 755 /etc/cron.daily/rkhunter
vi /etc/cron.daily/rkhunter

Place the following text in the file:

#!/bin/sh
SERVER=`hostname`
OUTPUT=`/usr/local/bin/rkhunter --versioncheck`
EXITCODE=$?
if [ ${EXITCODE} -ne 0 ]
then
  echo "${OUTPUT}" | /bin/mail -s "${SERVER}: Rootkit Hunter Output" root
fi
OUTPUT=`/usr/local/bin/rkhunter --update`
EXITCODE=$?
if [ ${EXITCODE} -ne 0 ]
then
  echo "${OUTPUT}" | /bin/mail -s "${SERVER}: Rootkit Hunter Output" root
fi
OUTPUT=`/usr/local/bin/rkhunter --cronjob --report-warnings-only`
EXITCODE=$?
if [ ${EXITCODE} -ne 0 ]
then
  echo "${OUTPUT}" | /bin/mail -s "${SERVER}: Rootkit Hunter Output" root
fi
I hope this is of help to people.