CentOS: installing chkrootkit

Source: Internet
Author: User
Tags: egrep

chkrootkit is a tool that checks a local system for traces of a rootkit. Its core is a shell script that checks whether the system binaries have been modified by a rootkit.

(1) Installing chkrootkit on CentOS

Install the GCC build environment:

# yum install gcc gcc-c++ make -y

Obtain chkrootkit.tar.gz and unpack it.

After unpacking, run in the unpacked directory:

# make sense

A common error during installation:

# make sense
cc -DHAVE_LASTLOG_H -o chklastlog chklastlog.c
cc -DHAVE_LASTLOG_H -o chkwtmp chkwtmp.c
cc -DHAVE_LASTLOG_H -D_FILE_OFFSET_BITS=64 -o ifpromisc ifpromisc.c
cc -o chkproc chkproc.c
cc -o chkdirs chkdirs.c
cc -o check_wtmpx check_wtmpx.c
cc -static -o strings-static strings.c
/usr/bin/ld: cannot find -lc
collect2: ld returned 1 exit status
make: *** [strings-static] Error 1

The static link of strings.c fails because the static C library (libc.a) is not installed; on CentOS it is provided by the glibc-static package:

# yum install glibc-static
# make clean
# ./chkrootkit -V

Then run the chkrootkit command directly:

# ./chkrootkit

chkrootkit will scan the important files on the system.

Here is the official documentation shipped with the tool:

1. What's chkrootkit?
---------------------

chkrootkit is a tool to locally check for signs of a rootkit. It
contains:

* chkrootkit: a shell script that checks system binaries for
  rootkit modification.

* ifpromisc.c: checks if the network interface is in promiscuous
  mode.

* chklastlog.c: checks for lastlog deletions.

* chkwtmp.c: checks for wtmp deletions.

* check_wtmpx.c: checks for wtmpx deletions. (Solaris only)

* chkproc.c: checks for signs of LKM trojans.

* chkdirs.c: checks for signs of LKM trojans.

* strings.c: quick and dirty strings replacement.

* chkutmp.c: checks for utmp deletions.

chkwtmp and chklastlog *try* to check for deleted entries in the wtmp
and lastlog files, but it is *not* guaranteed that any modification
will be detected.

The aliens test tries to find sniffer logs and rootkit config files. It
looks for some default file locations, so it is also not guaranteed to
succeed in all cases.

chkproc checks if /proc entries are hidden from ps and the readdir
system call. This could be an indication of an LKM trojan. You can
also run this command with the -v option (verbose).


2. Rootkits, Worms and LKMs detected
------------------------------------

For an updated list of rootkits, worms and LKMs detected by
chkrootkit visit: http://www.chkrootkit.org/


3. Supported Systems
--------------------

chkrootkit has been tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x,
FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x, 3.x and 4.x, NetBSD
1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64, BSDI and Mac
OS X.


4. Package Contents
-------------------

README
README.chklastlog
README.chkwtmp
COPYRIGHT
chkrootkit.lsm

Makefile
chklastlog.c
chkproc.c
chkdirs.c
chkwtmp.c
check_wtmpx.c
ifpromisc.c
strings.c
chkutmp.c

chkrootkit


5. Installation
---------------

To compile the C programs type:

# make sense

After that it is ready to use and you can simply type:

# ./chkrootkit


6. Usage
--------

chkrootkit must run as root. The simplest way is:

# ./chkrootkit

This will perform all tests. You can also specify only the tests you
want, as shown below:

Usage: ./chkrootkit [options] [testname ...]
Options:
        -h                 show this help and exit
        -V                 show version information and exit
        -l                 show available tests
        -d                 debug
        -q                 quiet mode
        -x                 expert mode
        -r dir             use dir as the root directory
        -p dir1:dir2:dirN  path for the external commands used by chkrootkit
        -n                 skip NFS mounted dirs

Where testname stands for one or more from the following list:

aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper
z2 chkutmp amd basename biff chfn chsh cron crontab date du dirname
echo egrep env find fingerd gpm grep hdparm su ifconfig inetd
inetdconf identd init killall ldsopreload login ls lsof mail mingetty
netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd
slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed
traceroute vdir w write

For example, the following command checks for trojaned ps and ls
binaries and also checks if the network interface is in promiscuous
mode:

# ./chkrootkit ps ls sniffer

The '-q' option can be used to put chkrootkit in quiet mode; in
this mode only output messages with 'INFECTED' status are shown.

With the '-x' option the user can examine suspicious strings in the
binary programs that could indicate a trojan; all the analysis is
left to the user.

Lots of data can be seen with:

# ./chkrootkit -x | more

Pathnames inside system commands:

# ./chkrootkit -x | egrep '^/'

chkrootkit uses the following commands to make its tests: awk, cut,
egrep, find, head, id, ls, netstat, ps, strings, sed, uname. It is
possible, with the '-p' option, to supply an alternate path to
chkrootkit so it won't use the system's (possibly) compromised
binaries to make its tests.

To use, for example, the binaries in /cdrom/bin:

# ./chkrootkit -p /cdrom/bin

It is possible to add more paths with a ':'

# ./chkrootkit -p /cdrom/bin:/floppy/mybin

Sometimes it is a good idea to mount the disk from a compromised machine
on a machine you trust. Just mount the disk and specify a new
root directory with the '-r' option.

For example, suppose the disk you want to check is mounted under
/mnt, then:

# ./chkrootkit -r /mnt


7. Output Messages
------------------

The following messages are printed by chkrootkit (except with the -x
and -q command options) during its tests:

"INFECTED": the test has identified a command probably modified by
a known rootkit;

"not infected": the test didn't find any known rootkit signature.

"not tested": the test was not performed; this could happen in
the following situations:
a) the test is OS specific;
b) the test depends on an external program which is not available;
c) some specific command line options are given (e.g. -r).

"not found": the command to be tested is not available;

"Vulnerable but disabled": the command is infected but not in use
(not running or commented out in inetd.conf).


8. A trojaned command has been found. What should I do?
-------------------------------------------------------

Your biggest problem is that your machine has been compromised and
the bad guy has root privileges.

Maybe you can solve the problem by just replacing the trojaned
command, but the best approach is to reinstall the machine from safe media
and to follow your vendor's security recommendations.


9. Reports and questions
------------------------

Please send comments, questions and bug reports to
[email protected] and [email protected]

A simple FAQ and related information about rootkits and security can
be found at chkrootkit's homepage, http://www.chkrootkit.org.


10. Acknowledgments
-------------------

See the ACKNOWLEDGMENTS file.
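As an added example (not chkrootkit's own code), the following script ties sections 6 and 7 together: it runs chkrootkit with -r against a suspect disk mounted on a trusted host and with -p pointing at known-good binaries, then filters the output down to the messages that need follow-up and turns them into an exit status. The paths /opt/chkrootkit, /media/trusted/bin and /mnt and the function names are assumptions, and the sample output lines are constructed.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code: scan a suspect disk mounted on a trusted
# host (README section 6) and keep only results that need action (section 7).
CHKROOTKIT_DIR="${CHKROOTKIT_DIR:-/opt/chkrootkit}"   # assumed: unpacked sources, after "make sense"
TRUSTED_BIN="${TRUSTED_BIN:-/media/trusted/bin}"      # assumed: known-good ps, ls, netstat, awk, ...
SUSPECT_ROOT="${SUSPECT_ROOT:-/mnt}"                  # assumed: mount point of the suspect disk

# -r points chkrootkit at the mounted suspect filesystem instead of the live host;
# -p makes it run trusted copies of its external commands, not the suspect disk's.
build_cmd() {
    printf '%s/chkrootkit -r %s -p %s\n' "$CHKROOTKIT_DIR" "$SUSPECT_ROOT" "$TRUSTED_BIN"
}

# Drop "not infected"; keep INFECTED, "Vulnerable but disabled", and also "not tested"
# and "not found", since a test that did not run is a blind spot. Output: STATUS<TAB>test.
triage() {
    awk '
        /^Checking `/ {
            name = $2
            gsub(/[^A-Za-z0-9_]/, "", name)          # strip the quoting around the test name
            if ($0 ~ /INFECTED/)                     status = "INFECTED"
            else if ($0 ~ /Vulnerable but disabled/) status = "VULNERABLE_DISABLED"
            else if ($0 ~ /not tested/)              status = "NOT_TESTED"
            else if ($0 ~ /not found/)               status = "NOT_FOUND"
            else                                     next
            printf "%s\t%s\n", status, name
        }'
}

# Exit status for cron or CI: 2 = something INFECTED, 1 = only disabled/untested/missing, 0 = clean.
verdict() {
    findings=$(triage)
    case "$findings" in
        *INFECTED*) return 2 ;;
        "")         return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed lines in chkrootkit's output format (not from a real scan).
sample_output() {
    cat <<'EOF'
Checking `ps'... INFECTED
Checking `ls'... not infected
Checking `inetd'... Vulnerable but disabled
Checking `chkutmp'... not tested
EOF
}
# Real scan when the tool is present, otherwise run the triage on the sample.
if [ -x "$CHKROOTKIT_DIR/chkrootkit" ]; then $(build_cmd) | triage; else sample_output | triage; fi
```

Wrapped as `./chkrootkit-scan.sh | triage; verdict` from cron, the exit status alone is enough to page someone, while the full -x output is kept for the manual analysis the README leaves to the user.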

ChangeLog
---------
