How to install chkrootkit and automated rootkit scanning on CentOS 7
What is Chkrootkit?
Chkrootkit is a popular security scanner that helps administrators look for signs that a system has been infected with a rootkit. You can use chkrootkit to find files and rules associated with known rootkits, but you cannot be 100% sure that every rootkit will be found and removed.
Install Chkrootkit
You can install Chkrootkit directly from the distribution's repositories, but in this article I will install it from source to make sure the installed version is the latest one.
Step 1: SSH into your server
The first thing we need to do is SSH into your VPS or server with root privileges.
Step 2: Download and install Chkrootkit
- Install C/C++ compilers and libraries
yum update
yum install wget gcc-c++ glibc-static
- Download the source package
wget -c https://src.fedoraproject.org/repo/pkgs/chkrootkit/chkrootkit-0.55.tar.gz/sha512/742dca90a761ecff149d8704cb3a252adfe8f9d5e15dd060e9db4d5f6dcd3820933ae13cbee99ea5a8c6144932cf97c0616a177af3ba5a1726b51bb304e7d63e/chkrootkit-0.55.tar.gz
- Unzip and install
tar -zxvf chkrootkit-0.55.tar.gz
mkdir /usr/local/chkrootkit
mv chkrootkit-0.55/* /usr/local/chkrootkit
cd /usr/local/chkrootkit
make sense
- Now you can run chkrootkit to scan the server with the command below:
/usr/local/chkrootkit/chkrootkit
Step 3: Install automatic rootkit scanning on the system and report scanned information
You can add a cron entry to run chkrootkit automatically and send the scan report to your mail address. Create the file /etc/cron.daily/chkrootkit-scan.sh and make it executable:
nano /etc/cron.daily/chkrootkit-scan.sh
chmod 700 /etc/cron.daily/chkrootkit-scan.sh
And add the content below to the file you just created
#!/bin/sh
# Run the full scan and mail its output; replace the address with your own.
(
/usr/local/chkrootkit/chkrootkit
) | /bin/mail -s 'CHKROOTKIT Daily Run ServerName' you@example.com
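As an added example (not part of the original article and not code shipped with chkrootkit), here is a more defensive version of that cron script: it runs the scan in quiet mode, writes a dated log, and mails the report only when findings remain after subtracting an allow-list of false positives you have already reviewed. The paths, the mail address and the allow-list entries are assumptions to adapt to your own host.

```shell
#!/bin/sh
# Added example for this article (not code shipped with chkrootkit): a cron
# wrapper that scans in quiet mode, keeps a dated log, and mails only when
# findings remain after an allow-list of reviewed false positives is applied.
# CHK, LOGDIR, MAILTO and ALLOW are assumed values; adjust them for your host.
CHK=/usr/local/chkrootkit/chkrootkit
LOGDIR=/var/log/chkrootkit
MAILTO=you@example.com              # placeholder address

# Findings already reviewed on this host and accepted as benign (fixed strings,
# space separated). The systemd-networkd "sniffer" hit and the vdso/.build-id
# directories seen in the article's sample output are widely reported ones.
ALLOW='systemd-networkd vdso/.build-id'

# Constructed sample of `chkrootkit -q` output, modelled on the article's, so
# the filter can be exercised without a real scan.
SAMPLE="Checking \`tcpd'... INFECTED
/lib/modules/4.15.0-20-generic/vdso/.build-id
not tested
INFECTED PORTS: ( 465)
eth0: PACKET SNIFFER(/lib/systemd/systemd-networkd[536])"

# filter_findings: read scan output on stdin; print only lines that still look
# like a problem after dropping blanks, "not tested" and allow-listed patterns.
filter_findings() {
    out=$(grep -Ev '^[[:space:]]*$|not tested' || true)
    for pat in $ALLOW; do
        out=$(printf '%s\n' "$out" | grep -Fv -- "$pat" || true)
    done
    [ -n "$out" ] && printf '%s\n' "$out"
    return 0                        # never fail the caller under `set -e`
}
# count_findings: number of lines filter_findings keeps (0 means all quiet).
count_findings() { filter_findings | wc -l | tr -d ' '; }

# run_scan: run chkrootkit if installed, log it, mail only on unexpected hits.
run_scan() {
    [ -x "$CHK" ] || { echo "chkrootkit not found at $CHK" >&2; return 1; }
    mkdir -p "$LOGDIR"
    log="$LOGDIR/scan-$(date +%F).log"
    "$CHK" -q > "$log" 2>&1 || true # exit status is not the verdict; parse output
    n=$(count_findings < "$log")
    [ "$n" -gt 0 ] && mail -s "CHKROOTKIT: $n unexpected finding(s) on $(hostname)" "$MAILTO" < "$log"
    echo "$n"
}

# Show the filter on the sample; the real scan runs only when invoked from cron.
printf '%s\n' "$SAMPLE" | filter_findings
if [ "${0##*/}" = chkrootkit-scan.sh ]; then run_scan; fi
```

Keep the dated logs: a finding that appears in today's log but not yesterday's is exactly the change you want to investigate, and the allow-list should only grow after you have confirmed why a hit is benign.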
Step 4: Understanding chkrootkit
Chkrootkit is a tool that performs rootkit checks. Its main component is a shell script called chkrootkit, which scans the system binaries for rootkit modifications. In addition, it contains several C programs that perform various security checks, as listed below:
ifpromisc.c: This checks if the network interface is in promiscuous mode.
chklastlog.c: This checks for lastlog deletions.
chkwtmp.c: This checks for wtmp deletions.
chkproc.c: This checks for signs of LKM trojans.
chkdirs.c: This checks for signs of LKM trojans.
strings.c: This performs quick and dirty strings replacement.
chkutmp.c: This checks for utmp deletions.
Step 5: Usage
The simplest way to run this tool is by using the command “chkrootkit” as root. This will perform all tasks. But if you want to choose any particular options while running this command, you have various options as listed below:
-h: Print a short help message and exit.
# chkrootkit -h
Usage: /usr/sbin/chkrootkit [options] [test ...]
Options:
-h show this help and exit
-V show version information and exit
-l show available tests and exit
-d debug
-q quiet mode
-x expert mode
-e exclude known false positive files/dirs, quoted,
space separated, READ WARNING IN README
-r dir use dir as the root directory
-p dir1:dir2:dirN path for the external commands used by chkrootkit
-n skip NFS mounted dirs
-V: Print version information and exit.
# chkrootkit -V
chkrootkit version 0.52
-l: Print available tests.
# chkrootkit -l
/usr/sbin/chkrootkit: tests: aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp OSX_RSPLUG amd basename biff chfn chsh cron crontab date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write
-d: Enter debug mode.
-x: Enter expert mode.
-e: Exclude known false positive files/dirs, quoted, space separated.
-q: Enter quiet mode. In this mode only output messages with `infected' status are shown.
# chkrootkit -q
Checking `tcpd'... INFECTED
/lib/modules/4.15.0-20-generic/vdso/.build-id /lib/modules/4.15.0-23-generic/vdso/.build-id
/lib/modules/4.15.0-20-generic/vdso/.build-id /lib/modules/4.15.0-23-generic/vdso/.build-id
not tested
INFECTED PORTS: ( 465)
eth0: PACKET SNIFFER(/lib/systemd/systemd-networkd[536])
not tested
-r dir: Use dir as the root directory.
# chkrootkit -r /mnt/
This will check all files under the specified directory.
-p dir1:dir2:dirN: Add more paths for the external binaries chkrootkit uses, separated by colons.
-n: Skip NFS-mounted directories.
Summary
We now connect our systems to many networks through the internet, making it crucial to keep an eye out for any suspicious intrusions or attacks on our servers. Chkrootkit is a straightforward program that performs routine security audits and helps us spot signs of rootkit compromise on our systems.
Thanks for reading, and feel free to offer any comments or recommendations below.