Checking for rootkits

Chkrootkit website

Chkrootkit is a must when acting as an administrator of a Linux server. If there was ever a program that gave you some peace of mind by letting you know that your server is currently "un-hacked", this is the one.

What is chkrootkit?

chkrootkit looks for known "signatures" in trojaned system binaries.

Can I run chkrootkit from cron?

Yes. For example, to run chkrootkit every day at 3am and mail the output to root:

0 3 * * * (cd /path/to/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output" root)

How To Install Chkrootkit

Summary

This article describes how to install and configure the chkrootkit program.

Background

chkrootkit is a tool to locally check for signs of a rootkit. For more information regarding this tool, visit http://www.chkrootkit.org/

More information

1. SSH to your server as the root superuser.

2. Next, we will download the chkrootkit program to /usr/src, and then untar it.

In shell, type in the following commands:

Quote:

cd /usr/src
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar zxvf chkrootkit.tar.gz
cd chkrootkit-0.48
make sense


That's it! To run chkrootkit, type ./chkrootkit in the shell.

NOTE: This is from http://www.webhostgear.com/25.html

Important Note:

If you see 'Checking `bindshell'... INFECTED (PORTS: 465)', read on.

I'm running PortSentry/klaxon. What's wrong with the bindshell test?

If you're running PortSentry/klaxon or another program that binds itself to unused ports, chkrootkit will probably give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).
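To tell the PortSentry/klaxon false positive apart from a real bind shell, you want to see which process actually owns each flagged port. The script below is an added example, not part of the original article and not part of chkrootkit: it pulls the port list out of a bindshell finding and asks ss (from iproute2, assumed to be installed) for the listening socket and its process. The sample output line is constructed.

```shell
#!/bin/sh
# Added example (not from the original article or from chkrootkit): parse the
# port list out of a chkrootkit bindshell finding and show which process is
# actually listening on each port, so a PortSentry/klaxon false positive can
# be told apart from a real bind shell.

# Constructed sample of one chkrootkit output line (shape as quoted above).
SAMPLE_LINE="Checking \`bindshell'... INFECTED (PORTS: 465 31337)"

# Print the ports named in a bindshell INFECTED line, one per line.
# Returns 1 and prints nothing when the line is not a bindshell finding.
parse_bindshell_ports() {
    line="$1"
    case "$line" in
        *bindshell*INFECTED*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$line" \
        | sed -n 's/.*PORTS:[[:space:]]*\([0-9 ]*\)).*/\1/p' \
        | tr ' ' '\n' | grep -v '^$'
}

# Show the listening TCP socket and owning process for one port.
# Assumes ss from iproute2 is installed; prints a hint otherwise.
# Run as root, or ss cannot show the process behind the socket.
who_listens_on() {
    port="$1"
    if command -v ss >/dev/null 2>&1; then
        ss -ltnp "( sport = :$port )"
    else
        echo "ss not found; try: netstat -ltnp | grep \":$port \"" >&2
        return 1
    fi
}

# Triage: for every port in a bindshell finding, report the listener.
# A PortSentry or klaxon process here means the finding is the documented
# false positive; an unfamiliar binary bound to the port deserves a closer look.
triage_bindshell() {
    ports=$(parse_bindshell_ports "$1") || { echo "no bindshell finding"; return 0; }
    for p in $ports; do
        echo "== port $p =="
        who_listens_on "$p" || true
    done
}

# Usage on a real run (the article's install path):
#   cd /usr/src/chkrootkit-0.48 && ./chkrootkit 2>&1 | grep bindshell \
#       | while read -r l; do triage_bindshell "$l"; done
# When executed directly, run on the constructed sample line:
triage_bindshell "$SAMPLE_LINE"
```

Running it on the sample prints a "== port 465 ==" and "== port 31337 ==" header followed by the ss line for each listener; on a box running PortSentry, the process column is what confirms the false positive.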


Additional information

If you wish to run chkrootkit on a daily basis and have it send out a report via email, follow these steps:


Quote:

cd /etc/cron.daily
touch chkrootkit.cron

Next, use your favorite text editor and add the following text to the chkrootkit.cron file.


Quote:

#!/bin/bash
# run chkrootkit from its install directory and mail the full report
cd /usr/src/chkrootkit-0.48/
./chkrootkit 2>&1 | mail -s "chkrootkit daily report" username@yourdomain.com


Note: Replace username@yourdomain.com with your email, and make the file executable (chmod +x /etc/cron.daily/chkrootkit.cron), since cron's run-parts only runs executable files.
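The one-line cron job from the FAQ above and the cron.daily script just shown both mail the whole report every day, which soon gets ignored. The following wrapper is an added example, not part of the original article and not part of chkrootkit: it keeps each dated report on disk, reduces it to the lines that need attention, drops lines listed in an ignore file (for instance the PortSentry bindshell false positive), and mails only when something is flagged or when the findings changed since the previous run. The report directory, the ignore file and the hostname in the subject are assumptions; the install path and the recipient placeholder are the article's own.

```shell
#!/bin/sh
# Added example, not part of the original article or of chkrootkit itself:
# a cron.daily wrapper that keeps every full report on disk and only sends
# mail when chkrootkit flags something, or when today's findings differ from
# the previous run. Paths and the recipient are assumptions; adjust them.
CHKROOTKIT_DIR="/usr/src/chkrootkit-0.48"   # install path used in the article
REPORT_DIR="/var/log/chkrootkit"            # assumption: where reports are kept
MAILTO="username@yourdomain.com"            # placeholder, as in the article

# Filter a report on stdin down to the lines that need attention. chkrootkit
# marks findings with words such as INFECTED, Warning, Possible and Vulnerable;
# extend the pattern if your version prints others. An optional file of fixed
# strings ($1) removes known-benign lines, e.g. the PortSentry bindshell
# false positive. Exit status is 0 when findings remain, 1 when clean.
extract_findings() {
    ignore="${1:-}"
    if [ -n "$ignore" ] && [ -s "$ignore" ]; then
        grep -E 'INFECTED|Warning|Possible|Vulnerable' | grep -v -F -f "$ignore"
    else
        grep -E 'INFECTED|Warning|Possible|Vulnerable'
    fi
}

# Mail when the new findings file is non-empty, or when it differs from the
# previous one (so you also hear once when a finding disappears).
needs_mail() {
    new="$1"; prev="$2"
    [ -s "$new" ] && return 0
    [ -f "$prev" ] && ! cmp -s "$new" "$prev"
}

# Constructed sample of chkrootkit output for trying the filter offline.
sample_report() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... chkproc: nothing detected
Searching for suspicious files and dirs, it may take a while... nothing found
EOF
}

# The daily job: run chkrootkit, store the dated report, mail on findings/change.
run_daily() {
    mkdir -p "$REPORT_DIR"
    today="$REPORT_DIR/report.$(date +%F)"
    cd "$CHKROOTKIT_DIR" || return 1
    ./chkrootkit >"$today" 2>&1
    extract_findings "$REPORT_DIR/ignore" <"$today" >"$REPORT_DIR/findings.new" || true
    if needs_mail "$REPORT_DIR/findings.new" "$REPORT_DIR/findings.prev"; then
        { cat "$REPORT_DIR/findings.new"; echo; echo "Full report: $today"; } \
            | mail -s "chkrootkit daily report: $(hostname)" "$MAILTO"
    fi
    mv "$REPORT_DIR/findings.new" "$REPORT_DIR/findings.prev"
}

# Only do real work where chkrootkit is installed (e.g. when run from cron.daily).
if [ -x "$CHKROOTKIT_DIR/chkrootkit" ]; then
    run_daily
fi
```

Install it as an executable file in /etc/cron.daily, and put one fixed string per line in /var/log/chkrootkit/ignore for findings you have verified as benign (for example "bindshell" on a PortSentry host). Keeping the full report on disk matters: the mail only carries the filtered lines, and the dated reports are what you compare when a finding does show up.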