Guide to Chkrootkit - checking for intruders
Published: Oct 31, 2003

Now that you have your own servers you need to name them like any good admin would. Giving each server a name will help you and your clients communicate more effectively. If a client phones you up and says they're on server 25, will you know which one that is? Instead of just using plain numbers, have a bit of fun with it and try to keep the same category or theme for all your servers.

Server Name Suggestions
- Try to keep the names short so you can spell and remember them
- Don’t use any numbers with your server names
- Have some fun and be creative!

Here are a few suggestions!
- Animal names, e.g. hawk
- Planets, e.g. uranus (well, maybe skip that one)
- Stars, e.g. theta or centaurus
- Greek history
- Simpsons characters or TV shows
- Movie character names, e.g. yoda or c3po
- Vegas hotel names
- Beer or wine

After you've assigned a naming scheme to your servers, use it as your main reference and get your clients in the habit of knowing which server they're on. The best way to keep track of all your servers is to set up a status page for clients that lists name/IP pairs and their online/offline status. Also tell your clients which server they're on in their signup email.

Have fun and go make up some cool server names and share them with us!

Comments (27)

  • Damian 01:55, November 15, 2003
    I have followed your "how to" to install chkrootkit; however, I cannot get the cron email to work.

    No such file or directory...

    I followed exactly the steps you mention, so what is the right path for this?

    cd /yourinstallpath/chkrootkit-0.42b/
  • Edward 22:16, November 25, 2003
    Love it :)
  • Coffeymate 16:08, December 8, 2003
    Thanks for such concise instructions here at webhostgear.

    Do you have a link for what to do if you find an infected port?

    I'm getting bindshell infected port 465 on my new server acquired in the past couple days after installing chkroot. I removed the .gz file but still get the same notice of 465 infected port.

    What do you suggest? Can you at least point me in the direction of a "how to" in the event of problems like this?

    Again, thanks for such an informative site!
  • alphonse 17:44, December 18, 2003
    What I'd like is a script that parses the chkrootkit output in order to email me ONLY if there is something strange happening.
    As I have no rootkit installed, I don't know the outputs to look for...
  • tom 18:33, December 26, 2003
    Great work
  • mike 01:50, January 18, 2004
    The latest version does not work using the above tutorial on cPanel RHE3 servers; it runs OK manually but not from cron.
  • Jeff Huckaby 06:11, April 2, 2004
    Some notes:

    MD5SUMs
    You should always check md5sums on software like chkrootkit. What would be worse than to check a problem and find out you installed a trojan chkrootkit?

    A bit of a rant ....

    Running chkrootkit from cron.daily is not very useful. By the time you know anything has been changed, it is too late. Chkrootkit is not intended to be a file integrity system. Chkrootkit is great for a quick check when you suspect a problem, but it is not a file-integrity system like Tripwire, AIDE or one of a number of host-based IDS programs.
  • Mikey 08:20, June 9, 2004
    If anyone is interested, this also works on a BSD box. I did have to go in and install bash, but other than that... works like a charm.

  • Daniel 18:58, July 1, 2004
    This is a great guide, but I noticed a small error in your typing; you might want to add an 'r' in the untar part of this guide. You are missing it in the file name.
  • Sun Joo 02:20, September 4, 2004
    This is a great one. Thanks a lot.
  • subrat 14:20, December 6, 2004
    This is the redefining technique for scanning vulnerabilities of servers.
  • burke 21:30, May 25, 2005
    This simple script runs chkrootkit but mails only if INFECTED:

    #!/bin/bash
    #
    # Cron Script - run from /etc/crontab or place in cron.daily
    #
    # Runs chkrootkit and reports if infected files are found

    cd /usr/local/src/chkrootkit
    ./chkrootkit 2>&1 | grep "INFECTED\|Vulnerable" | \
    fgrep -v "Checking \`bindshell'... INFECTED (PORTS: 365)"
  • Norvin 14:44, August 21, 2005
    Hi,

    Good piece of kit; however, I am getting
    Checking `bindshell'... INFECTED (PORTS: 31337)

    Would that be an error?
    It is installed on a Raq4.
    Cheers
  • Pete 14:03, October 14, 2005
    Very concise instructions, thank you for spelling it out. I'm sure most of us could have fudged through the install, but it's so much nicer to have it spelled out.

    Thanks for your time.

    Cheers
  • elian 13:46, October 24, 2005
    I have the same problem:
    ----------------------------------------

    Checking `bindshell'... INFECTED (PORTS: 465)

    ------------------------------------
    What can I do?
  • dan 13:35, November 3, 2005
    Regarding the concern with the "INFECTED (PORTS: 31337)":
    I believe this is a result of using PortSentry...

    There's a reference to this at: http://www.howtoforge.com/howto_chkrootkit_portsentry
  • Livio 18:37, November 28, 2005
    Burke, when I run your script I get the following error:
    ./chkrootkitliv.sh: line 8: unexpected EOF while looking for matching ``'
    ./chkrootkitliv.sh: line 10: syntax error: unexpected end of file
    ---------------------------------------
    What is wrong on the line?

    cd /usr/local/src/chkrootkit
    ./chkrootkit 2>&1 | grep "INFECTED|Vulnerable" |
    fgrep -v "Checking `bindshell'... INFECTED (PORTS: 465)"
    ----------------------------------------
    What I'd like is a script that parses the chkrootkit output in order to email me ONLY if there is something strange happening and discharge the port 465 error. I know 465 is my Secure SMTP on Exim.
  • Livio 00:22, December 2, 2005
    Here is my procmail script to filter the e-mails received from crontab. With this filter I will only receive important e-mails from chkrootkit and rkhunter, eliminating the daily false positive reports. Only emails with important information will be allowed to pass.

    My 0.2 cents.
    Livio.

    # To Delete false positive Infected Port 465 from my Exim SSL SMTP
    * ^From:.*root@myserver.com
    * ^Subject: chkrootkit output
    | sed -e '/INFECTED (PORTS: 465)/d'

    # To delete emails with not Important Information (Same every Day)
    :0
    * ^From:.*root@myserver.com
    * ^Subject: chkrootkit output
    {
    # Note the :0BD: means Case Sensitive search the body of the e-mail
    :0BD:
    *! (INFECTED|Vulnerable)
    /dev/null
    }

    :0
    * ^From:.*root@myserver.com
    * ^Subject: rkhunter Daily Run
    {
    :0B
    *! (INFECTED|Vulnerable)
    /dev/null
    }

    :0
    * ^To: .*myemail@@myserver.com
    /home/mydomain/mail/myemail

  • livio 03:36, December 2, 2005
    Oops. Here is the script fix (was missing :0 fBw at the beginning):

    # To Delete false positive Infected Port 465 from my Exim SSL SMTP
    :0 fBw
    * ^From:.*root@myserver.com
    * ^Subject: chkrootkit output
    | sed -e '/INFECTED (PORTS: 465)/d'

    # To delete emails with not Important Information (Same every Day)
    :0
    * ^From:.*root@myserver.com
    * ^Subject: chkrootkit output
    {
    # Note the :0BD: means Case Sensitive search the body of the e-mail
    :0BD:
    *! (INFECTED|Vulnerable)
    /dev/null
    }

    :0
    * ^From:.*root@myserver.com
    * ^Subject: rkhunter Daily Run
    {
    :0B
    *! (INFECTED|Vulnerable)
    /dev/null
    }

    :0
    * ^To: .*myemail@@myserver.com
    /home/mydomain/mail/myemail
  • Rahul 22:56, August 15, 2006
    I am also getting the same error; is that OK?

    Checking `asp'... not infected
    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'... You have 1 process hidden for readdir command
    You have 1 process hidden for ps command
    Warning: Possible LKM Trojan installed
  • Rob Barclay 11:55, August 16, 2006
    Spot on article, helped me loads (just need to add that my version was chkrootkit-0.46a, so it took me a little while to work out why the daily cron wasn't working).

    But excellently written guide, thank you.
  • irlamp 09:49, December 23, 2006
    Hello

    I have done it and this is the result! What should I do?

    [/etc/cron.daily]# ./chkrootkit.sh
    ./chkrootkit.sh: line 2: cd: /chkrootkit-0.42b/: No such file or directory
    ./chkrootkit.sh: line 3: ./chkrootkit

    Thanks
  • Paul Johnson 04:06, October 31, 2007
    irlamp: change the path to match the actual location. Here's my script example. The thing is installed in /usr/bin

    #!/bin/bash
    cd /usr/bin
    ./chkrootkit | mail -s "Daily chkrootkit from laptop" pauljohn32@freefaculty.org

    The last bit is all on one line.

    Livio:

    I got that error too. It happens because a single quote mark gets "turned" into an accent when you copy out of the email. Here's my program that does work, as far as I can tell. There is no error, anyway. All I did was change the ` to '. That is, the single quotes should be vertical, not slanted.

    #!/bin/bash
    cd /usr/bin
    # \| is required for alternation in basic grep; a bare | is matched literally
    ./chkrootkit 2>&1 | grep "INFECTED\|Vulnerable" | fgrep -v "Checking 'bindshell'... INFECTED (PORTS: 365)" | mail -s "Daily chkrootkit from laptop" pauljohn32@freefaculty.org

    The last line is all one piece.
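A wrapper along the lines of burke's and Livio's idea (mail only when something unexplained remains), written here as an added example rather than taken from the article or any commenter; the install path, the recipient address and the two allowlisted ports are assumptions for this host:

```shell
#!/bin/sh
# Added example, not from the article or any commenter: run chkrootkit,
# drop findings that were reviewed and confirmed benign, and mail only
# when something unexplained remains. CHKROOTKIT, MAILTO and the
# allowlisted ports are assumptions for this host; adjust them.
CHKROOTKIT=/usr/local/src/chkrootkit/chkrootkit
MAILTO=root

# Reviewed false positives, one grep -E pattern per line. The bindshell
# test flags any listener on chkrootkit's port list, so a legitimate
# service there (465 for Exim SMTPS, 31337 for PortSentry, as reported
# in this thread) is printed as INFECTED. chkrootkit writes the check
# name as `bindshell', so the patterns skip the backtick instead of
# escaping it inside double quotes (the cause of the "unexpected EOF").
ALLOWLIST='bindshell.* INFECTED \(PORTS: 465\)$
bindshell.* INFECTED \(PORTS: 31337\)$'

# Reads chkrootkit output on stdin, prints the findings that are not
# allowlisted, and returns 0 if any remain or 1 if the run looks clean.
filter_findings() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$ALLOWLIST" > "$tmp"
    # Lines chkrootkit uses for positive results; "not infected" is
    # lower case, so the case-sensitive INFECTED does not catch it.
    out=$(grep -E 'INFECTED|Vulnerable|Warning|hidden for' | grep -E -v -f "$tmp")
    rm -f "$tmp"
    [ -n "$out" ] && printf '%s\n' "$out"
}

# Runs the scanner and mails the unexplained findings together with the
# full report, so the reader has the context of the whole run.
run_and_report() {
    report=$("$CHKROOTKIT" 2>&1)
    if findings=$(printf '%s\n' "$report" | filter_findings); then
        printf 'Unexplained chkrootkit findings on %s:\n\n%s\n\nFull report:\n%s\n' \
            "$(hostname)" "$findings" "$report" \
            | mail -s "chkrootkit ALERT on $(hostname)" "$MAILTO"
    fi
}

# Scan only when invoked as "chkrootkit-report.sh run" (e.g. from cron);
# sourcing the file just defines the functions.
case "${1-}" in run) run_and_report ;; esac
```

Review the allowlist whenever a service changes port: an entry that no longer corresponds to a legitimate listener would silently hide a real bindshell on that port.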
  • Sushant 00:42, December 19, 2008
    I am getting the same error..

    root@sushant [~]# cat chkrootkit.log
    INFECTED (PORTS: 465)

    I have gone through this link, and it says the same thing: 'false positive'

    http://forums.theplanet.com/lofiversion/index.php/t29181.html

    What does it mean exactly by 'false positive'?
  • Iamthatyouwant 12:40, November 9, 2009
    Very useful ;D thanks for all
  • Angelo 18:06, June 10, 2010
    I received the report email daily. But there is no message on the email.

    After I manually ran the test report (./chkrootkit.sh),

    I received a message on the CLI:

    ./chkrootkit.sh: line 2: cd: /chkrootkit-0.42b/: No such file or directory
    ./chkrootkit.sh: line 3: ./chkrootkit: No such file or directory
    Null message body; hope that's ok
