Guide to Chkrootkit - checking for intruders

Comments (27)

Damian 01:55, November 15, 2003

I have follow your "how to" to install the chkrootkit however I cannot get the cron email work..

No such file or directory...

I follow exactly the steps you mentions and what is the right path for this?

cd /yourinstallpath/chkrootkit-0.42b/
Edward 22:16, November 25, 2003

Love it :)
Coffeymate 16:08, December 8, 2003

Thanks for such concise instructions here at webhostgear.

Do you have a link for what to do if you find an infected port?

I'm getting bindshell infected port 465 on my new server acquired in the past couple days after installing chkroot. I removed the .gz file but still get the same notice of 465 infected port.

What do you suggest? Can you at least point me in the direction of a "how to" in the event of problems like this?

Again, thanks for such an informative site!
alphonse 17:44, December 18, 2003

What I'd like is a script that parses the chkrootkit output in order to email me ONLY if there is something strange happening.
As I have no rootkit installed, I don't know the outputs to look for...
tom 18:33, December 26, 2003

Great work
mike 01:50, January 18, 2004

latest version does not work using the above tutorial on cpanel RHE3 servers, runs ok manually but not from cron
Jeff Huckaby 06:11, April 2, 2004

Some notes:

MD5SUMs
You should always check md5sum's on software like chkrootkit. What would be worse than to check a problem and find out you installed a trojan chkrootkit.

A bit of a rant ....

Running chkrootkit from cron.daily is not very useful. By the time you know anything has been changed, it is too late. Chkrootkit is not intended to be a file integrity system. Chkrootkit is great for a quick check when you suspect a problem but it is not a file-integrity system like tripwire, aide or one of a number of host based IDS programs.
Mikey 08:20, June 9, 2004

If anyone is interested this also works on a BSD box. I did have to go in and install bash but other than that...woks like a charm.
Daniel 18:58, July 1, 2004

This is a great guide but I noticed a small error in your typing, might want to add an 'r' in the untar part of this guide. you are missing it for the file name.
Sun Joo 02:20, September 4, 2004

This is a great one. Thanks a lot.
subrat 14:20, December 6, 2004

This is the redifining technique for scanning vulnerabilities of servers.
burke 21:30, May 25, 2005

This simple script runs chkrootkit but mails only if INFECTED: 
 
#!/bin/bash 
# 
# Cron Script - run from /etc/crontab or place in cron.daily 
# 
# Runs chkrootkit and reports if infected files are found 
 
cd /usr/local/src/chkrootkit 
./chkrootkit 2>&1 | grep "INFECTED\|Vulnerable" | \ 
fgrep -v "Checking \`bindshell'... INFECTED (PORTS: 365)"
Norvin 14:44, August 21, 2005

Hi, 
 
Good pice of kit however i am getting 
Checking `bindshell'... INFECTED (PORTS: 31337) 
 
Would that be an error? 
It is installed on a Raq4 
Cheers
Pete 14:03, October 14, 2005

Very concise instructions, thank you for spelling it out. I'm sure most of us could have fudged through the install, but it's so much nicer to have it spelled out. 
 
Thnks for you time 
 
Cheers
elian 13:46, October 24, 2005

I have the same problem: 
---------------------------------------- 
 
Checking `bindshell'... INFECTED (PORTS: 465) 
 
 
------------------------------------ 
what can i do?
dan 13:35, November 3, 2005

 
regarding the concern with the "INFECTED (PORTS: 31337)" 
I believe this is a result of using PortSentry... 
 
there's a reference to this at: http://www.howtoforge.com/howto_chkrootkit_portsentry
Livio 18:37, November 28, 2005

Burke when I run your Script I get the following error: 
./chkrootkitliv.sh: line 8: unexpected EOF while looking for matching ``' 
./chkrootkitliv.sh: line 10: syntax error: unexpected end of file 
--------------------------------------- 
What is wrong on the Line ? 
 
cd /usr/local/src/chkrootkit 
./chkrootkit 2>&1 | grep "INFECTED|Vulnerable" | 
fgrep -v "Checking `bindshell'... INFECTED (PORTS: 465)" 
---------------------------------------- 
What I'd like is a script that parses the chkrootkit output in order to email me ONLY if there is something strange happening and discharge the port 465 error. I know 465 is my Secure SMTP on Exim.
Livio 00:22, December 2, 2005

Here is my procmail Script to filter the e-mails received from Crontab. With this filter I will only receive important e-mails from chkrootkit and rkhunter eliminating the daily false positive reports. Only emails with Important information will be allow to pass. 
 
My 0.2 cents. 
Livio. 
 
 
# To Delete false positive Infected Port 465 from my Exim SSL SMTP 
* ^From:.*[email protected] 
* ^Subject: chkrootkit output 
| sed -e '/INFECTED (PORTS: 465)/d' 
 
# To delete emails with not Important Information (Same every Day) 
:0 
* ^From:.*[email protected] 
* ^Subject: chkrootkit output 
{ 
# Note the :0BD: means Case Sensitive search the body of the e-mail 
:0BD: 
*! (INFECTED|Vulnerable) 
/dev/null 
} 
 
:0 
* ^From:.*[email protected] 
* ^Subject: rkhunter Daily Run 
{ 
:0B 
*! (INFECTED|Vulnerable) 
/dev/null 
} 
 
 
:0 
* ^To: .*myemail@@myserver.com 
/home/mydomain/mail/myemail
livio 03:36, December 2, 2005

ooops. Here is the Script Fix (was missing :0 fBw at the beginning) 
 
# To Delete false positive Infected Port 465 from my Exim SSL SMTP 
:0 fBw 
* ^From:.*[email protected] 
* ^Subject: chkrootkit output 
| sed -e '/INFECTED (PORTS: 465)/d' 
 
# To delete emails with not Important Information (Same every Day) 
:0 
* ^From:.*[email protected] 
* ^Subject: chkrootkit output 
{ 
# Note the :0BD: means Case Sensitive search the body of the e-mail 
:0BD: 
*! (INFECTED|Vulnerable) 
/dev/null 
} 
 
:0 
* ^From:.*[email protected] 
* ^Subject: rkhunter Daily Run 
{ 
:0B 
*! (INFECTED|Vulnerable) 
/dev/null 
} 
 
 
:0 
* ^To: .*myemail@@myserver.com 
/home/mydomain/mail/myemail
Rahul 22:56, August 15, 2006

Am also getting same error is that ok 
 
Checking `asp'... not infected 
Checking `bindshell'... INFECTED (PORTS: 465) 
Checking `lkm'... You have 1 process hidden for readdir command 
You have 1 process hidden for ps command 
Warning: Possible LKM Trojan installed
Rahul 00:20, August 16, 2006

Am also getting same error is that ok 
 
Checking `asp'... not infected 
Checking `bindshell'... INFECTED (PORTS: 465) 
Checking `lkm'... You have 1 process hidden for readdir command 
You have 1 process hidden for ps command 
Warning: Possible LKM Trojan installed
Rob Barclay 11:55, August 16, 2006

Spot on article, helped me loads (just need to add my version was chkrootkit-0.46a) so took me a little while to work out why the daily cron wasnt working) 
 
But excellently written guide thank you
irlamp 09:49, December 23, 2006

Hello 
 
I have did and this is the result! what shoudl I do? 
 
[/etc/cron.daily]# ./chkrootkit.sh 
./chkrootkit.sh: line 2: cd: /chkrootkit-0.42b/: No such file or directory 
./chkrootkit.sh: line 3: ./chkrootkit 
 
Thanks
Paul Johnson 04:06, October 31, 2007

irlamp: change the path to match the actual location. Here's my script example. The thing is installed in /usr/bin 
 
#!/bin/bash 
cd /usr/bin 
./chkrootkit | mail -s "Daily chkrootkit from laptop" [email protected] 
 
last bit is all on one line. 
 
Livio: 
 
I got that error too. It happens because a single quote mark gets "turned" into an accent when you copy out of the email. Here's my program that does work, as far as I can tell. There is no error, anyway. All I did was change the ` to '. That is, the single quotes should be vertical, not slanted. 
 
#!/bin/bash 
cd /usr/bin 
./chkrootkit 2>&1 | grep "INFECTED|Vulnerable" | fgrep -v "Checking 'bindshell'... INFECTED (PORTS: 365)" | mail -s "Daily chkrootkit from laptop" [email protected] 
 
Last line is all one piece.
Sushant 00:42, December 19, 2008

I am getting same error.. 
 
root@sushant [~]# cat chkrootkit.log 
INFECTED (PORTS: 465) 
 
I have gone through this link..and it says same thing 'false positive' 
 
http://forums.theplanet.com/lofiversion/index.php/t29181.html 
 
What does it mean exactly by false positive ?
Iamthatyouwant 12:40, November 9, 2009

Very usefull ;D thanks for all
Angelo 18:06, June 10, 2010

I received the report email daily. But there is no message on the email.

After I manually ran the test report (./chkrootkit.sh),

I received a message on the CLI:

./chkrootkit.sh: line 2: cd: /chkrootkit-0.42b/: No such file or directory
./chkrootkit.sh: line 3: ./chkrootkit: No such file or directory
Null message body; hope that's ok

Best-Selling Hosting

Top Rated Providers

Editors Pick

Guide to Chkrootkit - checking for intruders Published: Oct 31, 2003

Rating

5/5

Rating

Rating

Rate it!

Related Articles

Comments (27)

Add Your Thoughts

Best-Selling Hosting

Top Rated Providers

Editors Pick

Guide to Chkrootkit - checking for intruders Published: Oct 31, 2003 Rating 5/5

Rating

Rating

Rate it!

Related Articles

Comments (27)

Add Your Thoughts

Guide to Chkrootkit - checking for intruders Published: Oct 31, 2003

Rating

5/5