Chkrootkit
This article will explain how to scan for rootkits with chkrootkit. A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.
Installing chkrootkit
$ wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
$ wget http://www.reznor.com/tools/chkrootkit.md5
$ md5sum chkrootkit.tar.gz
Make sure the checksum printed by md5sum matches the one in chkrootkit.md5.
$ tar xvfz chkrootkit.tar.gz
$ cd chkrootkit-0.47
$ make sense
Note: If that `make sense` command returns something like "/usr/bin/ld: cannot find -lc", you need to have the glibc-static package installed on your machine.
Running chkrootkit
Now that you have it installed on your machine, the easiest way to scan your machine for rootkits is like so:
sudo ./chkrootkit
Check for any warning messages.
Automate the scan
To automate this task with a cron job, enter the root crontab configuration:
sudo crontab -e
The recommended method (from the chkrootkit website) is as follows:
0 3 * * * (cd /home/demo/sources/chkrootkit-0.49; ./chkrootkit 2>&1 | mail -s "chkrootkit output" admin@yourdomain.com)
That will run the command at 3am every day and, providing you have `mail` installed and configured, email the results to the specified address.
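The cron line above mails the full report every night whether or not anything was found. The following wrapper, an added example that is not part of the chkrootkit project or of the original article, filters the report for the markers chkrootkit uses to flag a problem and only sends mail when one appears (or when the scan fails to run). It assumes those markers are "INFECTED", "Vulnerable", "Warning" and "PACKET SNIFFER", that `CHKROOTKIT` is a placeholder path for the installed binary, and that `mail` is configured as in the article.

```shell
#!/bin/sh
# Added example (not from the chkrootkit project or the article above).
# Assumed chkrootkit output markers: "INFECTED", "Vulnerable", "Warning" and
# "PACKET SNIFFER" flag findings; "not infected" / "nothing found" are clean.

# Keep only the lines chkrootkit uses to flag a problem (reads stdin).
chkrootkit_findings() {
    grep -E 'INFECTED|Vulnerable|Warning|PACKET SNIFFER' | grep -vE 'not infected|not vulnerable'
}

# Reads a chkrootkit report on stdin; exit 0 when clean, 1 when anything was flagged.
chkrootkit_is_clean() {
    n=$(chkrootkit_findings | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Cron wrapper: run the scan, mail the full report only when it flagged something
# or failed to run. $1 is the recipient; CHKROOTKIT is a placeholder binary path.
mail_if_suspicious() {
    rc=0
    report=$("${CHKROOTKIT:-/usr/local/sbin/chkrootkit}" 2>&1) || rc=$?
    if [ "$rc" -eq 0 ] && printf '%s\n' "$report" | chkrootkit_is_clean; then
        return 0
    fi
    printf '%s\n' "$report" | mail -s "chkrootkit: suspicious results on $(hostname)" "$1"
    return 1
}

# Constructed sample in the style chkrootkit prints; not output from a real scan.
sample_report() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `ls'... not infected
Checking `ps'... INFECTED
Checking `lkm'... not tested
Searching for suspicious files and dirs, it may take a while... nothing found
Checking `sniffer'... eth0: PACKET SNIFFER(/usr/sbin/dhclient[1234])
EOF
}

# Stand-alone demo: prints the two flagged lines from the sample report.
# In the crontab the command would become:
#   0 3 * * * . /path/to/this.sh; mail_if_suspicious admin@yourdomain.com
if [ "${1:-}" = "demo" ]; then
    sample_report | chkrootkit_findings
fi
```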