Difference between revisions of "Chkrootkit"
(New page: This article will explain how to scan for rootkits with <code>chkrootkit</code>. A rootkit is a stealthy type of software, typically malicious, designed to hide the ...) |
(No difference)
|
Revision as of 09:00, 11 November 2013
This article will explain how to scan for rootkits with chkrootkit
. A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.
Contents
Installing chkrootkit
$ wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz $ wget http://www.reznor.com/tools/chkrootkit.md5 $ md5sum chkrootkit.tar.gz
Make sure the md5sum
matches chkrootkit.md5
.
$ tar xvfz chkrootkit.tar.gz $ cd chkrootkit-0.47 $ make sense
Note: If that `make sense`
command returns something like "/usr/bin/ld: cannot find -lc
", you need to have the glibc-static
package installed on your machine.
Running chkrootkit
Now that you have it installed on your machine, the easiest way to scan your machine for rootkits is like so:
sudo ./chkrootkit
Check for any warning messages.
Automate the scan
To automate this task with a cron job, enter the root crontab configuration:
sudo crontab -e
The recommended method (from the chkrootkit website) is as follows:
0 3 * * * (cd /home/demo/sources/chkrootkit-0.49; ./chkrootkit 2>&1 | mail -s "chkrootkit output" admin@yourdomain.com)
That will run the command at 3am every day and, providing you have `mail`
installed and configured, email the results to the specified address.