By jeremy at 2004-07-03 13:42
Finding Rootkits, Infections, and Files
by Jeremy Garcia
Last month's "Tech Support" showed you how to monitor filesystem changes with Tripwire, a handy system utility that alerts you to all filesystem changes. Like SNORT and others, Tripwire's just one of many practical security measures that minds your system 24/7.
Another sentry tool is chkrootkit, a free utility that can detect rootkits, loadable kernel modules, worms, and other nefarious cracker tools. (A rootkit is a collection of tools used to mask intrusion, obtain administrator-level access and, install a backdoor on a target computer. A loadable kernel module, or LKM, is a piece of code that's loaded directly into the Linux kernel.) chkrootkit uses digital signatures to detect over fifty known rootkits and LKMs. It also uses some simple heuristics -- looking for hidden processes, hidden directories, and a few other simple checks -- to attempt to detect unknown kits.
chkrootkit is maintained by Nelson Murilo and is available from http://www.chkrootkit.org. After downloading the latest version of chkrootkit, verify the MD5 checksum, and unpack the tarball. Then type make sense in the build directory. After the build's complete, run the program by typing ./chkrootkit. You'll have to be root to run the chkrootkit tools.
By default, chkrootkit is quite verbose. You can use the -q flag to only output messages that indicate an "infection." Another useful flag is -p, which allows you to specify a path to the supplemental, external programs that chkrootkit uses. Running the external commands from a read-only media ensures that chkrootkit itself hasn't been tampered with.
Once you have everything working to your liking, run chkrootkit via cron using a command similar to...
Like any security program, the output of chkrootkit needs to be examined and interpreted to be useful. For example, chkrootkit may give output such as INFECTED (PORTS: 1999). While this may be a result of the Transcout backdoor, it may just be that a program that uses random ports greater than port 1023 is using the port.
0 3 * * * (cd /path/to/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output" root)
Always a Good find
A few months back, "Tech Support" presented slocate as a replacement for the brute-force find /