Checking for Rootkits

In the same vein as my last post, here is a page on installing chkrootkit and Rootkit Hunter on CentOS / BlueQuartz.

A rootkit is software an intruder installs on a system they have already broken into, in order to keep root-level access and hide their presence: it typically replaces or hooks system binaries, libraries or kernel functions so that the attacker's processes, files and network connections stay out of sight. It is commonly used by hackers/crackers/script kiddies to keep hold of an infected system. Rootkit checkers look for those modifications and for the signatures of known rootkits. There are many of them; we are going to install two of the most common, which are both free and open source. Some people prefer one over the other; I say, why not use both! Bear in mind that both run as ordinary programs on the very host they are checking, so a rootkit that has already subverted the kernel or the utilities they call (ps, ls, netstat and so on) can lie to them: a clean result is evidence, not proof, and a baseline taken on a machine that was already compromised is worthless.

chkrootkit

The website is http://www.chkrootkit.org/ and the following is based on v0.47. Note that both archives in this post are fetched over plain FTP/HTTP, which gives no assurance that the file is the one the project published, so compare the download against a checksum or signature published by the project before building and running it as root.

# Pick a location
cd /usr/local
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar zxvf chkrootkit.tar.gz
rm chkrootkit.tar.gz
# Fix the permissions
chown -R root:root chkrootkit-0.47
cd chkrootkit-0.47
make sense
# A quick tidy up
mkdir docs src
mv *.c Makefile src
mv READM* chkrootkit.lsm ACKNOWLEDGMENTS COPYRIGHT docs
./chkrootkit -q > good.output 2>&1
# CHECK THE good.output FILE BY HAND BEFORE GOING ANY FURTHER.
# It is the baseline every later run is compared against, so it is only
# worth anything if this system is known to be clean right now (ideally a
# fresh install); a false positive you have verified can stay in it.
touch current.output
touch /etc/cron.daily/chkrootkit
chmod 755 /etc/cron.daily/chkrootkit
vi /etc/cron.daily/chkrootkit
# Place the following text in the file...

#!/bin/sh
# Daily chkrootkit run: compare today's output with the known-good baseline
# taken at install time and mail root only when something has changed.
SERVER=$(hostname)
cd /usr/local/chkrootkit-0.47 || exit 1
rm -f current.output
./chkrootkit -q > current.output 2>&1
DIFF=$(/usr/bin/diff current.output good.output)
ERRO=$(/bin/cat current.output)
if [ -n "$DIFF" ]
then
    # The blank line after the headers is required: without it sendmail -t
    # would read the first body line as a (malformed) header.
    /usr/lib/sendmail -t << EOF
To: root
Subject: ${SERVER}: Chkrootkit Output

====> A diff between current and good output is:
$DIFF
====> The current output is:
$ERRO
EOF
fi

Rootkit Hunter

The websites are http://www.rootkit.nl/projects/rootkit_hunter.html and http://rkhunter.sourceforge.net/, and the following is based on v1.2.8

# Use a working directory where you can execute code
cd /home/.tmp
wget http://downloads.rootkit.nl/rkhunter-1.2.8.tar.gz
tar zxvf rkhunter-1.2.8.tar.gz
cd rkhunter
./installer.sh
cd ..
rm -r rkhunter rkhunter-1.2.8.tar.gz
# Rootkit Hunter does however complain about the user root-admin.
# As far as I can tell there is no need for this user on BQ so I remove it.
userdel root-admin
touch /etc/cron.daily/rkhunter
chmod 755 /etc/cron.daily/rkhunter
vi /etc/cron.daily/rkhunter
# Place the following text in the file...

#!/bin/sh
# Daily Rootkit Hunter run: version check, database update, then the scan.
# Each step mails root only when it exits non-zero, so a quiet day sends nothing.
SERVER=$(hostname)
RKHUNTER=/usr/local/bin/rkhunter

# Run the given command, capturing stdout and stderr; mail root if it fails.
mail_if_failed() {
    OUTPUT=$("$@" 2>&1)
    EXITCODE=$?
    if [ "${EXITCODE}" -ne 0 ]
    then
        echo "${OUTPUT}" | /bin/mail -s "${SERVER}: Rootkit Hunter Output" root
    fi
}

mail_if_failed "${RKHUNTER}" --versioncheck
mail_if_failed "${RKHUNTER}" --update
mail_if_failed "${RKHUNTER}" --cronjob --report-warnings-only
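The two cron jobs above share one idea: run the checker unattended, compare against what you expect, and mail root only on a deviation. As an added example (not code from the original post or from either project), here is that logic as two POSIX sh functions that can be exercised offline with constructed output. It generalizes the chkrootkit job in two ways a practitioner wants: a missing or unreadable baseline raises an alert instead of silently passing, and, as in the rkhunter job, a non-zero exit status from the checker is reported even when the output happens to match the baseline. The function names, the mktemp working files and the sample output lines are assumptions; the sample lines only imitate chkrootkit's style and are not real chkrootkit output.

```shell
#!/bin/sh
# Added example, not code from the original post: the "compare against a
# known-good baseline, mail root on any change" pattern of the chkrootkit
# cron job and the "mail root on a non-zero exit" pattern of the rkhunter
# cron job, combined into two reusable POSIX sh functions.
# Assumptions: diff(1), mktemp(1) and uname(1) are available; the CHECKER
# argument stands in for "./chkrootkit -q" or "rkhunter --cronjob".

# compare_with_baseline GOOD CURRENT REPORT
#   Writes a unified diff of GOOD and CURRENT to REPORT. Exit status follows
#   diff(1): 0 identical, 1 differences, 2 trouble. An unreadable baseline
#   counts as trouble, never as "nothing changed", so a deleted or
#   overwritten good.output cannot silence the check.
compare_with_baseline() {
    good=$1 current=$2 report=$3
    if [ ! -r "$good" ]; then
        printf 'baseline %s is missing or unreadable\n' "$good" >"$report"
        return 2
    fi
    diff -u "$good" "$current" >"$report" 2>&1
}

# daily_check CHECKER GOOD MAILBODY
#   Runs CHECKER (a shell command string), compares its combined stdout and
#   stderr with GOOD and, when anything needs attention, writes a ready-to-send
#   message (headers, blank line, body) to MAILBODY. Returns 0 when there is
#   nothing to send and 1 otherwise. Two things trigger a message: the output
#   differs from the baseline, or the checker itself exits non-zero.
daily_check() {
    checker=$1 baseline=$2 mailbody=$3
    out=$(mktemp) || return 1
    diffout=$(mktemp) || { rm -f "$out"; return 1; }
    checker_rc=0
    sh -c "$checker" >"$out" 2>&1 || checker_rc=$?
    diff_rc=0
    compare_with_baseline "$baseline" "$out" "$diffout" || diff_rc=$?
    if [ "$checker_rc" -eq 0 ] && [ "$diff_rc" -eq 0 ]; then
        rm -f "$out" "$diffout"
        return 0
    fi
    {
        printf 'To: root\n'
        # uname -n gives the same value as hostname(1)
        printf 'Subject: %s: rootkit check needs attention\n\n' "$(uname -n)"
        printf 'checker exit status: %s, diff exit status: %s\n' "$checker_rc" "$diff_rc"
        printf '====> Diff between known good and current output:\n'
        cat "$diffout"
        printf '====> Current output:\n'
        cat "$out"
    } >"$mailbody"
    rm -f "$out" "$diffout"
    return 1
}

# Stand-alone demonstration with constructed sample output (imitating
# chkrootkit's style, not real output): a baseline holding one benign,
# previously verified finding, then a run that adds a new line. In a real
# cron job the message file would be piped to "sendmail -t".
demo=$(mktemp -d)
printf 'eth0: PACKET SNIFFER(/usr/sbin/dhcpd[1234])\n' >"$demo/good.output"
daily_check "printf 'eth0: PACKET SNIFFER(/usr/sbin/dhcpd[1234])\nINFECTED (PORTS: 465)\n'" \
    "$demo/good.output" "$demo/mail.txt" || cat "$demo/mail.txt"
rm -rf "$demo"
```

To use it in place of the chkrootkit job, call `daily_check "/usr/local/chkrootkit-0.47/chkrootkit -q" /usr/local/chkrootkit-0.47/good.output /tmp/mail.$$` and pipe the message file to `/usr/lib/sendmail -t` when the function returns 1; the baseline file itself should be owned by root and not writable by anyone else, since whoever can edit it can hide a finding.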

I hope this is of help to people.
