
Friday, March 24, 2006 

How do I scan my Linux system for rootkits, worms, trojans, etc.?

Either with chkrootkit or with rkhunter.

chkrootkit:

Either install the package that comes with your distribution (on Debian you would run

apt-get install chkrootkit

), or download the sources from www.chkrootkit.org and install manually:

wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

tar xvfz chkrootkit.tar.gz

cd chkrootkit-<version>/

make sense

Afterwards, you can move the chkrootkit directory somewhere else, e.g. /usr/local/chkrootkit:

cd ..

mv chkrootkit-<version>/ /usr/local/chkrootkit

Now you can run chkrootkit manually:

cd /usr/local/chkrootkit

./chkrootkit

(if you installed a chkrootkit package coming with your distribution, your chkrootkit might be somewhere else).

You can also run chkrootkit from a cron job and get the results emailed to you:

Run

crontab -e

to create a cron job like this:

0 3 * * * (cd /usr/local/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output my server" you@yourdomain.com)

That would run chkrootkit every night at 3:00 (the path must match wherever you moved the chkrootkit directory, /usr/local/chkrootkit in the steps above).

rkhunter:

Download the latest rkhunter sources from www.rootkit.nl:

wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz

tar xvfz rkhunter-1.2.7.tar.gz

cd rkhunter/

./installer.sh

This will install rkhunter to the directory /usr/local/rkhunter. Now run

rkhunter --update

to download the latest rootkit/trojan/worm signatures (you should do this regularly).

Now you can scan your system for malware by running

rkhunter -c

You can't fully rely on chkrootkit or rkhunter. They are mostly shell scripts (chkrootkit also ships a few small C helpers such as chkproc) running on the very host the intruder may already control, so they can be patched, and a kernel-level rootkit can simply lie to them. A scan run from a known-clean boot medium against the mounted disk is far more trustworthy, and at the very least the scanner's own files should be checked against hashes recorded at install time before each run. In fact, I've seen a patch that simply modified the output of chkrootkit from "INFECTED!" to "NOT INFECTED".

Anyway, it can't hurt to use them, but you really shouldn't rely on their output. I'd personally prefer chkrootkit, since I once had a rootkit installed (sucKIT) which was found by chkrootkit but not rkhunter. rkhunter claims to "support" sucKIT, but it doesn't, so who can know how many other rootkits are "supported" but not found? :)
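The following wrapper is an added example for the cron job described above and for the tampering caveat; it is not code from the original post or from the chkrootkit project. It records SHA-256 hashes of the chkrootkit install directory once, right after installation, refuses to run the scanner on any later night if a file was modified, removed or added, and mails only the lines that report a finding instead of the whole transcript. The install directory (/usr/local/chkrootkit, as in the steps above), the manifest path under /var/lib/rootkit-scan, the script name /usr/local/sbin/rootkit-scan.sh and the sample scanner output are assumptions; sha256sum with --strict is GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original post: a wrapper for the nightly cron
# job that (1) refuses to run chkrootkit if any file under its install
# directory no longer matches the checksums recorded right after install,
# and (2) passes on only the lines that report a finding. The install
# directory, the manifest path and the sample output below are assumptions.

SCANNER_DIR=/usr/local/chkrootkit                  # assumed: where the tutorial put it
MANIFEST=/var/lib/rootkit-scan/chkrootkit.sha256   # assumed: written once after install

# Record a SHA-256 of every file under the scanner directory. Run this once,
# immediately after "make sense", and keep a copy off the host (an intruder
# who can patch chkrootkit can also rewrite a manifest stored beside it).
record_manifest() {
    dir=$1; out=$2
    mkdir -p "$(dirname "$out")"
    ( cd "$dir" && find . -type f -exec sha256sum {} + ) | sort -k2 > "$out"
}

# Succeed only if every recorded file still has its recorded hash AND no
# file has been added: "sha256sum -c" alone ignores files that are not in
# the manifest, which is exactly where a dropped-in helper would hide.
verify_scanner() {
    dir=$1; manifest=$2
    [ -f "$manifest" ] || return 1
    ( cd "$dir" && sha256sum -c --quiet --strict "$manifest" ) >/dev/null 2>&1 || return 1
    current=$( cd "$dir" && find . -type f | sort )
    recorded=$(awk '{ print $2 }' "$manifest" | sort)
    [ "$current" = "$recorded" ]
}

# Keep only finding lines. chkrootkit answers clean checks with "not
# infected", "nothing found" or "nothing detected"; findings carry
# "INFECTED", "Warning", a sniffer report or a hidden-process report.
filter_findings() {
    grep -E 'INFECTED|Warning|PACKET SNIFFER|hidden' \
        | grep -v -i -E 'not infected|nothing found|nothing detected' || true
}

# Number of finding lines in the given scanner output (used by the demo).
count_findings() {
    printf '%s\n' "$1" | filter_findings | grep -c . || true
}

# What cron actually runs. A tampered scanner yields a tamper report rather
# than a reassuring empty scan.
nightly_scan() {
    if ! verify_scanner "$SCANNER_DIR" "$MANIFEST"; then
        echo "REFUSING TO SCAN: $SCANNER_DIR does not match $MANIFEST (tampered, or updated without re-recording)"
        return 2
    fi
    ( cd "$SCANNER_DIR" && ./chkrootkit 2>&1 ) | filter_findings
}

# Constructed sample of chkrootkit output (not real scan results), used to
# exercise filter_findings without running the scanner.
SAMPLE_OUTPUT="ROOTDIR is \`/'
Checking \`ls'... not infected
Checking \`ps'... INFECTED
Checking \`lkm'... chkproc: Warning: Possible LKM Trojan installed
Checking \`sniffer'... eth0: PACKET SNIFFER(/usr/sbin/dhcpd[2231])
Searching for suspicious files and dirs, it may take a while... nothing found
Checking \`bindshell'... not infected"

# Assumed crontab line, with the script saved as /usr/local/sbin/rootkit-scan.sh:
#   0 3 * * * /usr/local/sbin/rootkit-scan.sh run 2>&1 | mail -s "rootkit scan $(hostname)" you@yourdomain.com
# Without the "run" argument the script only demonstrates the filter on the sample.
if [ "${1:-}" = "run" ]; then
    nightly_scan
else
    echo "Findings in sample output: $(count_findings "$SAMPLE_OUTPUT")"
    printf '%s\n' "$SAMPLE_OUTPUT" | filter_findings
fi
```

Re-run record_manifest after every deliberate chkrootkit upgrade, otherwise the next night reports tampering, which is the intended failure mode: a silent skip would be indistinguishable from a clean scan. The manifest catches the kind of on-disk patch described above, but not a kernel rootkit feeding the unmodified scanner false answers, so it complements rather than replaces scanning from a clean boot medium.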

About me

  • I'm Adrian
  • From Manila, Philippines