Chkrootkit (check rootkit) is a tool for searching for rootkits (malicious applications) in an operating system:
- It is a free and open-source utility available in many distributions.
- It can detect almost all current rootkits.
Installation:
apt-get install chkrootkit
root@kvmde58-21295:~# apt-get install chkrootkit
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
chkrootkit
0 upgraded, 1 newly installed, 0 to remove and 73 not upgraded.
Need to get 318 kB of archives.
After this operation, 1013 kB of additional disk space will be used.
Get:1 http://mirror.fornex.org/ubuntu bionic-updates/universe amd64 chkrootkit amd64 0.52-1ubuntu0.1 [318 kB]
Fetched 318 kB in 0s (8012 kB/s)
Preconfiguring packages ...
Selecting previously unselected package chkrootkit.
(Reading database ... 126487 files and directories currently installed.)
Preparing to unpack .../chkrootkit_0.52-1ubuntu0.1_amd64.deb ...
Unpacking chkrootkit (0.52-1ubuntu0.1) ...
Setting up chkrootkit (0.52-1ubuntu0.1) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Next, you can download the newest version of the archive with the source codes and unpack to a temporary directory.
wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvfz chkrootkit.tar.gz
cd chkrootkit-*/
make sense
root@kvmde58-21295:~# wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
--2021-02-15 14:16:41-- ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
=> 'chkrootkit.tar.gz'
Resolving ftp.pangeia.com.br (ftp.pangeia.com.br)... 187.33.4.179
Connecting to ftp.pangeia.com.br (ftp.pangeia.com.br)|187.33.4.179|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD (1) /pub/seg/pac ... done.
==> SIZE chkrootkit.tar.gz ... 41461
==> PASV ... done. ==> RETR chkrootkit.tar.gz ... done.
Length: 41461 (40K) (unauthoritative)
chkrootkit.tar.gz 100%[=====================================>] 40.49K 65.7KB/s in 0.6s
2021-02-15 14:16:44 (65.7 KB/s) - 'chkrootkit.tar.gz' saved [41461]
root@kvmde58-21295:~# tar xvfz chkrootkit.tar.gz
chkrootkit-0.54/ACKNOWLEDGMENTS
chkrootkit-0.54/check_wtmpx.c
chkrootkit-0.54/chk54.tgz
chkrootkit-0.54/chkdirs.c
chkrootkit-0.54/chklastlog.c
chkrootkit-0.54/chkproc.c
chkrootkit-0.54/chkrootkit
chkrootkit-0.54/chkrootkit.lsm
chkrootkit-0.54/chkutmp.c
chkrootkit-0.54/chkwtmp.c
chkrootkit-0.54/COPYRIGHT
chkrootkit-0.54/ifpromisc.c
chkrootkit-0.54/Makefile
chkrootkit-0.54/README
chkrootkit-0.54/README.chklastlog
chkrootkit-0.54/README.chkwtmp
chkrootkit-0.54/strings.c
root@kvmde58-21295:~# cd chkrootkit-*/
root@kvmde58-21295:~/chkrootkit-0.54# make sense
You can then move the chkrootkit directory to another location, such as /usr/local/chkrootkit:
cd .
mv chkrootkit-/<version>/usr/local/chkrootkit
Then create a symlink for easy access:
ln -s /usr/local/chkrootkit/chkrootkit /usr/local/bin/chkrootkit
Options for the chkrotkit utility:
- -h - view help.
- -V -view version.
- -l -view the list of tests/checks that the program supports.
- [ test type ] - execute specified test type (chkrootkit aliens sniffer).
- -d - enable debug mode.
- -q - "silent mode" - minimal output of information. Only messages about infected files are output.
- -x - advanced mode - output of each action performed on each file being examined.
- -r - definition of the directory which will be used as the root directory.
- -n - skip checks on NFS partitions.
- -p dir1:dir2:dirN - paths for external programs used by chkrootkit.
To check your server with chkrootkit, run the command:
chkrootkit
chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `u'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not found
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not found
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for rootkit HiDrootkit's default files... nothing found
Searching for rootkit t0rn's default files... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for rootkit Lion's default files... nothing found
Searching for rootkit RSHA's default files... nothing found
Searching for rootkit RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found
/lib/modules/4.15.0-128-generic/vdso/.build-id /lib/modules/4.15.0-106-generic/vdso/.build-id
/lib/modules/4.15.0-128-generic/vdso/.build-id /lib/modules/4.15.0-106-generic/vdso/.build-id
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for Linux/Ebury - Operation Windigo ssh... not tested
Searching for 64-bit Linux Rootkit ... nothing found
Searching for 64-bit Linux Rootkit modules... nothing found
Searching for Mumblehard Linux ... nothing found
Searching for Backdoor.Linux.Mokes.a ... nothing found
Searching for Malicious TinyDNS ... nothing found
Searching for Linux.Xor.DDoS ... nothing found
Searching for Linux.Proxy.1.0 ... nothing found
Searching for suspect PHP files ... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED PORTS: ( 465)
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... lo: no promisc and no packet sniffer sockets
eth0: no promisc and no packet sniffer sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `clapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not tested
While chkrootkit is running it sends the following notifications
- INFECTED - this program may refer to known hostile code samples (rootkit)
- not infected - no known rootkit signatures
- not tested:
-
- the test failed for one of the following reasons
-
- test is not applicable to the current operating system
-
- no external program can be used
-
- shell options set to disable the test
-
- not found - the program was not found, so it was not tested
- Vulnerable but disabled - the program is infected, but is not used (not launched) at the moment of check
From the report we get, we can see something like this
Checking `bindshell'... INFECTED (PORTS: 465)
Don't worry, when you get this message on your mail server, it is an SMTPS (Secure SMTP) port on your mail system and a well known false positive.
Chkrootkit runs a full system scan on all available tests by default. If the scanner detects something suspicious, it will only display information about the problem and will not remove or fix it. The user has to deal with each alert by himself, carefully studying the problem and making sure that it is not an error or false alarm but a real threat.
You can run chkrootkit on a cron job and get the results by e-mail
First, find out the path where chkrootkit is installed on your server:
which chkrootkit
root@kvmde58-21295:~# which chkrootkit
/usr/sbin/chkrootkit
Chkrootkit is installed at /usr/sbin/chkrootkit, we need this path in the cron line below:
crontab -e
For example:
0 3 * * * * * /usr/sbin/chkrootkit 2>&1 | mail -s "chkrootkit Report" your_mail@box
The check will run daily, at 3am
Replace the chkrootkit path with the one you received the command from above, and specify your mail address where the mail will be sent to.
If you have configuration difficulties or have further questions, you can always contact our support team via ticket system.