How do I scan my Linux system for rootkits, worms, trojans, etc.?
Either with chkrootkit or with rkhunter.
chkrootkit:
Either install the package that comes with your distribution, e.g. on Debian:
apt-get install chkrootkit
or download the sources from www.chkrootkit.org and install manually:
wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvfz chkrootkit.tar.gz
cd chkrootkit-
make sense
Afterwards, you can move the chkrootkit directory somewhere else, e.g. /usr/local/chkrootkit:
cd ..
mv chkrootkit-
Now you can run chkrootkit manually:
cd /usr/local/chkrootkit
./chkrootkit
(If you installed your distribution's chkrootkit package, the script may be installed somewhere else.)
You can also run chkrootkit from a cron job and have the results emailed to you:
Run
crontab -e
to create a cron job like this:
0 3 * * * (cd /usr/local/chkrootkit-
That would run chkrootkit every night at 3:00.
rkhunter:
Download the latest rkhunter sources from www.rootkit.nl:
wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
tar xvfz rkhunter-1.2.7.tar.gz
cd rkhunter/
./installer.sh
This will install rkhunter to the directory /usr/local/rkhunter. Now run
rkhunter --update
to download the latest rootkit/trojan/worm signatures (you should do this regularly).
Now you can scan your system for malware by running
rkhunter -c
You can't rely on chkrootkit and rkhunter. They're only shell scripts that can be easily patched by an intruder. In fact, I've seen a patch that simply modified the output of chkrootkit from "INFECTED!" to "NOT INFECTED".
Anyway, it can't be wrong to use them, but you really shouldn't rely on their output. I'd personally prefer chkrootkit, since I once had a rootkit installed (sucKIT) which was found by chkrootkit but not rkhunter. rkhunter claims to "support" sucKIT, but it doesn't, so who can know how many other rootkits are "supported" but not found? :)
Posted by shell-monkey | 8:37 PM
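The cron job above runs chkrootkit unattended, and the comment points out that the scanner script itself can be patched. The wrapper below is an added example, not code from the original post or from chkrootkit/rkhunter: it records a SHA-256 of the scanner at install time and refuses to run it once the checksum no longer matches, so a modified tool shows up in the cron mail as a refusal instead of as a clean report. All paths are placeholders, and the scanner that demo() builds is a constructed stand-in for chkrootkit.

```sh
#!/bin/sh
# Added example, not code from the original post or from chkrootkit/rkhunter: a cron
# wrapper that records a SHA-256 of the scanner script at install time and refuses to
# run it once the checksum no longer matches, so a patched chkrootkit is reported rather
# than trusted. Paths are placeholders; the scanner built in demo() is a constructed stand-in.

# digest FILE  ->  hex SHA-256 of FILE (shasum fallback where sha256sum is missing)
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}
# verify_tool FILE EXPECTED  ->  exit 0 when FILE still matches the recorded digest
verify_tool() {
    [ "$(digest "$1")" = "$2" ]
}
# scan_if_intact SCANNER EXPECTED [ARGS...]  ->  runs SCANNER only when it is intact;
# exit status 2 means "refused: tool modified", which should stand out in the cron mail
scan_if_intact() {
    tool=$1; want=$2; shift 2
    if ! verify_tool "$tool" "$want"; then
        echo "REFUSED: $tool does not match its recorded checksum" >&2
        return 2
    fi
    "$tool" "$@"
}
# count_infected OUTPUT_FILE  ->  number of result lines flagged INFECTED
# (chkrootkit prints clean results as lowercase "not infected", which does not match)
count_infected() {
    n=$(grep -c 'INFECTED' "$1" || true)   # grep -c exits 1 when the count is 0
    echo "$n"
}
# demo: constructed stand-in scanner; an intact run, then the refusal after the script
# has been edited (the "INFECTED" -> "NOT INFECTED" patch would trip it the same way)
demo() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "Checking ls... not infected"\necho "Checking ps... INFECTED"\n' > "$dir/scan"
    chmod +x "$dir/scan"
    good=$(digest "$dir/scan")   # record once; keep it off the host or on read-only media
    scan_if_intact "$dir/scan" "$good" > "$dir/out"
    echo "intact run: $(count_infected "$dir/out") INFECTED line(s)"
    echo 'echo patched' >> "$dir/scan"   # simulate the intruder's edit
    scan_if_intact "$dir/scan" "$good" > /dev/null || echo "wrapper exit status: $?"
    rm -rf "$dir"
}
demo
```

The recorded digest only helps if the intruder cannot edit it too, so keep it off the host or on read-only media and compare it from there.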