Chkrootkit

From Christoph's Personal Wiki

This article will explain how to scan for rootkits with chkrootkit. A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.

Installing chkrootkit

$ wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
$ wget http://www.reznor.com/tools/chkrootkit.md5
$ md5sum chkrootkit.tar.gz

Make sure the md5sum matches chkrootkit.md5.

$ tar xvfz chkrootkit.tar.gz
$ cd chkrootkit-0.47
$ make sense

Note: If that `make sense` command returns something like "/usr/bin/ld: cannot find -lc", you need to have the glibc-static package installed on your machine.
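The checksum step above is easy to skip or to do by eye. The following is an added example (not from this wiki page or from the chkrootkit project) that compares the hash recorded in a `.md5` file against a freshly computed `md5sum` of the tarball, and exercises the comparison on a constructed file so it runs without any download. Note that a hash file fetched over plain HTTP or FTP only protects against a corrupted or truncated transfer, not against a modified archive served by the same path; the function names `verify_md5` and `demo_verify` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the wiki page or the chkrootkit project.

# verify_md5 FILE MD5FILE
# Compare the md5 of FILE against the hash recorded in MD5FILE.
# MD5FILE is expected in md5sum's "HASH  NAME" format (first line used).
# Only the hash field is compared, so the file name inside MD5FILE does not
# have to match the local name (md5sum -c would insist that it does).
verify_md5() {
    file=$1
    md5file=$2
    expected=$(awk 'NR==1 { print $1 }' "$md5file")
    actual=$(md5sum "$file" | awk '{ print $1 }')
    # Refuse to "pass" on an empty hash file: missing expectation is a failure.
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# demo_verify
# Self-contained check using a constructed file instead of the real tarball.
# Prints "match mismatch": the untouched file verifies, the tampered one fails.
demo_verify() {
    dir=$(mktemp -d)
    printf 'constructed tarball contents\n' > "$dir/chkrootkit.tar.gz"
    md5sum "$dir/chkrootkit.tar.gz" > "$dir/chkrootkit.md5"

    if verify_md5 "$dir/chkrootkit.tar.gz" "$dir/chkrootkit.md5"; then
        first=match
    else
        first=mismatch
    fi

    # Simulate a corrupted or altered download: append one byte.
    printf 'x' >> "$dir/chkrootkit.tar.gz"
    if verify_md5 "$dir/chkrootkit.tar.gz" "$dir/chkrootkit.md5"; then
        second=match
    else
        second=mismatch
    fi

    rm -rf "$dir"
    printf '%s %s\n' "$first" "$second"
}

# Real-world use after the two wget commands from the page:
#   verify_md5 chkrootkit.tar.gz chkrootkit.md5 && tar xvfz chkrootkit.tar.gz
```

Running `demo_verify` prints `match mismatch`; in practice you would chain `verify_md5` before `tar` so that extraction never happens on a file whose hash does not match.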

Running chkrootkit

Now that it is installed, the simplest way to scan the machine for rootkits is:

sudo ./chkrootkit

Check for any warning messages.

Automate the scan

To automate this task with a cron job, open the root crontab:

sudo crontab -e

The recommended method (from the chkrootkit website) is as follows:

0 3 * * * (cd /home/demo/sources/chkrootkit-0.49; ./chkrootkit 2>&1 | mail -s "chkrootkit output" admin@yourdomain.com)

That will run the command at 3am every day and, provided you have `mail` installed and configured, email the results to the specified address.
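The crontab line above mails the full report every night whether or not anything was found, and "Check for any warning messages" is left to the reader. The following is an added example (not from this wiki page or from the chkrootkit project) of a small wrapper that filters a chkrootkit report down to its findings, mails only when there is something to review, and exits non-zero in that case so cron or a monitoring job can tell "clean" from "needs attention". The directory and address are the placeholders from the page; the function names and the sample report are this example's own, and the sample is constructed, not output from a real scan.

```shell
#!/bin/sh
# Added example, not part of the wiki page or the chkrootkit project.
# Placeholder values taken from the page's cron line; adjust for your host.
CHKROOTKIT_DIR="${CHKROOTKIT_DIR:-/home/demo/sources/chkrootkit-0.49}"
MAIL_TO="${MAIL_TO:-admin@yourdomain.com}"

# findings
# Read a chkrootkit report on stdin and print only the lines that signal a
# problem. The match is case-sensitive on purpose: chkrootkit reports a clean
# binary as "... not infected", which a case-insensitive "infected" grep would
# flag, so we also drop that phrase explicitly.
findings() {
    grep -E 'INFECTED|Warning' | grep -v 'not infected' || true
}

# count_findings
# Number of problem lines in the report on stdin (0 for a clean report).
count_findings() {
    findings | wc -l | tr -d ' '
}

# sample_report
# Constructed stand-in for chkrootkit output, used to exercise the filter
# without running a scan. Line formats follow chkrootkit's "Checking `x'..."
# style; the flagged items are invented for the example.
sample_report() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `basename'... not infected
Checking `ifconfig'... INFECTED
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
Checking `amd'... not found
EOF
}

# scan_and_report
# Run chkrootkit (same invocation as the page's cron line), mail the
# findings only when there are any, and return 1 in that case.
scan_and_report() {
    report=$(cd "$CHKROOTKIT_DIR" && ./chkrootkit 2>&1)
    n=$(printf '%s\n' "$report" | count_findings)
    if [ "$n" -gt 0 ]; then
        printf '%s\n' "$report" | findings \
            | mail -s "chkrootkit: $n finding(s) on $(hostname)" "$MAIL_TO"
        return 1
    fi
    return 0
}

# A real scan only runs when explicitly requested (e.g. from cron with
# "--scan"); sourcing or running the file otherwise just defines the functions.
if [ "${1:-}" = "--scan" ]; then
    scan_and_report
fi
```

With this in place the crontab entry becomes `0 3 * * * /path/to/chkrootkit-report.sh --scan` (path is a placeholder), and a silent night means a clean report rather than an unread email.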
