
Guide to Chkrootkit - checking for intruders Published: Oct 31, 2003

Every webmaster cringes at the thought of moving hosts. Like moving house, it can be messy and problems sometimes arise, but if you follow these simple steps the move will be less painful.

Backup Backup Backup
If you have been diligent with your backups you have a lot of insurance to fall back on, but always take a fresh backup before the move. If you have not, do a backup now, before you do anything else. Back up everything you can, and do not forget the database if your site relies on one. Save at least two copies and store them separately: one to work with and one as an untouched archive. Do not underestimate how easy it is to overwrite or corrupt the working copy while you are making changes.

If you are moving to a host with a different control panel, make a manual backup by downloading all your files, because one control panel may not be able to restore the backups made by another. Control panels also use different directory structures, so your file tree may end up in the wrong places. Keep a small text file of notes on the old server's configuration (paths, permissions, cron jobs); it will save confusion while you make changes on the new server and switch back and forth between hosts. Use the correct FTP transfer type (ASCII for text, scripts and HTML; binary for images, archives and everything else) as you download. A file transferred in the wrong mode is silently damaged, and you will have a hard time getting the site to work on the new server.

If the server logs matter to you, back those up too. There is no good way to move logs between hosts, because different hosts log statistics differently, so the best option is to download them and run a log analyzer on your own machine when you need to refer to them later.
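The pre-move backup described above, as an added example that is not part of the article: it archives the site, keeps the two copies the text recommends, and proves each copy is intact before it is trusted, because a backup that was never test-read is a hope rather than a backup. It assumes tar, gzip and GNU sha256sum are installed and that the caller supplies the site directory and destination paths; if the site uses a database, dump it into the site directory first (for example with mysqldump) so the dump ends up inside the archive. The site tree in demo_backup is constructed.

```shell
#!/bin/sh
# Added example (not from the article): take the pre-move backup, keep two
# copies, and verify both before trusting either. Assumptions: tar, gzip and
# sha256sum (GNU coreutils) are installed; paths are supplied by the caller.

# make_backup SITE_DIR WORK_COPY ARCHIVE_COPY
# Archives SITE_DIR with relative paths (so it restores anywhere), writes the
# working copy, duplicates it as the archive copy, and verifies both.
# Prints the archive's SHA-256 on success so it can be recorded off-host.
make_backup() {
    site_dir=$1; work=$2; archive=$3
    [ -d "$site_dir" ] || { echo "no such directory: $site_dir" >&2; return 1; }
    tar -C "$(dirname "$site_dir")" -czf "$work" "$(basename "$site_dir")" || return 1
    cp "$work" "$archive" || return 1
    sum_work=$(sha256sum "$work" | cut -d' ' -f1)
    sum_arch=$(sha256sum "$archive" | cut -d' ' -f1)
    # Two copies that do not hash identically are one copy and a problem.
    [ "$sum_work" = "$sum_arch" ] || { echo "copies differ" >&2; return 1; }
    # tar -t reads the whole archive: a truncated or mis-transferred file
    # (the ASCII/binary mistake) fails here, not on restore day.
    tar -tzf "$archive" >/dev/null || { echo "archive unreadable" >&2; return 1; }
    echo "$sum_work"
}

# verify_backup ARCHIVE EXPECTED_SHA256: re-check a stored copy later, e.g.
# after uploading it to the new host or before cancelling the old account.
verify_backup() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ] && tar -tzf "$1" >/dev/null
}

# demo_backup: run the functions on a constructed site tree and confirm that
# a damaged archive copy is detected. Prints "ok" on success.
demo_backup() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site/htdocs" "$tmp/site/cgi-bin"
    echo '<html>home</html>' > "$tmp/site/htdocs/index.html"
    echo '#!/usr/bin/perl' > "$tmp/site/cgi-bin/form.pl"
    sum=$(make_backup "$tmp/site" "$tmp/site-work.tgz" "$tmp/site-archive.tgz") || return 1
    verify_backup "$tmp/site-archive.tgz" "$sum" || return 1
    # Damage the archive copy: the recorded hash must no longer match.
    printf 'X' >> "$tmp/site-archive.tgz"
    if verify_backup "$tmp/site-archive.tgz" "$sum"; then
        echo "corruption not detected" >&2; return 1
    fi
    rm -rf "$tmp"
    echo ok
}
```

Record the printed hash somewhere other than the server being moved; on the new host, run verify_backup against the uploaded copy before you start unpacking.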

Gather Odds and Ends

1. A good FTP program, which you should have by now.

2. The DNS (name server) details for your new host.

3. It is also helpful to have a small script that prints the server environment on the new host (paths, versions, installed modules) for quick reference.

4. The temporary URL on your new host, so you can check your site before you change DNS.

5. If your host controls the domain, tell them not to change your DNS until you say so.

6. If you run scripts: get a copy of the original installation guide and of the script itself. Scripts sometimes do not work correctly after being moved, so you may need to install them from scratch. Get a list of all the server paths on the new server, such as Perl, Sendmail and the home directory. If your script needs particular server modules or programs, make sure they are installed and find out where. These may have been covered before you ordered the account, but hosts sometimes remove a module or have not installed it yet.

Inform Your Visitors
It is common and good practice to inform your visitors and customers of the server move. If you run an e-store, this reassures customers that you have not run off with their money if there is any downtime. Also give an alternate email address so you do not lose email during the transfer. You may also want to post periodic updates before, during (if there is downtime) and after the move. On a large site this is worth doing because visitors can alert you whenever part of the site is not working.

Moving Day
Try to schedule the move for the time of least traffic. Back up again just before you move so you have the latest data. Start by copying or creating your custom error pages on the new server, with a small note about the move that you can remove later. Then upload the most visible parts of the site first, i.e. the main pages, and move on to the less critical parts. If you have a large site with many sections you may want to spread the move over several days; in that case move the least critical sections first. Always take a backup before you move anything. Use the temporary URL to check your site, visiting as many pages as you can.

Changing DNS
Once you are satisfied, change your DNS over. Propagation typically takes 24-48 hours, because resolvers cache the old records until their time-to-live (TTL) expires; if you can, lower the TTL on your records a few days before the move so the switch completes faster. Use the waiting time to make minor changes if needed. You may also want to modify your old site's error pages to tell visitors about the move and point to the new URL if any URLs have changed. To tell whether DNS has resolved for you, make a small change on the new pages so you can distinguish the old server from the new one.
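A firmer way to tell whether the change has taken effect, added here as an example and not part of the article: ask specific resolvers for the A record and classify each answer against the old and new server addresses, rather than looking for a cosmetic difference between the two pages. It assumes dig (from BIND's dnsutils/bind-utils package) is installed for the live query; the host name, addresses and resolver names in the usage line are placeholders, and the answers in the tests are constructed.

```shell
#!/bin/sh
# Added example (not part of the article): decide whether DNS has cut over by
# asking named resolvers, instead of eyeballing the page. Assumptions: dig is
# installed for the live check; all names and addresses are placeholders.

# classify_answer NEW_IP OLD_IP ANSWER
# ANSWER is resolver output with one record per line (as from `dig +short`).
# Non-IPv4 lines, e.g. a CNAME target, are skipped. Prints one word:
#   new    only the new address was returned  (cut-over complete at this resolver)
#   old    only the old address               (old record still cached)
#   mixed  both                               (partial update or round-robin)
#   other  an address that is neither         (record typo, or something you did not set up)
#   empty  no A record at all                 (resolver failure, or the name is gone)
classify_answer() {
    new_ip=$1; old_ip=$2; answer=$3
    saw_new=0; saw_old=0; saw_other=0; n=0
    for rec in $answer; do
        case $rec in *[!0-9.]*) continue ;; esac
        n=$((n + 1))
        if [ "$rec" = "$new_ip" ]; then saw_new=1
        elif [ "$rec" = "$old_ip" ]; then saw_old=1
        else saw_other=1; fi
    done
    if [ "$n" -eq 0 ]; then echo empty
    elif [ "$saw_other" -eq 1 ]; then echo other
    elif [ "$saw_new" -eq 1 ] && [ "$saw_old" -eq 1 ]; then echo mixed
    elif [ "$saw_new" -eq 1 ]; then echo new
    else echo old
    fi
}

# check_cutover HOST NEW_IP OLD_IP RESOLVER...
# Prints "<resolver> <state>" per resolver. Ask the new host's authoritative
# name server first (it must answer "new", or the change was never made),
# then a few public caches. Keep the old account until every resolver you
# care about answers "new".
check_cutover() {
    host=$1; new_ip=$2; old_ip=$3; shift 3
    for r in "$@"; do
        answer=$(dig +short +time=3 +tries=1 A "$host" "@$r" 2>/dev/null)
        printf '%s %s\n' "$r" "$(classify_answer "$new_ip" "$old_ip" "$answer")"
    done
}

# Usage with placeholder values (RFC 5737 documentation addresses):
#   check_cutover www.example.com 203.0.113.10 198.51.100.7 ns1.newhost.example 8.8.8.8 1.1.1.1
```

An "old" or "mixed" answer from a public cache is the reason to keep the old account running: some visitors are still being sent there.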

Monitor
After the move, once DNS has resolved, do not release the old account yet. Keep it running concurrently for up to two weeks. Go back and check the old server for activity: check the old email account, and if you have a web-based contact form on the old server, check whether any messages were left there. Once you are confident that all email and traffic are reaching the new server, you can cancel the old account.

Written By HostVoice.net - HostVoice is a free online service which brings hosting companies and consumers together. Submit a free request and receive offers within 15 minutes from qualifying hosts.

Comments (27)

  • Gravatar - Damian
    Damian 01:55, November 15, 2003
    I have followed your "how to" to install chkrootkit; however, I cannot get the cron email to work..

    No such file or directory...

    I followed exactly the steps you mention, so what is the right path for this?

    cd /yourinstallpath/chkrootkit-0.42b/
  • Gravatar - Edward
    Edward 22:16, November 25, 2003
    Love it :)
  • Gravatar - Coffeymate
    Coffeymate 16:08, December 8, 2003
    Thanks for such concise instructions here at webhostgear.

    Do you have a link for what to do if you find an infected port?

    I'm getting "bindshell infected port 465" on my new server, acquired in the past couple of days, after installing chkrootkit. I removed the .gz file but still get the same notice of port 465 infected.

    What do you suggest? Can you at least point me in the direction of a "how to" in the event of problems like this?

    Again, thanks for such an informative site!
  • Gravatar - alphonse
    alphonse 17:44, December 18, 2003
    What I'd like is a script that parses the chkrootkit output in order to email me ONLY if there is something strange happening.
    As I have no rootkit installed, I don't know the outputs to look for...
  • Gravatar - tom
    tom 18:33, December 26, 2003
    Great work
  • Gravatar - mike
    mike 01:50, January 18, 2004
    latest version does not work using the above tutorial on cpanel RHE3 servers, runs ok manually but not from cron
  • Gravatar - Jeff Huckaby
    Jeff Huckaby 06:11, April 2, 2004
    Some notes:

    MD5SUMs
    You should always check md5sums on software like chkrootkit. What would be worse than checking for a problem and finding out you had installed a trojaned chkrootkit?

    A bit of a rant ....

    Running chkrootkit from cron.daily is not very useful. By the time you know anything has been changed, it is too late. Chkrootkit is not intended to be a file integrity system. Chkrootkit is great for a quick check when you suspect a problem, but it is not a file-integrity system like Tripwire, AIDE or one of a number of host-based IDS programs.
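The two checks asked for in the comment above, as an added example that is not code from the page or from the chkrootkit project: verify_download compares a downloaded tarball with a published checksum before anything is unpacked or run, and baseline_dir/compare_baseline keep a hash list of the installed tree so a later change is visible, which is the idea behind AIDE and Tripwire in miniature. It assumes GNU coreutils (sha256sum, md5sum, diff) and a checksum file in the "<digest>  <filename>" format those tools write; adapt the awk field if the publisher uses another layout. Paths are placeholders and the tarball in demo_integrity is constructed.

```shell
#!/bin/sh
# Added example (not from the page or chkrootkit): checksum verification of a
# download, plus a minimal hash baseline of an installed tree. Assumptions:
# GNU coreutils; checksum file lines look like "<digest>  <filename>".

# verify_download TARBALL CHECKSUM_FILE [md5|sha256]
# Returns 0 only on an exact digest match. A tarball with no entry in the
# checksum file is a failure, not a pass. Prefer sha256 where the publisher
# offers it; either digest only proves you got the file the publisher listed.
verify_download() {
    tarball=$1; sums=$2; algo=${3:-sha256}
    case $algo in
        md5)    tool=md5sum ;;
        sha256) tool=sha256sum ;;
        *)      echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    expected=$(awk -v f="$(basename "$tarball")" '$2 == f { print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no checksum listed for $tarball" >&2; return 1; }
    actual=$($tool "$tarball" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# baseline_dir DIR OUT: record the SHA-256 of every regular file under DIR.
# Store OUT where the host cannot rewrite it (read-only media, another
# machine): a baseline the intruder can edit proves nothing.
baseline_dir() {
    find "$1" -type f -exec sha256sum {} + | sort -k2 > "$2"
}

# compare_baseline DIR BASELINE: rebuild the list and diff it. "<" lines are
# the baseline, ">" the current tree: a modified file shows as one of each,
# a new file as ">" only, a removed file as "<" only. Returns 0 if nothing
# changed. Hashes are read through the running kernel, so this catches
# userland tampering, not a kernel module that lies about file contents.
compare_baseline() {
    now=$(mktemp)
    baseline_dir "$1" "$now"
    diff "$2" "$now" && rc=0 || rc=$?
    rm -f "$now"
    return $rc
}

# demo_integrity: constructed download + checksum file, then a baseline of
# the unpacked tree; prints "ok" when tampering is caught in both cases.
demo_integrity() {
    tmp=$(mktemp -d)
    mkdir "$tmp/src"
    echo 'placeholder' > "$tmp/src/chkrootkit"
    tar -C "$tmp" -czf "$tmp/chkrootkit.tar.gz" src
    (cd "$tmp" && sha256sum chkrootkit.tar.gz > chkrootkit.sha256)
    verify_download "$tmp/chkrootkit.tar.gz" "$tmp/chkrootkit.sha256" || return 1
    printf 'X' >> "$tmp/chkrootkit.tar.gz"
    verify_download "$tmp/chkrootkit.tar.gz" "$tmp/chkrootkit.sha256" && return 1
    baseline_dir "$tmp/src" "$tmp/baseline"
    compare_baseline "$tmp/src" "$tmp/baseline" >/dev/null || return 1
    echo 'extra bytes' >> "$tmp/src/chkrootkit"
    compare_baseline "$tmp/src" "$tmp/baseline" >/dev/null && return 1
    rm -rf "$tmp"
    echo ok
}
```

Fetch the checksum file over a different channel than the tarball where you can (the project's own site rather than a mirror), and take the baseline immediately after a clean install, before the host is exposed to traffic.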
  • Gravatar - Mikey
    Mikey 08:20, June 9, 2004
    If anyone is interested, this also works on a BSD box. I did have to go in and install bash, but other than that... works like a charm.

  • Gravatar - Daniel
    Daniel 18:58, July 1, 2004
    This is a great guide but I noticed a small error in your typing, might want to add an 'r' in the untar part of this guide. you are missing it for the file name.
  • Gravatar - Sun Joo
    Sun Joo 02:20, September 4, 2004
    This is a great one. Thanks a lot.
  • Gravatar - subrat
    subrat 14:20, December 6, 2004
    This is the redefining technique for scanning vulnerabilities of servers.
  • Gravatar - burke
    burke 21:30, May 25, 2005
    This simple script runs chkrootkit but mails only if INFECTED:

    #!/bin/bash
    #
    # Cron Script - run from /etc/crontab or place in cron.daily
    #
    # Runs chkrootkit and reports if infected files are found

    cd /usr/local/src/chkrootkit
    ./chkrootkit 2>&1 | grep "INFECTED\|Vulnerable" | \
    fgrep -v "Checking \`bindshell'... INFECTED (PORTS: 365)"
  • Gravatar - Norvin
    Norvin 14:44, August 21, 2005
    Hi,

    Good piece of kit; however, I am getting
    Checking `bindshell'... INFECTED (PORTS: 31337)

    Would that be an error?
    It is installed on a Raq4.
    Cheers
  • Gravatar - Pete
    Pete 14:03, October 14, 2005
    Very concise instructions, thank you for spelling it out. I'm sure most of us could have fudged through the install, but it's so much nicer to have it spelled out.

    Thanks for your time

    Cheers
  • Gravatar - elian
    elian 13:46, October 24, 2005
    I have the same problem:
    ----------------------------------------

    Checking `bindshell'... INFECTED (PORTS: 465)

    ------------------------------------
    what can I do?
  • Gravatar - dan
    dan 13:35, November 3, 2005
    Regarding the concern with the "INFECTED (PORTS: 31337)":
    I believe this is a result of using PortSentry...

    There's a reference to this at: http://www.howtoforge.com/howto_chkrootkit_portsentry
  • Gravatar - Livio
    Livio 18:37, November 28, 2005
    Burke, when I run your script I get the following error:
    ./chkrootkitliv.sh: line 8: unexpected EOF while looking for matching ``'
    ./chkrootkitliv.sh: line 10: syntax error: unexpected end of file
    ---------------------------------------
    What is wrong on the line?

    cd /usr/local/src/chkrootkit
    ./chkrootkit 2>&1 | grep "INFECTED|Vulnerable" |
    fgrep -v "Checking `bindshell'... INFECTED (PORTS: 465)"
    ----------------------------------------
    What I'd like is a script that parses the chkrootkit output in order to email me ONLY if there is something strange happening and discard the port 465 error. I know 465 is my secure SMTP on Exim.
  • Gravatar - Livio
    Livio 00:22, December 2, 2005
    Here is my procmail script to filter the e-mails received from crontab. With this filter I will only receive important e-mails from chkrootkit and rkhunter, eliminating the daily false positive reports. Only emails with important information will be allowed to pass.

    My 0.2 cents.
    Livio.

    # To Delete false positive Infected Port 465 from my Exim SSL SMTP
    * ^From:.*root@myserver.com
    * ^Subject: chkrootkit output
    | sed -e '/INFECTED (PORTS: 465)/d'

    # To delete emails with not Important Information (Same every Day)
    :0
    * ^From:.*root@myserver.com
    * ^Subject: chkrootkit output
    {
    # Note the :0BD: means Case Sensitive search the body of the e-mail
    :0BD:
    *! (INFECTED|Vulnerable)
    /dev/null
    }

    :0
    * ^From:.*root@myserver.com
    * ^Subject: rkhunter Daily Run
    {
    :0B
    *! (INFECTED|Vulnerable)
    /dev/null
    }

    :0
    * ^To: .*myemail@@myserver.com
    /home/mydomain/mail/myemail

  • Gravatar - livio
    livio 03:36, December 2, 2005
    Oops. Here is the script fix (it was missing :0 fBw at the beginning):

    # To Delete false positive Infected Port 465 from my Exim SSL SMTP
    :0 fBw
    * ^From:.*root@myserver.com
    * ^Subject: chkrootkit output
    | sed -e '/INFECTED (PORTS: 465)/d'

    # To delete emails with not Important Information (Same every Day)
    :0
    * ^From:.*root@myserver.com
    * ^Subject: chkrootkit output
    {
    # Note the :0BD: means Case Sensitive search the body of the e-mail
    :0BD:
    *! (INFECTED|Vulnerable)
    /dev/null
    }

    :0
    * ^From:.*root@myserver.com
    * ^Subject: rkhunter Daily Run
    {
    :0B
    *! (INFECTED|Vulnerable)
    /dev/null
    }

    :0
    * ^To: .*myemail@@myserver.com
    /home/mydomain/mail/myemail
  • Gravatar - Rahul
    Rahul 22:56, August 15, 2006
    I am also getting the same error; is that ok?

    Checking `asp'... not infected
    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'... You have 1 process hidden for readdir command
    You have 1 process hidden for ps command
    Warning: Possible LKM Trojan installed
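A way to follow up on the "process hidden for readdir/ps" lines in the post above, added here as an example and not code from the page or from chkrootkit: chkrootkit's chkproc compares several views of the process table (reading /proc, probing PIDs with kill(), the output of ps) and reports any PID that one view has and another lacks. The simplified version below compares only /proc against ps, but repeats the comparison, because a process that exits between the two listings (typically the listing command itself) shows up as hidden for exactly one pass, while a PID that ps cannot see on every pass is printed with its command line for inspection. It assumes Linux /proc and a procps-style ps; the PID lists in the tests and the usage line are constructed.

```shell
#!/bin/sh
# Added example (not from the page or chkrootkit): a simplified readdir-vs-ps
# hidden-process check with repetition to rule out races. Assumptions: Linux
# /proc and a ps that accepts "-e -o pid=". Sample PID lists are constructed.
export LC_ALL=C   # sort and comm must agree on collation

# pid_compare COMM_FLAGS LIST_A LIST_B: normalise two whitespace-separated
# PID lists (non-numeric tokens dropped) and hand them to comm.
pid_compare() {
    ta=$(mktemp); tb=$(mktemp)
    printf '%s\n' $2 | grep -x '[0-9][0-9]*' | sort -u > "$ta"
    printf '%s\n' $3 | grep -x '[0-9][0-9]*' | sort -u > "$tb"
    comm "$1" "$ta" "$tb"
    rm -f "$ta" "$tb"
}
# hidden_pids LIST_A LIST_B: PIDs in A but not in B, one per line.
hidden_pids() { pid_compare -23 "$1" "$2"; }
# common_pids LIST_A LIST_B: PIDs in both lists, one per line.
common_pids() { pid_compare -12 "$1" "$2"; }

# The two views. Note that `ls` itself is in /proc while it runs and has
# exited by the time ps runs, so a single pass always "hides" one PID; that
# is the race the repeated passes below remove.
proc_pids() { ls /proc | grep -x '[0-9][0-9]*'; }
ps_pids()   { ps -e -o pid=; }

# check_hidden [PASSES]: compare PASSES times, one second apart, and report
# only PIDs that were in /proc but absent from ps on every pass.
check_hidden() {
    passes=${1:-3}; i=0; persistent=""
    while [ "$i" -lt "$passes" ]; do
        found=$(hidden_pids "$(proc_pids)" "$(ps_pids)")
        if [ "$i" -eq 0 ]; then persistent=$found
        else persistent=$(common_pids "$persistent" "$found"); fi
        i=$((i + 1))
        if [ "$i" -lt "$passes" ]; then sleep 1; fi
    done
    if [ -z "$persistent" ]; then
        echo "no PID hidden from ps on all $passes passes"
        return 0
    fi
    for p in $persistent; do
        # cmdline is NUL-separated; empty or unreadable means a kernel thread
        # or a process that is already gone, which is itself worth noting.
        cmd=$(tr '\0' ' ' < "/proc/$p/cmdline" 2>/dev/null)
        printf 'PID %s hidden from ps on every pass: %s\n' "$p" "${cmd:-<no cmdline>}"
    done
    return 1
}

# Offline usage on constructed lists: prints 31337
hidden_pids "1 2 3 31337" "1 2 3"
# Live usage: sh hidden-pids.sh --live 3
case ${1:-} in --live) check_hidden "${2:-3}" ;; esac
```

A PID that survives every pass is not proof of a rootkit (ps and /proc can disagree briefly for zombies and threads too), but it is the one to look at, ideally from a boot CD or a second machine rather than through the suspect kernel.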
  • Gravatar - Rob Barclay
    Rob Barclay 11:55, August 16, 2006
    Spot on article, helped me loads (just need to add that my version was chkrootkit-0.46a, so it took me a little while to work out why the daily cron wasn't working).

    But an excellently written guide, thank you.
  • Gravatar - irlamp
    irlamp 09:49, December 23, 2006
    Hello

    I have done it and this is the result! What should I do?

    [/etc/cron.daily]# ./chkrootkit.sh
    ./chkrootkit.sh: line 2: cd: /chkrootkit-0.42b/: No such file or directory
    ./chkrootkit.sh: line 3: ./chkrootkit

    Thanks
  • Gravatar - Paul Johnson
    Paul Johnson 04:06, October 31, 2007
    irlamp: change the path to match the actual location. Here's my script example. The thing is installed in /usr/bin

    #!/bin/bash
    cd /usr/bin
    ./chkrootkit | mail -s "Daily chkrootkit from laptop" pauljohn32@freefaculty.org

    last bit is all on one line.

    Livio:

    I got that error too. It happens because a single quote mark gets "turned" into an accent when you copy out of the email. Here's my program that does work, as far as I can tell. There is no error, anyway. All I did was change the ` to '. That is, the single quotes should be vertical, not slanted.

    #!/bin/bash
    cd /usr/bin
    # -E so that | means alternation; plain grep would look for the literal string INFECTED|Vulnerable
    ./chkrootkit 2>&1 | grep -E "INFECTED|Vulnerable" | fgrep -v "Checking 'bindshell'... INFECTED (PORTS: 365)" | mail -s "Daily chkrootkit from laptop" pauljohn32@freefaculty.org

    Last line is all one piece.
  • Gravatar - Sushant
    Sushant 00:42, December 19, 2008
    I am getting the same error..

    root@sushant [~]# cat chkrootkit.log
    INFECTED (PORTS: 465)

    I have gone through this link, and it says the same thing, 'false positive':

    http://forums.theplanet.com/lofiversion/index.php/t29181.html

    What does it mean exactly by false positive?
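The wrapper the thread keeps asking for (burke's, Livio's and Paul's scripts above attempt it), added here as an example that is neither their code nor part of chkrootkit. Two details cause the trouble in the thread: a bare `grep "INFECTED|Vulnerable"` treats the | literally (grep -E, or burke's \|, is needed for alternation), and a backtick inside double quotes starts command substitution unless escaped, which is Livio's "unexpected EOF" error. The "false positive" Sushant asks about comes from how the bindshell test works: chkrootkit only checks whether something is listening on a fixed list of ports that backdoors have historically used, and 465 (SMTPS) and 31337 are on that list, so Exim on 465 or PortSentry on 31337 trips it. The script below matches with shell case patterns instead of grep patterns, drops a bindshell hit only when every port it names is one you have verified, appends what actually listens on any port it still reports, and mails loudly when the scanner cannot run instead of sending the empty mail irlamp and Angelo saw. CHKROOTKIT, MAILTO and KNOWN_PORTS are placeholders for your host; it assumes mail and ss (or netstat) are installed, and sample_report is constructed, not real scanner output.

```shell
#!/bin/bash
# Added example (not burke's, Livio's or Paul's script, not part of chkrootkit):
# cron wrapper that mails only real findings. Placeholders: CHKROOTKIT path,
# MAILTO, KNOWN_PORTS (ports you have confirmed carry a legitimate service).
CHKROOTKIT=${CHKROOTKIT:-/usr/local/src/chkrootkit/chkrootkit}
MAILTO=${MAILTO:-root}
KNOWN_PORTS=${KNOWN_PORTS:-465}

# filter_report: stdin = full chkrootkit report, stdout = findings only.
# A bindshell line is dropped only if every port it lists is in KNOWN_PORTS,
# so "PORTS:  465 31337" is still reported when only 465 is known-good.
filter_report() {
    grep -E 'INFECTED|Vulnerable|Warning|hidden' | while IFS= read -r line; do
        case $line in
            *"bindshell'... INFECTED (PORTS:"*)
                ports=${line##*PORTS:}
                ports=${ports%)*}
                unknown=""
                for p in $ports; do
                    case " $KNOWN_PORTS " in
                        *" $p "*) ;;
                        *) unknown="$unknown $p" ;;
                    esac
                done
                [ -z "$unknown" ] || printf '%s\n' "$line"
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# what_listens PORT: show the process behind a TCP listener (run as root to
# see PIDs). A hit on 465 that resolves to exim is the benign case; one that
# resolves to nothing you installed is not.
what_listens() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltnp "( sport = :$1 )"
    else
        netstat -ltnp 2>/dev/null | grep ":$1 "
    fi
}

# run_and_mail: the cron entry point. No mail when nothing is found; a loud
# mail when the scanner itself is missing.
run_and_mail() {
    if [ ! -x "$CHKROOTKIT" ]; then
        printf 'chkrootkit not found at %s\n' "$CHKROOTKIT" | mail -s "chkrootkit FAILED on $(hostname)" "$MAILTO"
        return 1
    fi
    findings=$("$CHKROOTKIT" 2>&1 | filter_report)
    [ -n "$findings" ] || return 0
    {
        printf '%s\n' "$findings"
        printf '%s\n' "$findings" | sed -n 's/.*PORTS: *\(.*\))/\1/p' | tr ' ' '\n' | sort -u | while read -r port; do
            [ -n "$port" ] || continue
            printf '\n-- listener on port %s --\n' "$port"
            what_listens "$port"
        done
    } | mail -s "chkrootkit findings on $(hostname)" "$MAILTO"
}

# Constructed sample report (not real scanner output) to exercise the filter.
sample_report() {
    cat <<'EOF'
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... You have 1 process hidden for readdir command
Warning: Possible LKM Trojan installed
Checking `sniffer'... not tested
EOF
}

# /etc/cron.daily/chkrootkit would contain:  /path/to/this.sh --cron
case ${1:-} in
    --cron) run_and_mail ;;
    --demo) sample_report | filter_report ;;
esac
```

Only add a port to KNOWN_PORTS after what_listens has shown you the expected daemon on it; the filter encodes a decision you made, not a guess.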
  • Gravatar - Iamthatyouwant
    Iamthatyouwant 12:40, November 9, 2009
    Very useful ;D thanks for all
  • Gravatar - Angelo
    Angelo 18:06, June 10, 2010
    I receive the report email daily, but there is no message in the email.

    After I manually ran the test report (./chkrootkit.sh),

    I received a message on the CLI:

    ./chkrootkit.sh: line 2: cd: /chkrootkit-0.42b/: No such file or directory
    ./chkrootkit.sh: line 3: ./chkrootkit: No such file or directory
    Null message body; hope that's ok


WebHostGear.com is a hosting directory, not a web host.

Copyright © 1998-2012 WebHostGear.com