
Whois Harvesting - Are You A Target? Published: Apr 25, 2004

Chkrootkit is a powerful tool to scan your Linux server for trojans. We'll show you how to install it, scan your server and setup a daily automated scanning job that emails you the report.

Installing CHKROOTKIT

Version 0.42b (Sept. 20 2003)

SSH into your server as an administrative user. DO NOT use telnet; it should be disabled anyway.

#Change to root
su -

#Type the following
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

# Check the MD5 sum of the download against the published one:
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
md5sum chkrootkit.tar.gz
cat chkrootkit.md5
# The two sums must match; if they do not, do not unpack the archive.

#Unpack the tarball using the command
tar xvzf chkrootkit.tar.gz

#Change to the directory it created
cd chkrootkit*

#Compile by typing
make sense

#To use chkrootkit, just type the command
./chkrootkit

#Everything it outputs should be 'not found' or 'not infected'...

Important Note: If you see 'Checking `bindshell'... INFECTED (PORTS:  465)', read on.
I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself to unused ports, chkrootkit will probably give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp). Confirm which process owns the reported port before treating it as a finding.

#Now,
cd ..
#Then remove the .gz file
rm chkrootkit.tar.gz

Daily Automated System Scan that emails you a report

While in SSH run the following:
pico /etc/cron.daily/chkrootkit.sh

Insert the following to the new file:
#!/bin/bash
cd /yourinstallpath/chkrootkit-0.42b/
./chkrootkit | mail -s "Daily chkrootkit from Servername" admin@youremail.com

Important:
1. Replace 'yourinstallpath' with the actual path to where you unpacked Chkrootkit.
2. Change 'Servername' to the name of the server you're running so you know where the report is coming from.
3. Change 'admin@youremail.com' to your actual email address where the script will mail you.

Now save the file in SSH:
Ctrl+X then type Y

Change the file permissions so the script is executable:
chmod 755 /etc/cron.daily/chkrootkit.sh

Now if you like you can run a test report manually in SSH to see how it looks.
cd /etc/cron.daily/

./chkrootkit.sh

You'll now receive a nice email with the report! This will now happen every day, so you don't have to run it manually.
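As an added example (not from the original article and not part of chkrootkit), here is a filter for the daily job that drops the clean 'not found'/'not infected' lines and the known bindshell false positive from PortSentry, so the mail only goes out when something needs a human look. The install path, server name and address are the article's placeholders; the allowed-port list and the sample report are constructed assumptions for this example.

```shell
#!/bin/sh
# Added example: mail the chkrootkit report only when it contains real findings.
# ALLOWED_BINDSHELL_PORTS lists ports a legitimate local daemon (e.g. PortSentry)
# is known to bind; port 465 is the false positive quoted in the article.
ALLOWED_BINDSHELL_PORTS="${ALLOWED_BINDSHELL_PORTS:-465}"

# Read a chkrootkit report on stdin and print only the lines worth attention.
# Clean lines ("not found", "not infected", ...) are dropped; an INFECTED
# bindshell line is kept only if it lists a port outside the allow-list.
suspicious_lines() {
    grep -E 'INFECTED|Warning|Possible' | while IFS= read -r line; do
        case "$line" in
            *bindshell*INFECTED*)
                ports=$(printf '%s\n' "$line" | sed -n 's/.*PORTS:[[:space:]]*\([0-9 ]*\)).*/\1/p')
                unexplained=""
                for p in $ports; do
                    case " $ALLOWED_BINDSHELL_PORTS " in
                        *" $p "*) ;;                      # explained by a known daemon
                        *) unexplained="$unexplained $p" ;;
                    esac
                done
                [ -n "$unexplained" ] && printf '%s  [unexplained ports:%s]\n' "$line" "$unexplained"
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Number of suspicious lines in the report read from stdin.
count_suspicious() {
    suspicious_lines | wc -l | tr -d ' '
}

# Constructed sample of chkrootkit output (assumption, not a real scan).
sample_report() {
cat <<'EOF'
Checking `amd'... not found
Checking `basename'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... chkproc: nothing detected
Checking `login'... INFECTED
Searching for suspicious files and dirs, it may take a while... nothing found
EOF
}

# Daily cron job body: send the full report only when something is flagged.
daily_report() {
    report=$(/yourinstallpath/chkrootkit-0.42b/chkrootkit 2>&1)
    if [ "$(printf '%s\n' "$report" | count_suspicious)" -gt 0 ]; then
        printf '%s\n' "$report" | mail -s "chkrootkit ALERT on Servername" admin@youremail.com
    fi
}
```

Drop the `daily_report` function into /etc/cron.daily/chkrootkit.sh in place of the plain pipeline if you prefer alert-only mail; keep the original unconditional mail if you want a daily heartbeat as well.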


Comments (3)

  • DCASEY 20:26, May 18, 2005
    http://aplus.net/ is the only one I've ever gotten a phone call (3, actually, though I asked every time to be taken off their list) from.

    I suggest using their own services to let them know that they are part of the problem - right in there with lowlife spammers of porn, meds and large dicks - and that you wouldn't consider using their services if they were the last provider on earth.

    I am a web developer with many clients and the one thing I will do is to tell all of them NOT to use http://aplus.net/ for anything.
  • mdx 05:06, January 30, 2006
    I've had several as well, and since I won't answer the call, it's a pre-recorded British woman pitching their services. I ran the phone number the calls originated from, and it goes to a "Veleka Predictive Dialer" - something telemarketers use. Since I believe telemarketing one's cellphone with pre-recorded messages is against the FTC Do Not Call regulations and carries a hefty fine, I'm going to look into having them fined. It won't do anything in the larger scheme of things, but.... On the other hand, in a class action, if someone subpoenaed their outbound calls and determined which went to cell phones and multiplied that number by a $1,000 fine, things might get interesting....
  • Leo 04:14, June 1, 2008
    I hate when this crap happens to my business. Guess what I do! I do the same thing to them. Use something like: http://www.tools.mywikiinfo.com/includes/whoislookup.php

    And do them the same favor 3-4 times.

    Regards,

WebHostGear.com is a hosting directory, not a web host.

Copyright © 1998-2012 WebHostGear.com