Scanning for rootkits with chkrootkit
Defence in depth is one of the basic tenets of server administration. Up-to-date, securely configured installations, firewalls, limiting SSH access and strong passwords are the front line.
But what about 'inside' the server? One method of monitoring the content of a server is to scan for rootkits on a regular basis.
Perhaps I should clarify what I mean by defence. Scanning for rootkits will not stop them; it is a passive, detective measure rather than an active one.
By that I mean that if your server has been compromised, a scan will not remove the rootkit and, to be blunt, there is not a lot you can do about it. By all means have a go, but the general consensus is that once a server has been compromised you start again from a fresh install.
Blimey! That seems dramatic. Well, yes it does, and I don't have the space to go into everything here, but if someone has got past your defences and placed a rootkit (as an example) on your server then you have little choice but to start again.
This article is about the scanning mechanism rather than how something may have entered your system. It is about checking the validity of the server content.
Scanning is easily done and can be automated so you spend less time with mundane and repetitive administration tasks.
We're going to install chkrootkit from source. It is available from most repositories, but fetching the source and verifying its checksum against an independently hosted copy lets us confirm that the scanner itself has not been tampered with (it has been known to happen!).
I hope I'm not projecting paranoia here but rather instilling sensible procedures in your server administration journey.
Let's go. Log into your VPS and navigate to your sources directory:
cd ~/sources
Fetch the latest chkrootkit version:
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
To check that the file you have is the same file the chkrootkit developers intended you to have, compare its MD5 checksum with the published value. Note that MD5 here is a checksum, not a signature: it tells you the bytes match what the publisher recorded, nothing more. Enter:
md5sum chkrootkit.tar.gz
This prints a hash that is unique to the downloaded file. Compare it with the published checksum, which you should fetch from a mirror website rather than from the server that served the tarball (see the note below):
wget http://abcdelasecurite.free.fr/chkrootkit.org/download/chkrootkit.md5
Note: Ron made a good comment about not downloading the original MD5 sum from the same server as the main file. This makes a great deal of sense: if that server had been compromised, the attacker would hardly have forgotten to adjust the checksum file to match the tampered tarball.
If the two hashes do not match, the download is either corrupted or compromised; either way, do not unpack it. As you download more and more source code you will notice that most projects publish an MD5 or other checksum for exactly this integrity check, and some sign their releases with GPG as well, which is a stronger guarantee because a signature cannot be regenerated by whoever controls the download server.
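The comparison step carried through, as an added example that is not part of the original article: a small POSIX shell script that checks a tarball against a checksum file in md5sum's own "hash  filename" format (the format `md5sum chkrootkit.tar.gz > chkrootkit.md5` writes), and a second helper for comparing a bare hash copied from a mirror page. The tarball and checksum file it works on are constructed in a temporary directory so the script runs offline; on your server you would point it at chkrootkit.tar.gz and the mirror's chkrootkit.md5 instead.

```sh
#!/bin/sh
# Added example (not from the original article): verifying a downloaded tarball
# against a checksum obtained from a second, independent source. The tarball
# and the checksum file below are constructed stand-ins so the demo runs offline.

# hash_of FILE: print just the MD5 hex digest, for comparing by eye or in a test.
hash_of() {
    md5sum "$1" | cut -d' ' -f1
}

# hashes_match FILE EXPECTED_HASH: 0 when FILE's digest equals EXPECTED_HASH.
# Use this when the mirror publishes only the bare hash rather than an md5sum file.
hashes_match() {
    [ "$(hash_of "$1")" = "$2" ]
}

# verify_download DIR CHECKSUM_FILE: 0 when every entry in CHECKSUM_FILE matches.
#   CHECKSUM_FILE is assumed to be in md5sum's "<hash>  <filename>" format and
#   to live in DIR alongside the file it names.
verify_download() {
    # md5sum -c resolves the filename recorded in the checksum file relative
    # to the current directory, so run it from DIR. --quiet prints failures only.
    (cd "$1" && md5sum -c --quiet "$2")
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Constructed stand-in for chkrootkit.tar.gz; the content is irrelevant, the hash is what we check.
printf 'constructed tarball contents\n' > "$demo_dir/chkrootkit.tar.gz"

# Constructed stand-in for the checksum file fetched from an independent mirror.
(cd "$demo_dir" && md5sum chkrootkit.tar.gz > chkrootkit.md5)

if verify_download "$demo_dir" chkrootkit.md5; then
    echo "download matches the published checksum: $(hash_of "$demo_dir/chkrootkit.tar.gz")"
fi

# Simulate a tampered or truncated download: one extra byte changes the digest.
printf 'x' >> "$demo_dir/chkrootkit.tar.gz"
if ! verify_download "$demo_dir" chkrootkit.md5; then
    echo "MISMATCH: do not unpack this file"
fi
```

A mismatch makes md5sum print "chkrootkit.tar.gz: FAILED" and exit non-zero, so the same function can gate an automated fetch. Remember that a matching hash only proves you received what the checksum's publisher recorded; an attacker who controls both the tarball and the checksum file can make them agree, which is why the checksum has to come from a different host.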
Unpack the download and move into the new directory:
tar xvfz chkrootkit.tar.gz
cd chkrootkit-0.47
Note that in this example I have downloaded and unpacked version 0.47. The directory name will follow whatever version you fetched; the download link above always points at the latest release, so make sure you have at least that version.
Now compile the C helper programs that chkrootkit uses (chkproc among them), which takes about a second:
make sense
You can keep the folder in your sources directory or move the whole thing elsewhere more convenient for you. In this example, I will keep it in the sources directory.
To run chkrootkit, give the command with sudo, as it needs root to read everything it inspects:
sudo ./chkrootkit
Each check is displayed as it runs and the output scrolls past quickly. A check that finds something prints INFECTED or a Warning line rather than a quiet 'not infected'. A warning would look similar to this:
Warning: Possible Showtee Rootkit installed
/usr/include/file.h /usr/include/proc.h
You have 9 process hidden for readdir command
You have 11 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
As already said and as recommended: if you are infected, you need to reinstall from a fresh image. Two caveats before you wipe anything, though. First, the hidden-process counts from chkproc come from comparing /proc against the output of ps, so processes that start or exit during the check can be miscounted; re-run the scan on a quiet system before treating that warning as proof. Second, chkrootkit relies on the system's own ps, ls, netstat and friends, which a rootkit may have replaced; it accepts -p to point at trusted copies of those binaries (for example on read-only media) and -r to scan a disk mounted from a rescue system, and a scan run that way is worth more than one run from inside the suspect system.
Naturally, all this can be automated with a cron job. As the procedure needs to be run as root, enter the root crontab configuration:
sudo crontab -e
The recommended method (from the chkrootkit website), using the sources directory from this example, is as follows:
0 3 * * * (cd /home/paul/sources/chkrootkit-0.47; ./chkrootkit 2>&1 | mail -s "chkrootkit output" admin@yourdomain.com)
That will run the scan at 3am every day and email the full output to the specified address, whether or not anything was found. The path contains the version number, so remember to update the crontab entry when you upgrade chkrootkit.
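A refinement of the cron job above, as an added example that is not from the article or the chkrootkit project: instead of mailing the whole report every night, record chkrootkit's output on a freshly built server as a baseline and mail only lines that are new relative to it. That keeps recurring false positives (a mail server legitimately listening on port 465 is the classic bindshell one) out of your inbox while still surfacing anything that changes. The two sample reports are constructed here so the script runs offline; their wording mimics chkrootkit's INFECTED, Warning and hidden-process lines, and the log paths in the comments are assumptions.

```sh
#!/bin/sh
# Added example (not from the article or the chkrootkit project): report only
# chkrootkit findings that were absent from a baseline recorded on a known-clean
# server. Sample outputs below are constructed; paths in the comments are assumed.

# findings FILE: keep only lines that indicate a hit. Quiet lines such as
# "not infected", "not found" or "nothing detected" match none of these patterns.
findings() {
    grep -E 'INFECTED|Warning|hidden' "$1" || true
}

# new_findings BASELINE CURRENT: hit lines in CURRENT that do not appear in
# BASELINE, in the order chkrootkit printed them. Prints nothing when nothing is new.
new_findings() {
    base=$(mktemp)
    cur=$(mktemp)
    findings "$1" > "$base"
    findings "$2" > "$cur"
    # -x whole line, -F fixed strings, -f patterns from file, -v invert match.
    # An empty pattern file matches nothing, so with -v every current hit is new.
    grep -vxF -f "$base" "$cur" || true
    rm -f "$base" "$cur"
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Constructed baseline from a freshly built server. The bindshell line is the
# kind of entry that recurs on a box legitimately listening on port 465.
cat > "$demo_dir/baseline.txt" <<'EOF'
Checking bindshell... INFECTED (PORTS:  465)
Checking lkm... chkproc: nothing detected
Checking ls... not infected
EOF

# Constructed output from tonight's run: the known line plus two new hits.
cat > "$demo_dir/tonight.txt" <<'EOF'
Checking bindshell... INFECTED (PORTS:  465)
Checking lkm... You have 9 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed
Checking ls... not infected
EOF

new=$(new_findings "$demo_dir/baseline.txt" "$demo_dir/tonight.txt")
if [ -n "$new" ]; then
    printf 'New chkrootkit findings:\n%s\n' "$new"
else
    echo "nothing new since baseline"
fi

# Crontab use (paths assumed): put these functions in a wrapper script that runs
#   ./chkrootkit > /var/log/chkrootkit/latest.txt 2>&1
# then pipes new_findings to mail only when its output is non-empty, and schedule
#   0 3 * * * /usr/local/sbin/chkrootkit-report.sh
# Keep latest.txt as well: the baseline hides whatever it already contained, so
# refresh it only after you have confirmed the server is clean.
```

Putting the logic in a wrapper script rather than inline in the crontab entry also sidesteps cron's treatment of a literal % as a newline, which would break a printf format string typed straight into the crontab.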
As you can see, actually installing and running the chkrootkit programme is pretty simple. I've added a bit of sysadmin 'philosophy' behind it so it may look like more effort than it actually is.
PickledOnion.
Article Comments:
Ron 30 Jun, 2007
Hey Pickled!
One should probably download the md5 signature off a different mirror if possible, as in the case of the source mirror being compromised, it would defeat the purpose of checking the md5 hash.
PickledOnion 30 Jun, 2007
Ron,
Good catch and thanks for the sensible advice. I'll put a note in the article.
Thanks, PickledOnion.