Guide to Chkrootkit - checking for intruders Published: Oct 31, 2003

Do you need a Dedicated Server?

Perhaps you are wondering what dedicated servers are for, and whether you need one. Or perhaps you already know you need a dedicated server, but are stuck when it comes to choosing a host.

Whichever way, here are a few guidelines that may help you in making your decisions:

1. Do you need a Dedicated Server?
When renting server space from a host, you basically have two options - to rent shared server space or to rent a dedicated server. With a shared hosting arrangement (often referred to as 'virtual hosting'), your web-site shares server space with other web-sites. If you rent a dedicated server, on the other hand, you get an entire server and network connection to yourself.

Shared servers are less costly to rent than dedicated servers. They usually require a lower level of technical skills too, because the host does most of the server administration. This is why shared servers are usually the best choice for entry-level web-sites or for small businesses whose web-sites do not have high traffic levels.

While shared servers are the most cost-effective option for small web-sites, they are not necessarily a good option for large, "mission-critical" or high-traffic web-sites. For these a dedicated server may well be necessary.

Dedicated servers are more expensive to rent than shared servers, and they also require a higher level of technical skill to operate. However, if you are making thousands of dollars a day from e-commerce and your business would fail if the server went down for a day or more, then you should seriously consider renting a dedicated server. Here's why:

Server Response Times and Site Traffic Management
The server response times on a shared hosting arrangement depend on what is happening with the other sites hosted on the server. Your own server response time will be affected by service interruptions on another site - for instance, if another site suddenly receives an unexpectedly high level of traffic. These interruptions will be outside your control on a shared server. With a dedicated server, on the other hand, you alone are responsible for managing, and planning for, traffic levels and other events that may affect server response times.

Flexibility and Software
With shared servers, you will have limited access to the operating system, and software applications will be limited to those provided by the host. If you want to be able to install and run your own advanced, customised e-commerce or database applications, you will probably need a dedicated server.

Scalability
As your site grows, your traffic grows and your applications become more demanding, you will need to upgrade your server. If you are using a shared server, your upgrade options will be limited. Your host will usually allow you to increase the amount of disk space available to your site -- but that is all. You will not be able to upgrade the hard drive, RAM, processors, platform or software applications yourself. When you are using a dedicated server, you can do all of these things.

Security
Information on a shared server is likely to be less secure than information on a dedicated server. A dedicated server can also be provided with its own firewall. If you are storing highly sensitive information on your server, this increased security will obviously be a high priority.
2. Choosing a Dedicated Server Host
So, assuming you really do need a dedicated server, how then do you go about choosing the right host? Here are a few of the factors you will need to consider in making this choice.

Platform
Obviously, your choice of platform will depend to a large extent on the types of applications you are using and the skills and knowledge you already possess. The two most well known operating systems are Windows NT and Unix (which includes the Linux and Solaris platforms). Windows NT, the more expensive option, is regarded as the most user friendly and easiest to install, especially for those who use Windows on their PCs. Unix is cheaper, but there is usually a much steeper learning curve for those who are not familiar with the more arcane Unix environment.

Data Transfer
Most dedicated server providers will allow you to choose your level of data transfer, usually in gigabytes per month. Usually, you will be paying for this, so you do not want to purchase more data transfer than is realistically needed. This can always be increased as needed.

Data Backup
If you run a site that is constantly being updated, you will need to back it up frequently. This can be a hassle. Many dedicated hosting providers will provide a backup service for you - usually for an added fee, but the convenience may be worth it.

Monitoring
Your server will need to be monitored constantly to prevent service interruptions. Check to see that your host can provide such monitoring, how frequently it is done (e.g. every 5 minutes), and what measures they use to deal with problems that are detected.

Automation
As mentioned, running a dedicated server does usually require a greater level of technical knowledge than shared hosting. However, those who lack technical expertise may still be able to operate a dedicated server if the host offers some form of web-based automation to simplify the process of managing a server. Check to see if your host can offer such automation (if you think you may need it).

Comments (27)

  • Damian 01:55, November 15, 2003
    I have followed your "how to" to install chkrootkit; however, I cannot get the cron email to work.

    No such file or directory...

    I followed exactly the steps you mention. What is the right path for this?

    cd /yourinstallpath/chkrootkit-0.42b/
  • Edward 22:16, November 25, 2003
    Love it :)
  • Coffeymate 16:08, December 8, 2003
    Thanks for such concise instructions here at webhostgear.

    Do you have a link for what to do if you find an infected port?

    I'm getting bindshell infected port 465 on my new server acquired in the past couple of days after installing chkroot. I removed the .gz file but still get the same notice of 465 infected port.

    What do you suggest? Can you at least point me in the direction of a "how to" in the event of problems like this?

    Again, thanks for such an informative site!
  • alphonse 17:44, December 18, 2003
    What I'd like is a script that parses the chkrootkit output in order to email me ONLY if there is something strange happening.
    As I have no rootkit installed, I don't know the outputs to look for...
  • tom 18:33, December 26, 2003
    Great work
  • mike 01:50, January 18, 2004
    The latest version does not work using the above tutorial on cPanel RHE3 servers; it runs OK manually but not from cron.
  • Jeff Huckaby 06:11, April 2, 2004
    Some notes:

    MD5SUMs
    You should always check md5sums on software like chkrootkit. What would be worse than to check a problem and find out you installed a trojaned chkrootkit?

    A bit of a rant ....

    Running chkrootkit from cron.daily is not very useful. By the time you know anything has been changed, it is too late. Chkrootkit is not intended to be a file integrity system. Chkrootkit is great for a quick check when you suspect a problem, but it is not a file-integrity system like tripwire, aide or one of a number of host-based IDS programs.
  • Mikey 08:20, June 9, 2004
    If anyone is interested, this also works on a BSD box. I did have to go in and install bash, but other than that... works like a charm.

  • Daniel 18:58, July 1, 2004
    This is a great guide, but I noticed a small error in your typing: you might want to add an 'r' in the untar part of this guide. You are missing it for the file name.
  • Sun Joo 02:20, September 4, 2004
    This is a great one. Thanks a lot.
  • subrat 14:20, December 6, 2004
    This is the redefining technique for scanning vulnerabilities of servers.
  • burke 21:30, May 25, 2005
    This simple script runs chkrootkit but mails only if INFECTED:

    #!/bin/bash
    #
    # Cron Script - run from /etc/crontab or place in cron.daily
    #
    # Runs chkrootkit and reports if infected files are found

    cd /usr/local/src/chkrootkit
    ./chkrootkit 2>&1 | grep "INFECTED\|Vulnerable" | \
    fgrep -v "Checking \`bindshell'... INFECTED (PORTS: 365)"
  • Norvin 14:44, August 21, 2005
    Hi,

    Good piece of kit, however I am getting
    Checking `bindshell'... INFECTED (PORTS: 31337)

    Would that be an error?
    It is installed on a Raq4
    Cheers
  • Pete 14:03, October 14, 2005
    Very concise instructions, thank you for spelling it out. I'm sure most of us could have fudged through the install, but it's so much nicer to have it spelled out.

    Thanks for your time

    Cheers
  • elian 13:46, October 24, 2005
    I have the same problem:
    ----------------------------------------

    Checking `bindshell'... INFECTED (PORTS: 465)

    ------------------------------------
    What can I do?
  • dan 13:35, November 3, 2005
    Regarding the concern with the "INFECTED (PORTS: 31337)":
    I believe this is a result of using PortSentry...

    There's a reference to this at: http://www.howtoforge.com/howto_chkrootkit_portsentry
  • Livio 18:37, November 28, 2005
    Burke, when I run your script I get the following error:
    ./chkrootkitliv.sh: line 8: unexpected EOF while looking for matching ``'
    ./chkrootkitliv.sh: line 10: syntax error: unexpected end of file
    ---------------------------------------
    What is wrong on the line?

    cd /usr/local/src/chkrootkit
    ./chkrootkit 2>&1 | grep "INFECTED|Vulnerable" |
    fgrep -v "Checking `bindshell'... INFECTED (PORTS: 465)"
    ----------------------------------------
    What I'd like is a script that parses the chkrootkit output in order to email me ONLY if there is something strange happening and discard the port 465 error. I know 465 is my Secure SMTP on Exim.
  • Livio 00:22, December 2, 2005
    Here is my procmail script to filter the e-mails received from crontab. With this filter I will only receive important e-mails from chkrootkit and rkhunter, eliminating the daily false positive reports. Only emails with important information will be allowed to pass.

    My 0.2 cents.
    Livio.

    # To Delete false positive Infected Port 465 from my Exim SSL SMTP
    * ^From:.*root@myserver.com
    * ^Subject: chkrootkit output
    | sed -e '/INFECTED (PORTS: 465)/d'

    # To delete emails with not Important Information (Same every Day)
    :0
    * ^From:.*root@myserver.com
    * ^Subject: chkrootkit output
    {
    # Note the :0BD: means Case Sensitive search the body of the e-mail
    :0BD:
    *! (INFECTED|Vulnerable)
    /dev/null
    }

    :0
    * ^From:.*root@myserver.com
    * ^Subject: rkhunter Daily Run
    {
    :0B
    *! (INFECTED|Vulnerable)
    /dev/null
    }

    :0
    * ^To: .*myemail@@myserver.com
    /home/mydomain/mail/myemail

  • livio 03:36, December 2, 2005
    Oops. Here is the script fix (was missing :0 fBw at the beginning):

    # To Delete false positive Infected Port 465 from my Exim SSL SMTP
    :0 fBw
    * ^From:.*root@myserver.com
    * ^Subject: chkrootkit output
    | sed -e '/INFECTED (PORTS: 465)/d'

    # To delete emails with not Important Information (Same every Day)
    :0
    * ^From:.*root@myserver.com
    * ^Subject: chkrootkit output
    {
    # Note the :0BD: means Case Sensitive search the body of the e-mail
    :0BD:
    *! (INFECTED|Vulnerable)
    /dev/null
    }

    :0
    * ^From:.*root@myserver.com
    * ^Subject: rkhunter Daily Run
    {
    :0B
    *! (INFECTED|Vulnerable)
    /dev/null
    }

    :0
    * ^To: .*myemail@@myserver.com
    /home/mydomain/mail/myemail
  • Rahul 22:56, August 15, 2006
    I am also getting the same error. Is that OK?

    Checking `asp'... not infected
    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'... You have 1 process hidden for readdir command
    You have 1 process hidden for ps command
    Warning: Possible LKM Trojan installed
  • Rob Barclay 11:55, August 16, 2006
    Spot on article, helped me loads (just need to add that my version was chkrootkit-0.46a, so it took me a little while to work out why the daily cron wasn't working).

    But an excellently written guide, thank you.
  • irlamp 09:49, December 23, 2006
    Hello

    I have done this and this is the result! What should I do?

    [/etc/cron.daily]# ./chkrootkit.sh
    ./chkrootkit.sh: line 2: cd: /chkrootkit-0.42b/: No such file or directory
    ./chkrootkit.sh: line 3: ./chkrootkit

    Thanks
  • Paul Johnson 04:06, October 31, 2007
    irlamp: change the path to match the actual location. Here's my script example. The thing is installed in /usr/bin

    #!/bin/bash
    cd /usr/bin
    ./chkrootkit | mail -s "Daily chkrootkit from laptop" pauljohn32@freefaculty.org

    Last bit is all on one line.

    Livio:

    I got that error too. It happens because a single quote mark gets "turned" into an accent when you copy out of the email. Here's my program that does work, as far as I can tell. There is no error, anyway. All I did was change the ` to '. That is, the single quotes should be vertical, not slanted.

    #!/bin/bash
    cd /usr/bin
    # grep -E is needed so that "|" means alternation; plain grep treats it as a literal character
    ./chkrootkit 2>&1 | grep -E "INFECTED|Vulnerable" | fgrep -v "Checking 'bindshell'... INFECTED (PORTS: 365)" | mail -s "Daily chkrootkit from laptop" pauljohn32@freefaculty.org

    Last line is all one piece.
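As an added example (not code from the article or from any commenter), here is a shell filter for the cron-job problem alphonse, Burke, Livio and Paul Johnson discuss above: it keeps only INFECTED, Vulnerable and Warning lines, and suppresses the bindshell line only when every reported port is on a whitelist, so a known local listener such as SMTPS on 465 is dropped while any extra port would still be mailed. The whitelisted ports, the sample output and the mail recipient are assumptions.

```shell
#!/bin/bash
# Added example: a filter for cron-driven chkrootkit runs. It reports only
# findings, and drops the bindshell line only when every listed port is a
# known local listener (assumption: ports taken from the comments above).

BENIGN_BINDSHELL_PORTS="465 31337"   # assumption: SMTPS and a PortSentry trap

# Reads chkrootkit output on stdin; prints only the lines worth a mail.
filter_chkrootkit_output() {
    while IFS= read -r line; do
        case "$line" in
            *INFECTED*|*Vulnerable*|*Warning:*|*"process hidden"*) ;;
            *) continue ;;          # "not infected" and banner lines are noise
        esac
        case "$line" in
            *"bindshell'... INFECTED (PORTS:"*)
                ports=${line##*PORTS: }   # strip everything up to the port list
                ports=${ports%)}          # drop the closing parenthesis
                all_benign=1
                for p in $ports; do
                    case " $BENIGN_BINDSHELL_PORTS " in
                        *" $p "*) ;;      # this port is whitelisted
                        *) all_benign=0 ;;
                    esac
                done
                [ "$all_benign" -eq 1 ] && continue
                ;;
        esac
        printf '%s\n' "$line"
    done
}

# Runs chkrootkit (path given as $1) and mails only when findings remain.
report_findings() {
    findings=$("$1" 2>&1 | filter_chkrootkit_output)
    [ -n "$findings" ] || return 0        # quiet day: no mail at all
    printf '%s\n' "$findings" | mail -s "chkrootkit findings on $(hostname)" root
}

# Constructed sample output (not a real run) for trying the filter offline.
sample_output() {
    cat <<'EOF'
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
EOF
}

sample_output | filter_chkrootkit_output   # prints only the two LKM lines
```

In cron, call report_findings with the path to the chkrootkit binary instead of piping through mail directly, so a clean run sends nothing.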
  • Sushant 00:42, December 19, 2008
    I am getting the same error..

    root@sushant [~]# cat chkrootkit.log
    INFECTED (PORTS: 465)

    I have gone through this link, and it says the same thing: 'false positive'

    http://forums.theplanet.com/lofiversion/index.php/t29181.html

    What does it mean exactly by false positive?
  • Iamthatyouwant 12:40, November 9, 2009
    Very useful ;D thanks for all
  • Angelo 18:06, June 10, 2010
    I received the report email daily. But there is no message in the email.

    After I manually ran the test report (./chkrootkit.sh),

    I received a message on the CLI:

    ./chkrootkit.sh: line 2: cd: /chkrootkit-0.42b/: No such file or directory
    ./chkrootkit.sh: line 3: ./chkrootkit: No such file or directory
    Null message body; hope that's ok

WebHostGear.com is a hosting directory, not a web host.

Copyright © 1998-2014 WebHostGear.com