Difference between revisions of "Chkrootkit"

Revision diff (section "External links", line 39); the newer revision adds one link:

==External links==
* [http://www.chkrootkit.org/ Official website]
+ * [https://community.rackspace.com/general/f/34/t/75 Investigating Compromised Servers]
[[Category:Linux Command Line Tools]]
Latest revision as of 11:03, 13 August 2014
This article will explain how to scan for rootkits with chkrootkit. A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.
Installing chkrootkit
$ wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
$ wget http://www.reznor.com/tools/chkrootkit.md5
$ md5sum chkrootkit.tar.gz
Make sure the md5sum matches chkrootkit.md5.
$ tar xvfz chkrootkit.tar.gz
$ cd chkrootkit-0.47
$ make sense
Note: If that `make sense` command returns something like "/usr/bin/ld: cannot find -lc", you need to have the glibc-static package installed on your machine.
Running chkrootkit
Now that you have it installed on your machine, the easiest way to scan your machine for rootkits is like so:
sudo ./chkrootkit
Check for any warning messages.
Automate the scan
To automate this task with a cron job, enter the root crontab configuration:
sudo crontab -e
The recommended method (from the chkrootkit website) is as follows:
0 3 * * * (cd /home/demo/sources/chkrootkit-0.49; ./chkrootkit 2>&1 | mail -s "chkrootkit output" admin@yourdomain.com)
That will run the command at 3am every day and, providing you have `mail` installed and configured, email the results to the specified address.
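The crontab line above mails the whole report every night, which is easy to stop reading. The wrapper below is an added example (not from this article or the chkrootkit project): it keeps the full report on disk and mails only the lines chkrootkit flags. It assumes the unpacked tree path and address from the crontab line, and that the matched keywords (INFECTED, Warning, PACKET SNIFFER) reflect your chkrootkit version's output format.

```shell
#!/bin/sh
# Added example (not from the wiki article): cron wrapper around chkrootkit
# that mails only flagged lines, so a daily mail means something.
# Assumptions: CHKROOTKIT_DIR is the unpacked tree from the article, MAILTO is
# the recipient, and the keywords below match chkrootkit's usual output format
# (INFECTED, Warning, PACKET SNIFFER); check them against your version.
CHKROOTKIT_DIR="${CHKROOTKIT_DIR:-/home/demo/sources/chkrootkit-0.49}"
MAILTO="${MAILTO:-admin@yourdomain.com}"

# Read a chkrootkit report on stdin, print only flagged lines, and return 1 if
# anything was flagged, 0 otherwise. "not infected" lines are dropped because
# the match on INFECTED is case-sensitive. Paths listed under "Searching for
# suspicious files and dirs" carry no keyword, so read the full report whenever
# this wrapper reports a finding.
classify_scan() {
    findings=$(grep -E 'INFECTED|Warning|PACKET SNIFFER' || true)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample of a chkrootkit report (not a real scan) for a dry run.
sample_output() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `login'... not infected
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
Checking `sniffer'... eth0: PACKET SNIFFER(/sbin/dhclient[587])
Checking `w55808'... not infected
EOF
}

# Intended root crontab entry: 0 3 * * * /usr/local/sbin/chkrootkit-report.sh scan
# Keeps the full report on disk and mails only when something was flagged.
run_scan() {
    report="/var/log/chkrootkit-$(date +%Y%m%d).log"
    (cd "$CHKROOTKIT_DIR" && ./chkrootkit 2>&1) > "$report"
    if ! classify_scan < "$report" > "$report.findings"; then
        mail -s "chkrootkit findings on $(hostname)" "$MAILTO" < "$report.findings"
    fi
}

# "scan" runs the real scan; "dry-run" exercises classify_scan on the sample.
case "${1:-}" in
    scan)    run_scan ;;
    dry-run) sample_output | classify_scan ;;
esac
```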
See also
- rkhunter
- maldet