interfasys
Verified User
<DISCLAIMER>
Use at own risk. I am not a sysadmin. I take no responsibilities if anything wrong happens.
</DISCLAIMER>
This sums up some info I have been gathering about chkrootkit.
This is a beta. I'll improve it based on comments made in this thread.
PART I : Set it up
------------------
As root, type the following:
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
# md5sum -c chkrootkit.md5
Unpack.
# tar -zxvf chkrootkit.tar.gz
Jump in dir.
# cd chkrootkit*
Compile the tools.
# make sense
PART II : Run the applications
------------------------------
Check that the Ethernet interfaces are not in promiscuous mode.
Must return: eth0 is not promisc, etc.
# ./ifpromisc
Make sure there are no hidden processes or LKM trojans on the system.
# ./chkproc
Test the system.
Must return many 'not found', 'not infected', 'nothing deleted', etc.
# ./chkrootkit
PART III : Clean up
-------------------
Jump out.
# cd ..
Remove the archive.
# rm -f chkrootkit.tar.gz
PART IV : Setup a daily checker
--------------------------------
Create the file to be run daily.
# pico -w /etc/cron.daily/chkrootkit.sh
Type the following in it:
#!/bin/bash
# Stop if the chkrootkit directory is missing instead of running the tools from the wrong place.
cd /path/to/chkrootkit*/ || exit 1
./ifpromisc | mail -s "ifpromisc output" [email protected]
./chkproc | mail -s "chkproc output" [email protected]
# -q (quiet) prints only findings, so an empty mail body means a clean run.
./chkrootkit -q | mail -s "chkrootkit output" [email protected]
Type ctrl+x to exit.
Make it runnable.
# chmod 755 /etc/cron.daily/chkrootkit.sh
PART V : Setup a monthly updater (optional)
-------------------------------------------
Create the file to be run monthly.
This can be dangerous if there is an error inside.
Use at own risk.
# pico -w /etc/cron.monthly/chkrootkit.sh
Type the following in it:
#!/bin/bash
cd /path/that/contains/rootkitfolder/ || exit 1
rm -Rf chkrootkit-OLD
rm -f chkrootkit.md5-OLD
mv -f chkrootkit*/ chkrootkit-OLD
mv -f chkrootkit.md5 chkrootkit.md5-OLD
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz || exit 1
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5 || exit 1
# Keep the checksum result so it can be both mailed and acted on:
# never unpack and build an archive that failed verification.
md5sum -c chkrootkit.md5 > md5check.log 2>&1
status=$?
mail -s "chkrootkit MD5 check" [email protected] < md5check.log
[ $status -eq 0 ] || exit 1
tar -zxvf chkrootkit.tar.gz
rm -f chkrootkit.tar.gz
cd chkrootkit* || exit 1
make sense
Type ctrl+x to exit.
Make it runnable.
# chmod 755 /etc/cron.monthly/chkrootkit.sh
PART VI : Test the crons
------------------------
# /etc/cron.daily/chkrootkit.sh
# /etc/cron.monthly/chkrootkit.sh
You should get emails.
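An added example for this thread, not code from the original post or from the chkrootkit project: a wrapper that fixes the two things in the posted cron scripts a reviewer would flag. The monthly updater pipes `md5sum -c` into `mail`, so a failed checksum is reported but the archive is unpacked and built as root anyway; and the daily checker mails the full output every day, so a new finding is easy to miss among the usual lines. `CHKROOTKIT_DIR`, `BASELINE`, `MAILTO` and the `run` argument are assumptions of this example, not part of chkrootkit.

```bash
#!/bin/bash
# Added example for this thread, not code from the original post or from the
# chkrootkit project. CHKROOTKIT_DIR, BASELINE and MAILTO are assumed
# placeholders; adjust them for your system.

CHKROOTKIT_DIR=${CHKROOTKIT_DIR:-/path/to/chkrootkit}     # assumed install directory
BASELINE=${BASELINE:-/etc/chkrootkit.baseline}            # assumed: lines already reviewed as benign
MAILTO=${MAILTO:-root}

# verify_tarball TARBALL MD5FILE
# Fail closed: 0 only if the archive's MD5 equals the hash in MD5FILE,
# 1 on mismatch, 2 if a file is missing or no hash can be read.
# The hash is taken as the first 32-hex-digit token, so both the GNU
# ("<hash>  <file>") and BSD ("MD5 (<file>) = <hash>") layouts are accepted.
verify_tarball() {
    local tarball=$1 md5file=$2 expected actual
    [ -f "$tarball" ] && [ -f "$md5file" ] || return 2
    expected=$(grep -oiE '[0-9a-f]{32}' "$md5file" | head -n 1 | tr 'A-F' 'a-f')
    [ -n "$expected" ] || return 2
    actual=$(md5sum "$tarball" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# new_findings FINDINGS BASELINE
# Print the lines of FINDINGS (e.g. saved `chkrootkit -q` output) that do not
# appear verbatim in BASELINE; blank lines are ignored.
# Returns 0 when nothing new was found, 1 when it printed new lines, 2 on error.
new_findings() {
    local findings=$1 baseline=$2 out
    [ -f "$findings" ] || return 2
    if [ -s "$baseline" ]; then
        # -x: whole-line match, -F: fixed strings, -v: keep the non-matching lines
        out=$(grep -vxF -f "$baseline" "$findings" | sed '/^[[:space:]]*$/d')
    else
        out=$(sed '/^[[:space:]]*$/d' "$findings")
    fi
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# daily_check: the cron entry point. Runs chkrootkit in quiet mode (only
# findings are printed, so an empty result means a clean run) and mails only
# the lines that are not already in the reviewed baseline.
daily_check() {
    local tmp new rc=0
    tmp=$(mktemp) || return 2
    # chkrootkit may exit non-zero when it reports something; keep going and
    # let new_findings decide whether that is worth a mail.
    (cd "$CHKROOTKIT_DIR" && ./chkrootkit -q) >"$tmp" 2>&1 || true
    if ! new=$(new_findings "$tmp" "$BASELINE"); then
        printf '%s\n' "$new" | mail -s "chkrootkit: new findings on $(uname -n)" "$MAILTO"
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Run the daily check only when invoked with the argument `run`, so the file
# can also be sourced for its functions (e.g. by the monthly updater).
if [ "${1:-}" = "run" ]; then
    daily_check
fi
```

To use it in the monthly updater, source the file and put `verify_tarball chkrootkit.tar.gz chkrootkit.md5 || exit 1` before the `tar` line; in the daily cron job, call the script with `run`. Start with an empty baseline, and after you have reviewed a line and decided it is benign for this host, copy it verbatim into the baseline file so it stops being mailed. Two caveats: the checksum file comes from the same server over the same unauthenticated FTP channel as the archive, and MD5 is no longer collision-resistant, so this check catches a corrupt or truncated download but not a compromised mirror or a tampered transfer. And chkrootkit relies on the system's own binaries and kernel interfaces, so on a host that is already rooted its clean report cannot be trusted; compare against an offline scan or a known-good medium when a compromise is suspected.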