Guide to Chkrootkit - checking for intruders Published: Oct 31, 2003
  • Rating

    5/5

Chkrootkit is a powerful tool to scan your Linux server for trojans. We'll show you how to install it, scan your server and setup a daily automated scanning job that emails you the report.

Chkrootkit is a powerful tool to scan your Linux server for trojans. We'll show you how to install it, scan your server and setup a daily automated scanning job that emails you the report.

Installing CHKROOTKIT

Version 0.42b (Sept. 20 2003)

SSH as admin to your server. DO NOT use telnet, it should be disabled anyways.

#Change to root
su -

#Type the following
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

# Check the MD5 SUM of the download for security:
ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5

md5sum chkrootkit.tar.gz

#Unpack the tarball using the command
tar xvzf chkrootkit.tar.gz

#Change to the directory it created
cd chkrootkit*

#Compile by typing
make sense

#To use chkrootkit, just type the command
./chkrootkit

#Everything it outputs should be 'not found' or 'not infected'...

Important Note: If you see 'Checking `bindshell'... INFECTED (PORTS:  465)' read on.
I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).

#Now,
cd ..
#Then remove the .gz file
rm chkrootkit.tar.gz

Daily Automated System Scan that emails you a report

While in SSH run the following:
pico /etc/cron.daily/chkrootkit.sh

Insert the following to the new file:
#!/bin/bash
cd /yourinstallpath/chkrootkit-0.42b/
./chkrootkit | mail -s "Daily chkrootkit from Servername"
admin@youremail.com

Important:
1. Replace 'yourinstallpath' with the actual path to where you unpacked Chkrootkit.
2. Change 'Servername' to the server your running so you know where it's coming from.
3. Change 'admin@youremail.com' to your actual email address where the script will mail you.

Now save the file in SSH:
Ctrl+X then type Y

Change the file permissions so we can run it
chmod 755 /etc/cron.daily/chkrootkit.sh

Now if you like you can run a test report manually in SSH to see how it looks.
cd /etc/cron.daily/

./chkrootkit.sh

You'll now receive a nice email with the report! This will now happen everyday so you don't have to run it manually.

  • Rating

    5/5

Related Articles

Comments (27)

  • Gravatar - Damian
    Damian 01:55, November 15, 2003
    I have follow your "how to" to install the chkrootkit however I cannot get the cron email work..

    No such file or directory...

    I follow exactly the steps you mentions and what is the right path for this?

    cd /yourinstallpath/chkrootkit-0.42b/
  • Gravatar - Edward
    Edward 22:16, November 25, 2003
    Love it :)
  • Gravatar - Coffeymate
    Coffeymate 16:08, December 8, 2003
    Thanks for such concise instructions here at webhostgear.

    Do you have a link for what to do if you find an infected port?

    I'm getting bindshell infected port 465 on my new server acquired in the past couple days after installing chkroot. I removed the .gz file but still get the same notice of 465 infected port.

    What do you suggest? Can you at least point me in the direction of a "how to" in the event of problems like this?

    Again, thanks for such an informative site!
  • Gravatar - alphonse
    alphonse 17:44, December 18, 2003
    What I'd like is a script that parses the chkrootkit output in order to email me ONLY if there is something strange happening.
    As I have no rootkit installed, I don't know the outputs to look for...
  • Gravatar - tom
    tom 18:33, December 26, 2003
    Great work
  • Gravatar - mike
    mike 01:50, January 18, 2004
    latest version does not work using the above tutorial on cpanel RHE3 servers, runs ok manually but not from cron
  • Gravatar - Jeff Huckaby
    Jeff Huckaby 06:11, April 2, 2004
    Some notes:


    MD5SUMs
    You should always check md5sum's on software like chkrootkit. What would be worse than to check a problem and find out you installed a trojan chkrootkit.


    A bit of a rant ....

    Running chkrootkit from cron.daily is not very useful. By the time you know anything has been changed, it is too late. Chkrootkit is not intended to be a file integrity system. Chkrootkit is great for a quick check when you suspect a problem but it is not a file-integrity system like tripwire, aide or one of a number of host based IDS programs.
  • Gravatar - Mikey
    Mikey 08:20, June 9, 2004
    If anyone is interested this also works on a BSD box. I did have to go in and install bash but other than that...woks like a charm.

  • Gravatar - Daniel
    Daniel 18:58, July 1, 2004
    This is a great guide but I noticed a small error in your typing, might want to add an 'r' in the untar part of this guide. you are missing it for the file name.
  • Gravatar - Sun Joo
    Sun Joo 02:20, September 4, 2004
    This is a great one. Thanks a lot.
  • Gravatar - subrat
    subrat 14:20, December 6, 2004
    This is the redifining technique for scanning vulnerabilities of servers.
  • Gravatar - burke
    burke 21:30, May 25, 2005
    This simple script runs chkrootkit but mails only if INFECTED:<br />
    <br />
    #!/bin/bash<br />
    #<br />
    # Cron Script - run from /etc/crontab or place in cron.daily<br />
    #<br />
    # Runs chkrootkit and reports if infected files are found<br />
    <br />
    cd /usr/local/src/chkrootkit<br />
    ./chkrootkit 2>&1 | grep "INFECTED\|Vulnerable" | \<br />
    fgrep -v "Checking \`bindshell'... INFECTED (PORTS: 365)"<br />
  • Gravatar - Norvin
    Norvin 14:44, August 21, 2005
    Hi, <br />
    <br />
    Good pice of kit however i am getting <br />
    Checking `bindshell'... INFECTED (PORTS: 31337)<br />
    <br />
    Would that be an error?<br />
    It is installed on a Raq4<br />
    Cheers
  • Gravatar - Pete
    Pete 14:03, October 14, 2005
    Very concise instructions, thank you for spelling it out. I'm sure most of us could have fudged through the install, but it's so much nicer to have it spelled out.<br />
    <br />
    Thnks for you time<br />
    <br />
    Cheers
  • Gravatar - elian
    elian 13:46, October 24, 2005
    I have the same problem: <br />
    ----------------------------------------<br />
    <br />
    Checking `bindshell'... INFECTED (PORTS: 465)<br />
    <br />
    <br />
    ------------------------------------<br />
    what can i do?
  • Gravatar - dan
    dan 13:35, November 3, 2005
    <br />
    regarding the concern with the "INFECTED (PORTS: 31337)"<br />
    I believe this is a result of using PortSentry...<br />
    <br />
    there's a reference to this at: http://www.howtoforge.com/howto_chkrootkit_portsentry
  • Gravatar - Livio
    Livio 18:37, November 28, 2005
    Burke when I run your Script I get the following error:<br />
    ./chkrootkitliv.sh: line 8: unexpected EOF while looking for matching ``'<br />
    ./chkrootkitliv.sh: line 10: syntax error: unexpected end of file<br />
    ---------------------------------------<br />
    What is wrong on the Line ?<br />
    <br />
    cd /usr/local/src/chkrootkit<br />
    ./chkrootkit 2>&1 | grep "INFECTED|Vulnerable" | <br />
    fgrep -v "Checking `bindshell'... INFECTED (PORTS: 465)"<br />
    ----------------------------------------<br />
    What I'd like is a script that parses the chkrootkit output in order to email me ONLY if there is something strange happening and discharge the port 465 error. I know 465 is my Secure SMTP on Exim.
  • Gravatar - Livio
    Livio 00:22, December 2, 2005
    Here is my procmail Script to filter the e-mails received from Crontab. With this filter I will only receive important e-mails from chkrootkit and rkhunter eliminating the daily false positive reports. Only emails with Important information will be allow to pass.<br />
    <br />
    My 0.2 cents.<br />
    Livio.<br />
    <br />
    <br />
    # To Delete false positive Infected Port 465 from my Exim SSL SMTP<br />
    * ^From:.*root@myserver.com<br />
    * ^Subject: chkrootkit output<br />
    | sed -e '/INFECTED (PORTS: 465)/d'<br />
    <br />
    # To delete emails with not Important Information (Same every Day)<br />
    :0<br />
    * ^From:.*root@myserver.com<br />
    * ^Subject: chkrootkit output<br />
    {<br />
    # Note the :0BD: means Case Sensitive search the body of the e-mail<br />
    :0BD:<br />
    *! (INFECTED|Vulnerable)<br />
    /dev/null<br />
    }<br />
    <br />
    :0<br />
    * ^From:.*root@myserver.com<br />
    * ^Subject: rkhunter Daily Run<br />
    {<br />
    :0B<br />
    *! (INFECTED|Vulnerable)<br />
    /dev/null<br />
    }<br />
    <br />
    <br />
    :0<br />
    * ^To: .*myemail@@myserver.com<br />
    /home/mydomain/mail/myemail<br />
    <br />
  • Gravatar - livio
    livio 03:36, December 2, 2005
    ooops. Here is the Script Fix (was missing :0 fBw at the beginning)<br />
    <br />
    # To Delete false positive Infected Port 465 from my Exim SSL SMTP<br />
    :0 fBw <br />
    * ^From:.*root@myserver.com<br />
    * ^Subject: chkrootkit output<br />
    | sed -e '/INFECTED (PORTS: 465)/d'<br />
    <br />
    # To delete emails with not Important Information (Same every Day)<br />
    :0<br />
    * ^From:.*root@myserver.com<br />
    * ^Subject: chkrootkit output<br />
    {<br />
    # Note the :0BD: means Case Sensitive search the body of the e-mail<br />
    :0BD:<br />
    *! (INFECTED|Vulnerable)<br />
    /dev/null<br />
    }<br />
    <br />
    :0<br />
    * ^From:.*root@myserver.com<br />
    * ^Subject: rkhunter Daily Run<br />
    {<br />
    :0B<br />
    *! (INFECTED|Vulnerable)<br />
    /dev/null<br />
    }<br />
    <br />
    <br />
    :0<br />
    * ^To: .*myemail@@myserver.com<br />
    /home/mydomain/mail/myemail
  • Gravatar - Rahul
    Rahul 22:56, August 15, 2006
    Am also getting same error is that ok <br />
    <br />
    Checking `asp'... not infected<br />
    Checking `bindshell'... INFECTED (PORTS: 465)<br />
    Checking `lkm'... You have 1 process hidden for readdir command<br />
    You have 1 process hidden for ps command<br />
    Warning: Possible LKM Trojan installed
  • Gravatar - Rahul
    Rahul 00:20, August 16, 2006
    Am also getting same error is that ok <br />
    <br />
    Checking `asp'... not infected<br />
    Checking `bindshell'... INFECTED (PORTS: 465)<br />
    Checking `lkm'... You have 1 process hidden for readdir command<br />
    You have 1 process hidden for ps command<br />
    Warning: Possible LKM Trojan installed
  • Gravatar - Rob Barclay
    Rob Barclay 11:55, August 16, 2006
    Spot on article, helped me loads (just need to add my version was chkrootkit-0.46a) so took me a little while to work out why the daily cron wasnt working) <br />
    <br />
    But excellently written guide thank you
  • Gravatar - irlamp
    irlamp 09:49, December 23, 2006
    Hello<br />
    <br />
    I have did and this is the result! what shoudl I do?<br />
    <br />
    [/etc/cron.daily]# ./chkrootkit.sh<br />
    ./chkrootkit.sh: line 2: cd: /chkrootkit-0.42b/: No such file or directory<br />
    ./chkrootkit.sh: line 3: ./chkrootkit<br />
    <br />
    Thanks
  • Gravatar - Paul Johnson
    Paul Johnson 04:06, October 31, 2007
    irlamp: change the path to match the actual location. Here's my script example. The thing is installed in /usr/bin<br />
    <br />
    #!/bin/bash<br />
    cd /usr/bin<br />
    ./chkrootkit | mail -s "Daily chkrootkit from laptop" pauljohn32@freefaculty.org<br />
    <br />
    last bit is all on one line.<br />
    <br />
    Livio:<br />
    <br />
    I got that error too. It happens because a single quote mark gets "turned" into an accent when you copy out of the email. Here's my program that does work, as far as I can tell. There is no error, anyway. All I did was change the ` to '. That is, the single quotes should be vertical, not slanted.<br />
    <br />
    #!/bin/bash<br />
    cd /usr/bin<br />
    ./chkrootkit 2>&1 | grep "INFECTED|Vulnerable" | fgrep -v "Checking 'bindshell'... INFECTED (PORTS: 365)" | mail -s "Daily chkrootkit from laptop" pauljohn32@freefaculty.org<br />
    <br />
    Last line is all one piece. <br />
  • Gravatar - Sushant
    Sushant 00:42, December 19, 2008
    I am getting same error..<br />
    <br />
    root@sushant [~]# cat chkrootkit.log<br />
    INFECTED (PORTS: 465)<br />
    <br />
    I have gone through this link..and it says same thing 'false positive' <br />
    <br />
    http://forums.theplanet.com/lofiversion/index.php/t29181.html<br />
    <br />
    What does it mean exactly by false positive ?<br />
  • Gravatar - Iamthatyouwant
    Iamthatyouwant 12:40, November 9, 2009
    Very usefull ;D thanks for all
  • Gravatar - Angelo
    Angelo 18:06, June 10, 2010
    I received the report email daily. But there is no message on the email.

    After I manually ran the test report (./chkrootkit.sh),

    I received a message on the CLI:

    ./chkrootkit.sh: line 2: cd: /chkrootkit-0.42b/: No such file or directory
    ./chkrootkit.sh: line 3: ./chkrootkit: No such file or directory
    Null message body; hope that's ok

Add Your Thoughts

WebHostGear.com is a hosting directory, not a web host.

Copyright © 1998-2014 WebHostGear.com