WebHostGear.com - hosting tutorials
August 29, 2008

Guide to Chkrootkit - checking for intruders



By: ramprage. Average rating: 8.42 from 95 voters.

Chkrootkit is a powerful tool to scan your Linux server for trojans and rootkits. We'll show you how to install it, scan your server, and set up a daily automated scanning job that emails you the report.

Installing CHKROOTKIT

Version 0.42b (Sept. 20 2003)

SSH to your server as the admin user. DO NOT use telnet; it should be disabled anyway.

#Change to root
su -

#Type the following
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

# Check the MD5 sum of the download for security: fetch the published checksum
# and compare it with the sum of the file you downloaded. They must match
# before you unpack anything; a mismatch means a corrupt or tampered download.
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5

md5sum chkrootkit.tar.gz
cat chkrootkit.md5

#Unpack the tarball using the command
tar xvzf chkrootkit.tar.gz

#Change to the directory it created
cd chkrootkit*

#Compile by typing
make sense

#To use chkrootkit, just type the command
./chkrootkit

#Everything it outputs should be 'not found' or 'not infected'...

Article provided by WebHostGear.com
Important Note: If you see 'Checking `bindshell'... INFECTED (PORTS:  465)', read on.
I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself to unused ports, chkrootkit will probably give you a false positive on the bindshell test. The test looks for listeners on these ports: 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp. Check what is actually listening on the flagged port (for example with netstat or lsof) before treating the hit as a compromise; a mail server on 465/tcp (SMTPS) is a common legitimate cause.

#Now,
cd ..
#Then remove the .gz file
rm chkrootkit.tar.gz

Daily Automated System Scan that emails you a report

While in SSH run the following:
pico /etc/cron.daily/chkrootkit.sh

Insert the following to the new file:
#!/bin/bash
# Change to the directory where you unpacked chkrootkit; stop if the path is wrong
# so that cron mails you the error instead of silently running nothing
cd /yourinstallpath/chkrootkit-0.42b/ || exit 1
./chkrootkit | mail -s "Daily chkrootkit from Servername" admin@youremail.com

Important:
1. Replace 'yourinstallpath' with the actual path to where you unpacked Chkrootkit (the version number in the directory name will differ if you downloaded a newer release).
2. Change 'Servername' to the name of the server you're running so you know where the report is coming from.
3. Change 'admin@youremail.com' to the actual email address the script should mail you at.
4. The ./chkrootkit line and the mail address belong on one line.

Now save the file in SSH:
Ctrl+X then type Y

Change the file permissions so we can run it
chmod 755 /etc/cron.daily/chkrootkit.sh

Now if you like you can run a test report manually in SSH to see how it looks.
cd /etc/cron.daily/

./chkrootkit.sh

You'll now receive a nice email with the report! This will now happen every day, so you don't have to run it manually.
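As an added example (not from the original article or the chkrootkit project), here is a variant of the daily cron script above that mails only when the report contains findings outside a per-host allowlist, so a known listener such as SMTPS on 465/tcp does not generate a false-positive mail every day. The install path, mail address and server name are placeholders to adjust, and the sample report is constructed for a dry run.

```shell
#!/bin/bash
# Added example, not from the original article: a daily cron script that runs
# chkrootkit and mails the report ONLY when it contains findings that are not
# on a per-host allowlist of known false positives (e.g. the bindshell test
# flagging 465/tcp because a mail server listens there).
# Assumptions (adjust for your host): install path, mail address, server name.
CHKROOTKIT_DIR="/yourinstallpath/chkrootkit-0.42b"
MAIL_TO="admin@youremail.com"
SERVERNAME="Servername"
# Ports that legitimately listen on this host and trip the bindshell test.
KNOWN_BINDSHELL_PORTS="465"

port_is_known() {
    for known in $KNOWN_BINDSHELL_PORTS; do
        [ "$1" = "$known" ] && return 0
    done
    return 1
}

# Read a chkrootkit report on stdin and print only problem lines. A bindshell
# hit is printed only if at least one flagged port is NOT on the allowlist.
filter_findings() {
    grep -E 'INFECTED|Vulnerable|Warning|hidden' | while IFS= read -r line; do
        case "$line" in
            *bindshell*'INFECTED (PORTS:'*)
                ports=$(printf '%s\n' "$line" | sed 's/.*PORTS: *//; s/)//')
                for p in $ports; do
                    port_is_known "$p" || { printf '%s\n' "$line"; break; }
                done ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample report (not real output from any host) for a dry run.
sample_report() {
    cat <<'EOF'
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
EOF
}

# Number of lines that would trigger a mail for the report given on stdin.
count_findings() { filter_findings | awk 'END { print NR }'; }

if [ -x "$CHKROOTKIT_DIR/chkrootkit" ]; then
    report=$(cd "$CHKROOTKIT_DIR" && ./chkrootkit 2>&1 | filter_findings)
    if [ -n "$report" ]; then
        printf '%s\n' "$report" | mail -s "chkrootkit findings on $SERVERNAME" "$MAIL_TO"
    fi
else
    echo "chkrootkit not found in $CHKROOTKIT_DIR; nothing scanned" >&2
fi
```

Run `sample_report | filter_findings` by hand to see which lines of the constructed report would be mailed; only the allowlisted bindshell hit is dropped.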


Comments / Feedback

Damian
I have followed your "how to" to install chkrootkit, however I cannot get the cron email to work: No such file or directory. I followed exactly the steps you mention, so what is the right path for this? cd /yourinstallpath/chkrootkit-0.42b/
Edward
Love it :)
Coffeymate
Thanks for such concise instructions here at webhostgear. Do you have a link for what to do if you find an infected port? I'm getting bindshell infected port 465 on my new server acquired in the past couple days after installing chkroot. I removed the .gz file but still get the same notice of 465 infected port. What do you suggest? Can you at least point me in the direction of a "how to" in the event of problems like this? Again, thanks for such an informative site!
alphonse
What I'd like is a script that parses the chkrootkit output in order to email me ONLY if there is something strange happening. As I have no rootkit installed, I don't know the outputs to look for...
tom
Great work
mike
latest version does not work using the above tutorial on cpanel RHE3 servers, runs ok manually but not from cron
Jeff Huckaby
Some notes: MD5SUMs. You should always check md5sums on software like chkrootkit. What would be worse than to check for a problem and find out you installed a trojaned chkrootkit? A bit of a rant: running chkrootkit from cron.daily is not very useful. By the time you know anything has been changed, it is too late. Chkrootkit is not intended to be a file integrity system. Chkrootkit is great for a quick check when you suspect a problem, but it is not a file-integrity system like Tripwire, AIDE or one of a number of host-based IDS programs.
Mikey
If anyone is interested, this also works on a BSD box. I did have to go in and install bash, but other than that... works like a charm.
Daniel
This is a great guide, but I noticed a small error in your typing: you might want to add an 'r' in the untar part of this guide. You are missing it in the file name.
Sun Joo
This is a great one. Thanks a lot.
subrat
This is the redefining technique for scanning vulnerabilities of servers.
burke
This simple script runs chkrootkit but mails only if INFECTED:

#!/bin/bash
#
# Cron Script - run from /etc/crontab or place in cron.daily
#
# Runs chkrootkit and prints only the problem lines. Cron mails the script's
# output, so a mail arrives only when something is printed.
# grep -E is required for the '|' alternation (plain grep treats it literally),
# and the backtick in chkrootkit's output must be escaped inside double quotes,
# otherwise the shell reads it as the start of a command substitution.

cd /usr/local/src/chkrootkit || exit 1
./chkrootkit 2>&1 | grep -E "INFECTED|Vulnerable" |
fgrep -v "Checking \`bindshell'... INFECTED (PORTS: 365)"
Norvin
Hi,

Good piece of kit, however I am getting
Checking `bindshell'... INFECTED (PORTS: 31337)

Would that be an error?
It is installed on a Raq4
Cheers
Pete
Very concise instructions, thank you for spelling it out. I'm sure most of us could have fudged through the install, but it's so much nicer to have it spelled out.

Thanks for your time

Cheers
elian
I have the same problem:
----------------------------------------

Checking `bindshell'... INFECTED (PORTS: 465)


------------------------------------
what can i do?
dan

regarding the concern with the "INFECTED (PORTS: 31337)"
I believe this is a result of using PortSentry...

there's a reference to this at: http://www.howtoforge.com/howto_chkrootkit_portsentry
Livio
Burke when I run your Script I get the following error:
./chkrootkitliv.sh: line 8: unexpected EOF while looking for matching ``'
./chkrootkitliv.sh: line 10: syntax error: unexpected end of file
---------------------------------------
What is wrong on the Line ?

cd /usr/local/src/chkrootkit
./chkrootkit 2>&1 | grep "INFECTED|Vulnerable" |
fgrep -v "Checking `bindshell'... INFECTED (PORTS: 465)"
----------------------------------------
What I'd like is a script that parses the chkrootkit output in order to email me ONLY if there is something strange happening and discharge the port 465 error. I know 465 is my Secure SMTP on Exim.
Livio
Here is my procmail script to filter the e-mails received from crontab. With this filter I will only receive important e-mails from chkrootkit and rkhunter, eliminating the daily false positive reports. Only emails with important information will be allowed to pass.

My 0.2 cents.
Livio.


# To Delete false positive Infected Port 465 from my Exim SSL SMTP
* ^From:.*root@myserver.com
* ^Subject: chkrootkit output
| sed -e '/INFECTED (PORTS: 465)/d'

# To delete emails with not Important Information (Same every Day)
:0
* ^From:.*root@myserver.com
* ^Subject: chkrootkit output
{
# Note the :0BD: means Case Sensitive search the body of the e-mail
:0BD:
*! (INFECTED|Vulnerable)
/dev/null
}

:0
* ^From:.*root@myserver.com
* ^Subject: rkhunter Daily Run
{
:0B
*! (INFECTED|Vulnerable)
/dev/null
}


:0
* ^To: .*myemail@@myserver.com
/home/mydomain/mail/myemail

livio
ooops. Here is the Script Fix (was missing :0 fBw at the beginning)

# To Delete false positive Infected Port 465 from my Exim SSL SMTP
:0 fBw
* ^From:.*root@myserver.com
* ^Subject: chkrootkit output
| sed -e '/INFECTED (PORTS: 465)/d'

# To delete emails with not Important Information (Same every Day)
:0
* ^From:.*root@myserver.com
* ^Subject: chkrootkit output
{
# Note the :0BD: means Case Sensitive search the body of the e-mail
:0BD:
*! (INFECTED|Vulnerable)
/dev/null
}

:0
* ^From:.*root@myserver.com
* ^Subject: rkhunter Daily Run
{
:0B
*! (INFECTED|Vulnerable)
/dev/null
}


:0
* ^To: .*myemail@@myserver.com
/home/mydomain/mail/myemail
Rahul
I am also getting the same error. Is that OK?

Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
Rob Barclay
Spot on article, helped me loads (just need to add that my version was chkrootkit-0.46a, so it took me a little while to work out why the daily cron wasn't working).

But excellently written guide thank you
irlamp
Hello

I did this and this is the result! What should I do?

[/etc/cron.daily]# ./chkrootkit.sh
./chkrootkit.sh: line 2: cd: /chkrootkit-0.42b/: No such file or directory
./chkrootkit.sh: line 3: ./chkrootkit

Thanks
Paul Johnson
irlamp: change the path to match the actual location. Here's my script example. The thing is installed in /usr/bin

#!/bin/bash
cd /usr/bin
./chkrootkit | mail -s "Daily chkrootkit from laptop" pauljohn32@freefaculty.org

last bit is all on one line.

Livio:

I got that error too. It happens because a single quote mark gets "turned" into an accent when you copy out of the email. Here's my program that does work, as far as I can tell. There is no error, anyway. All I did was change the ` to '. That is, the single quotes should be vertical, not slanted.

#!/bin/bash
cd /usr/bin
./chkrootkit 2>&1 | grep "INFECTED|Vulnerable" | fgrep -v "Checking 'bindshell'... INFECTED (PORTS: 365)" | mail -s "Daily chkrootkit from laptop" pauljohn32@freefaculty.org

Last line is all one piece.
