Guide to Chkrootkit - checking for intruders Published: Oct 31, 2003
  • Rating

    5/5

We are pleased to release our interview with Sethuran from the highly acclaimed Banners Mall banner design company. Check out what they had to say to WHG.

Banners Mall

Interview with Sethuran from Banners Mall

Business Location:
Toronto, Ontario, Canada

www.bannersmall.com

What is the name of your company?
The name of our company is Banners Mall, to reflect its mission of providing
an array of banner design options, just as a mall's mission is providing an
array of product options for shoppers.

What is your name and title?
My name is Sethuran Velnayagm and I am the owner of Banners Mall.

When did your company officially launch?
Our company officially launched on June 15th, 2003.

Tell us about your company and services
Our company designs professional, high-quality static and animated banners (in a variety of different sizes) to service all our customers' needs.
Additionally, we develop custom website templates for clients and deliver templates to quite a few template sites. Thus far we have worked for hundreds of companies and have, in doing so, developed a prestigious reputation that has put us apart from the rest.

What is your day to day role like at your company?
Primarily I design banners (a passion of mine that led me to found Banners Mall in the first place) and manage the staff, dividing tasks between the designers who work for us. I also handle customer care for the most part.

How do you differentiate your company and products in a highly competitive industry? Why would I choose you?
I differentiate our company and products, in a highly competitive industry, by working hard to ensure a swift turnaround time and full customer satisfaction, and by keeping prices as low as possible.

Banners Mall takes advantage of only the most cutting-edge technology to bring customers breathtaking banners with exceptional advertising potential, and that's more than can be said about most banner design companies.

Last but not least, our company works on a personal basis with each individual client to bring about the best possible result; I believe our reputation shows this.

What areas in your business would you like to improve?
I would like to improve our turnaround time by employing more designers (even though we normally deliver banners within 48 hours, sometimes we have a hard time when we receive huge amounts of orders). Also, currently 95% of our clients are from the hosting industry. We would like to spread our company into other industries.

Who do you see as your major competitors?
We don't consider anyone competition at the moment because, in my point of view, we are currently considered the top choice in banner design.

What do you feel is the best thing about your company?
I feel the best thing about our company is how successful it has been in such a short time.

Where do you see yourself in 5 years?
In five years I see Banners Mall as THE one-stop solution for any and all designing needs.

Do you have any final comments?
I would just like to say that I am honoured to have participated in this interview and thank those, who took the time to read it, for their continuing interest in Banners Mall.


Contact Information:

Senthuran Velnayagam
Director of Creative
www.bannersmall.com
info@bannersmall.com

  • Rating

    5/5

Related Articles

Comments (27)

  • Gravatar - Damian
    Damian 01:55, November 15, 2003
    I have follow your "how to" to install the chkrootkit however I cannot get the cron email work..

    No such file or directory...

    I follow exactly the steps you mentions and what is the right path for this?

    cd /yourinstallpath/chkrootkit-0.42b/
  • Gravatar - Edward
    Edward 22:16, November 25, 2003
    Love it :)
  • Gravatar - Coffeymate
    Coffeymate 16:08, December 8, 2003
    Thanks for such concise instructions here at webhostgear.

    Do you have a link for what to do if you find an infected port?

    I'm getting bindshell infected port 465 on my new server acquired in the past couple days after installing chkroot. I removed the .gz file but still get the same notice of 465 infected port.

    What do you suggest? Can you at least point me in the direction of a "how to" in the event of problems like this?

    Again, thanks for such an informative site!
  • Gravatar - alphonse
    alphonse 17:44, December 18, 2003
    What I'd like is a script that parses the chkrootkit output in order to email me ONLY if there is something strange happening.
    As I have no rootkit installed, I don't know the outputs to look for...
  • Gravatar - tom
    tom 18:33, December 26, 2003
    Great work
  • Gravatar - mike
    mike 01:50, January 18, 2004
    latest version does not work using the above tutorial on cpanel RHE3 servers, runs ok manually but not from cron
  • Gravatar - Jeff Huckaby
    Jeff Huckaby 06:11, April 2, 2004
    Some notes:


    MD5SUMs
    You should always check md5sum's on software like chkrootkit. What would be worse than to check a problem and find out you installed a trojan chkrootkit.


    A bit of a rant ....

    Running chkrootkit from cron.daily is not very useful. By the time you know anything has been changed, it is too late. Chkrootkit is not intended to be a file integrity system. Chkrootkit is great for a quick check when you suspect a problem but it is not a file-integrity system like tripwire, aide or one of a number of host based IDS programs.
  • Gravatar - Mikey
    Mikey 08:20, June 9, 2004
    If anyone is interested this also works on a BSD box. I did have to go in and install bash but other than that...woks like a charm.

  • Gravatar - Daniel
    Daniel 18:58, July 1, 2004
    This is a great guide but I noticed a small error in your typing, might want to add an 'r' in the untar part of this guide. you are missing it for the file name.
  • Gravatar - Sun Joo
    Sun Joo 02:20, September 4, 2004
    This is a great one. Thanks a lot.
  • Gravatar - subrat
    subrat 14:20, December 6, 2004
    This is the redifining technique for scanning vulnerabilities of servers.
  • Gravatar - burke
    burke 21:30, May 25, 2005
    This simple script runs chkrootkit but mails only if INFECTED:<br />
    <br />
    #!/bin/bash<br />
    #<br />
    # Cron Script - run from /etc/crontab or place in cron.daily<br />
    #<br />
    # Runs chkrootkit and reports if infected files are found<br />
    <br />
    cd /usr/local/src/chkrootkit<br />
    ./chkrootkit 2>&1 | grep "INFECTED\|Vulnerable" | \<br />
    fgrep -v "Checking \`bindshell'... INFECTED (PORTS: 365)"<br />
  • Gravatar - Norvin
    Norvin 14:44, August 21, 2005
    Hi, <br />
    <br />
    Good pice of kit however i am getting <br />
    Checking `bindshell'... INFECTED (PORTS: 31337)<br />
    <br />
    Would that be an error?<br />
    It is installed on a Raq4<br />
    Cheers
  • Gravatar - Pete
    Pete 14:03, October 14, 2005
    Very concise instructions, thank you for spelling it out. I'm sure most of us could have fudged through the install, but it's so much nicer to have it spelled out.<br />
    <br />
    Thnks for you time<br />
    <br />
    Cheers
  • Gravatar - elian
    elian 13:46, October 24, 2005
    I have the same problem: <br />
    ----------------------------------------<br />
    <br />
    Checking `bindshell'... INFECTED (PORTS: 465)<br />
    <br />
    <br />
    ------------------------------------<br />
    what can i do?
  • Gravatar - dan
    dan 13:35, November 3, 2005
    <br />
    regarding the concern with the "INFECTED (PORTS: 31337)"<br />
    I believe this is a result of using PortSentry...<br />
    <br />
    there's a reference to this at: http://www.howtoforge.com/howto_chkrootkit_portsentry
  • Gravatar - Livio
    Livio 18:37, November 28, 2005
    Burke when I run your Script I get the following error:<br />
    ./chkrootkitliv.sh: line 8: unexpected EOF while looking for matching ``'<br />
    ./chkrootkitliv.sh: line 10: syntax error: unexpected end of file<br />
    ---------------------------------------<br />
    What is wrong on the Line ?<br />
    <br />
    cd /usr/local/src/chkrootkit<br />
    ./chkrootkit 2>&1 | grep "INFECTED|Vulnerable" | <br />
    fgrep -v "Checking `bindshell'... INFECTED (PORTS: 465)"<br />
    ----------------------------------------<br />
    What I'd like is a script that parses the chkrootkit output in order to email me ONLY if there is something strange happening and discharge the port 465 error. I know 465 is my Secure SMTP on Exim.
  • Gravatar - Livio
    Livio 00:22, December 2, 2005
    Here is my procmail Script to filter the e-mails received from Crontab. With this filter I will only receive important e-mails from chkrootkit and rkhunter eliminating the daily false positive reports. Only emails with Important information will be allow to pass.<br />
    <br />
    My 0.2 cents.<br />
    Livio.<br />
    <br />
    <br />
    # To Delete false positive Infected Port 465 from my Exim SSL SMTP<br />
    * ^From:.*root@myserver.com<br />
    * ^Subject: chkrootkit output<br />
    | sed -e '/INFECTED (PORTS: 465)/d'<br />
    <br />
    # To delete emails with not Important Information (Same every Day)<br />
    :0<br />
    * ^From:.*root@myserver.com<br />
    * ^Subject: chkrootkit output<br />
    {<br />
    # Note the :0BD: means Case Sensitive search the body of the e-mail<br />
    :0BD:<br />
    *! (INFECTED|Vulnerable)<br />
    /dev/null<br />
    }<br />
    <br />
    :0<br />
    * ^From:.*root@myserver.com<br />
    * ^Subject: rkhunter Daily Run<br />
    {<br />
    :0B<br />
    *! (INFECTED|Vulnerable)<br />
    /dev/null<br />
    }<br />
    <br />
    <br />
    :0<br />
    * ^To: .*myemail@@myserver.com<br />
    /home/mydomain/mail/myemail<br />
    <br />
  • Gravatar - livio
    livio 03:36, December 2, 2005
    ooops. Here is the Script Fix (was missing :0 fBw at the beginning)<br />
    <br />
    # To Delete false positive Infected Port 465 from my Exim SSL SMTP<br />
    :0 fBw <br />
    * ^From:.*root@myserver.com<br />
    * ^Subject: chkrootkit output<br />
    | sed -e '/INFECTED (PORTS: 465)/d'<br />
    <br />
    # To delete emails with not Important Information (Same every Day)<br />
    :0<br />
    * ^From:.*root@myserver.com<br />
    * ^Subject: chkrootkit output<br />
    {<br />
    # Note the :0BD: means Case Sensitive search the body of the e-mail<br />
    :0BD:<br />
    *! (INFECTED|Vulnerable)<br />
    /dev/null<br />
    }<br />
    <br />
    :0<br />
    * ^From:.*root@myserver.com<br />
    * ^Subject: rkhunter Daily Run<br />
    {<br />
    :0B<br />
    *! (INFECTED|Vulnerable)<br />
    /dev/null<br />
    }<br />
    <br />
    <br />
    :0<br />
    * ^To: .*myemail@@myserver.com<br />
    /home/mydomain/mail/myemail
  • Gravatar - Rahul
    Rahul 22:56, August 15, 2006
    Am also getting same error is that ok <br />
    <br />
    Checking `asp'... not infected<br />
    Checking `bindshell'... INFECTED (PORTS: 465)<br />
    Checking `lkm'... You have 1 process hidden for readdir command<br />
    You have 1 process hidden for ps command<br />
    Warning: Possible LKM Trojan installed
  • Gravatar - Rahul
    Rahul 00:20, August 16, 2006
    Am also getting same error is that ok <br />
    <br />
    Checking `asp'... not infected<br />
    Checking `bindshell'... INFECTED (PORTS: 465)<br />
    Checking `lkm'... You have 1 process hidden for readdir command<br />
    You have 1 process hidden for ps command<br />
    Warning: Possible LKM Trojan installed
  • Gravatar - Rob Barclay
    Rob Barclay 11:55, August 16, 2006
    Spot on article, helped me loads (just need to add my version was chkrootkit-0.46a) so took me a little while to work out why the daily cron wasnt working) <br />
    <br />
    But excellently written guide thank you
  • Gravatar - irlamp
    irlamp 09:49, December 23, 2006
    Hello<br />
    <br />
    I have did and this is the result! what shoudl I do?<br />
    <br />
    [/etc/cron.daily]# ./chkrootkit.sh<br />
    ./chkrootkit.sh: line 2: cd: /chkrootkit-0.42b/: No such file or directory<br />
    ./chkrootkit.sh: line 3: ./chkrootkit<br />
    <br />
    Thanks
  • Gravatar - Paul Johnson
    Paul Johnson 04:06, October 31, 2007
    irlamp: change the path to match the actual location. Here's my script example. The thing is installed in /usr/bin<br />
    <br />
    #!/bin/bash<br />
    cd /usr/bin<br />
    ./chkrootkit | mail -s "Daily chkrootkit from laptop" pauljohn32@freefaculty.org<br />
    <br />
    last bit is all on one line.<br />
    <br />
    Livio:<br />
    <br />
    I got that error too. It happens because a single quote mark gets "turned" into an accent when you copy out of the email. Here's my program that does work, as far as I can tell. There is no error, anyway. All I did was change the ` to '. That is, the single quotes should be vertical, not slanted.<br />
    <br />
    #!/bin/bash<br />
    cd /usr/bin<br />
    ./chkrootkit 2>&1 | grep "INFECTED|Vulnerable" | fgrep -v "Checking 'bindshell'... INFECTED (PORTS: 365)" | mail -s "Daily chkrootkit from laptop" pauljohn32@freefaculty.org<br />
    <br />
    Last line is all one piece. <br />
  • Gravatar - Sushant
    Sushant 00:42, December 19, 2008
    I am getting same error..<br />
    <br />
    root@sushant [~]# cat chkrootkit.log<br />
    INFECTED (PORTS: 465)<br />
    <br />
    I have gone through this link..and it says same thing 'false positive' <br />
    <br />
    http://forums.theplanet.com/lofiversion/index.php/t29181.html<br />
    <br />
    What does it mean exactly by false positive ?<br />
  • Gravatar - Iamthatyouwant
    Iamthatyouwant 12:40, November 9, 2009
    Very usefull ;D thanks for all
  • Gravatar - Angelo
    Angelo 18:06, June 10, 2010
    I received the report email daily. But there is no message on the email.

    After I manually ran the test report (./chkrootkit.sh),

    I received a message on the CLI:

    ./chkrootkit.sh: line 2: cd: /chkrootkit-0.42b/: No such file or directory
    ./chkrootkit.sh: line 3: ./chkrootkit: No such file or directory
    Null message body; hope that's ok

Add Your Thoughts

WebHostGear.com is a hosting directory, not a web host.

Copyright © 1998-2019 WebHostGear.com