How-To: ChkRootKit


MQ-James
12-15-2004, 16:40
chkrootkit is a tool to locally check for signs of a rootkit. It contains:

* chkrootkit: shell script that checks system binaries for rootkit modification. The following tests are made:

o aliens asp bindshell lkm rexedcs sniffer wted w55808 scalper slapper z2 amd basename biff chfn chsh cron date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf init identd killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write

* ifpromisc.c: checks if the interface is in promiscuous mode.
* chklastlog.c: checks for lastlog deletions.
* chkwtmp.c: checks for wtmp deletions.
* check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
* chkproc.c: checks for signs of LKM trojans.
* chkdirs.c: checks for signs of LKM trojans.
* strings.c: quick and dirty strings replacement.


Log in to your server as root and perform the following commands:

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar -zxf chkrootkit.tar.gz
cd chkrootkit-*
./chkrootkit

This will perform a scan. If you want to do this at a set interval, you can use a cron job. To have it email you daily, do this:

pico /etc/cron.daily/chkrootkit

then in that file put:

#!/bin/bash
/path/to/chkrootkit/chkrootkit -q | mail -s "Daily chkrootkit Output" your@yourdomain
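A slightly more useful cron.daily wrapper, added here as an example (it is not from the original post or from the chkrootkit project): it keeps the previous report and mails only when the report contains findings or differs from the last run, so the daily mail does not turn into noise that nobody reads. The install path, state directory, recipient and the grep pattern for "interesting" lines are assumptions; adjust them for your host.

```shell
#!/bin/bash
# Added example: daily chkrootkit wrapper that mails only on findings or change.
# Assumed (placeholder) locations; override with environment variables.
set -u

CHKROOTKIT="${CHKROOTKIT:-/usr/local/chkrootkit/chkrootkit}"   # assumed install path
STATE_DIR="${STATE_DIR:-/var/lib/chkrootkit}"                   # assumed state directory
MAILTO="${MAILTO:-root}"                                        # assumed recipient

# Print the lines of a chkrootkit report (read from stdin) that signal a possible
# problem. Exit status 0 if at least one such line exists, 1 if the report is clean.
# The tokens are an assumption based on chkrootkit's usual wording.
findings() {
    grep -E 'INFECTED|Warning|Possible|PROMISC|PACKET SNIFFER'
}

# Exit status 0 if the report file $2 differs from the baseline $1, 1 if identical.
# A missing baseline (first run) counts as a change so the first report is mailed.
report_changed() {
    [ -f "$1" ] || return 0
    ! cmp -s "$1" "$2"
}

run_scan() {
    mkdir -p "$STATE_DIR"
    new="$STATE_DIR/report.$$"
    old="$STATE_DIR/last-report.txt"
    # -q is chkrootkit's quiet mode (only findings are printed); sorting keeps
    # harmless ordering differences from making every run look like a change.
    "$CHKROOTKIT" -q 2>&1 | sort > "$new"
    if findings < "$new" > /dev/null || report_changed "$old" "$new"; then
        mail -s "chkrootkit report on $(hostname)" "$MAILTO" < "$new"
    fi
    mv "$new" "$old"
}

if [ -x "$CHKROOTKIT" ]; then
    run_scan
else
    echo "chkrootkit not found at $CHKROOTKIT; set CHKROOTKIT to its path" >&2
fi
```

Save it as /etc/cron.daily/chkrootkit and make it executable (chmod 755), since run-parts skips files without the execute bit; chkrootkit is also known for false positives on some distributions, so expect to tune the pattern after the first few reports.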