HOWTO (BETA): chkrootkit install & cron

interfasys

<DISCLAIMER>
Use at own risk. I am not a sysadmin. I take no responsibility if anything goes wrong.
</DISCLAIMER>

This sums up some info I have been gathering about chkrootkit.

This is a beta. I'll improve it based on comments made in this thread.

PART I : Set it up
------------------
As root, type the following:
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
# md5sum -c chkrootkit.md5

Unpack.
# tar -zxvf chkrootkit.tar.gz

Jump in dir.
# cd chkrootkit*

Compile the tools.
# make sense

PART II : Run the applications
------------------------------
Check that the Ethernet interfaces are not in promiscuous mode.
It must return "eth0 is not promisc", etc.
# ./ifpromisc

Make sure there are no hidden processes or LKM trojans on the system.
# ./chkproc

Test the system.
It must return many 'not found', 'not infected', 'nothing deleted', etc.
# ./chkrootkit

PART III : Clean up
-------------------
Jump out
# cd ..

Remove the archive.
# rm -f chkrootkit.tar.gz

PART IV : Set up a daily checker
--------------------------------
Create the file to be run daily.
# pico -w /etc/cron.daily/chkrootkit.sh

Type the following in it:
#!/bin/bash
# Abort if the directory cannot be entered, instead of running the tools from the wrong place.
cd /path/to/chkrootkit*/ || exit 1
./ifpromisc | mail -s "ifpromisc output" [email protected]
./chkproc | mail -s "chkproc output" [email protected]
./chkrootkit -q | mail -s "chkrootkit output" [email protected]

Type ctrl+x to exit.

Make it runnable.
# chmod 755 /etc/cron.daily/chkrootkit.sh

PART V : Set up a monthly updater (optional)
-------------------------------------------
Create the file to be run monthly.
This can be dangerous if there is an error inside.
Use at own risk.
# pico -w /etc/cron.monthly/chkrootkit.sh

Type the following in it:
#!/bin/bash
# Stop at the first failing command rather than continue with a half-done update.
set -e
cd /path/that/contains/rootkitfolder/
# Keep the previous copy under an OLD- prefix, so that "chkrootkit*" below
# only ever matches the freshly unpacked directory (a chkrootkit-OLD name
# would also match it and make "cd chkrootkit*" fail with too many arguments).
rm -Rf OLD-chkrootkit OLD-chkrootkit.md5
mv -f chkrootkit*/ OLD-chkrootkit
mv -f chkrootkit.md5 OLD-chkrootkit.md5
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
# Mail the checksum result, and refuse to unpack the archive if it does not match.
md5sum -c chkrootkit.md5 > md5check.log 2>&1 || md5_failed=1
mail -s "chkrootkit MD5 check" [email protected] < md5check.log
[ -z "$md5_failed" ] || exit 1
tar -zxvf chkrootkit.tar.gz
rm -f chkrootkit.tar.gz
cd chkrootkit*/
make sense

Type ctrl+x to exit.

Make it runnable.
# chmod 755 /etc/cron.monthly/chkrootkit.sh

PART VI : Test the crons
------------------------
# /etc/cron.daily/chkrootkit.sh
# /etc/cron.monthly/chkrootkit.sh

You should get emails.
 
I've been trying to do this for a while, but I usually get about 3 or 4 mails per day from the server. Isn't it possible to modify it so that it only sends a mail when something is wrong?

I'll try this somewhere today. At the moment I'm not on a stable connection, so I'm not gonna do anything until my connection is stable and secured :)
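One way to get the daily checker from PART IV to mail only when something is wrong, as asked above. This is an added example and not a script from the thread; the chkrootkit directory and the recipient are placeholders to edit, and a tool that is missing or exits with an error is reported too, so a broken install never passes for a clean one.

```shell
#!/bin/bash
# Daily wrapper for the three chkrootkit tools that sends one mail only when a
# tool reports something or cannot be run. Added example, not code from the
# thread; the directory and recipient below are placeholders to edit.
CHKROOTKIT_DIR="/path/to/chkrootkit"   # placeholder: where "make sense" was run
MAILTO="root"                          # placeholder: alert recipient
nl='
'

# Print only the output lines that deserve attention. ifpromisc prints one line
# per interface and "not promisc" lines are clean; chkproc and "chkrootkit -q"
# print nothing on a clean system, so any non-blank line from them is a finding.
# "|| true" keeps an empty result from tripping set -e.
suspicious_lines() {
    case "$1" in
        ifpromisc) printf '%s\n' "$2" | grep -v '^$' | grep -vi 'not promisc' || true ;;
        *)         printf '%s\n' "$2" | grep -v '^$' || true ;;
    esac
}

# Run each tool from the chkrootkit directory and print the combined findings
# (empty when everything is clean). A missing tool or a non-zero exit is itself
# a finding, so a broken install does not silently look clean.
collect_findings() {
    dir=$1; findings=""
    for tool in ifpromisc chkproc chkrootkit; do
        if [ ! -x "$dir/$tool" ]; then
            findings="$findings$tool: not executable in $dir$nl"
            continue
        fi
        args=""; if [ "$tool" = chkrootkit ]; then args="-q"; fi
        if ! out=$(cd "$dir" && "./$tool" $args 2>&1); then
            findings="$findings$tool: exited with an error$nl"
        fi
        lines=$(suspicious_lines "$tool" "$out")
        if [ -n "$lines" ]; then
            findings="$findings== $tool ==$nl$lines$nl"
        fi
    done
    printf '%s' "$findings"
}

# Only run the checks when the directory exists; otherwise the functions above
# are just defined, which is what makes the script testable stand-alone.
if [ -d "$CHKROOTKIT_DIR" ]; then
    report=$(collect_findings "$CHKROOTKIT_DIR")
    if [ -n "$report" ]; then
        printf '%s' "$report" | mail -s "chkrootkit findings on $(hostname)" "$MAILTO"
    fi
fi
```

Drop it in /etc/cron.daily in place of the mailing script from PART IV; a clean day then produces no mail at all.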
 
It also might not be a bad idea to set things immutable and append only. It won't stop a hack, but it certainly slows and sometimes stops the script kiddies that don't know about those options :D
 
Seems all is clear per the ./chkrootkit command, no warnings, nothing found, but the 1st command (./chkproc) revealed this:
  You have 5 process hidden for readdir command
  You have 5 process hidden for ps command
Did some googling, but all I found was people posting the same type of info, and nothing as to what its meaning was.
How do I find what readdir and ps processes are hidden? And if any danger exists.....
Andy
 