Installing Rootkit Checker

From Lunarpages Web Hosting Wiki
Jump to: navigation, search

A root kit is a set of tools/programs used by an intruder after a successful intrusion into a system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes. Malicious purposes includes but not limited to, a backdoor entry to the system, mask the fact that the system is compromised (by hiding logins, processes, logs etc.), monitoring and so on.

What it Does

A typical rootkit includes a set of modified Unix tools such as "ps", "top", "netstat", "w", "passwd", "du", "find", "login", "syslogd" and "ifconfig". Those commands on execution would display normally except the processes run by cracker, thus allowing him to maintain "root" on the system without the system administrator even seeing them. A well designed rootkit hides logins, processes, and logs and often includes software to intercept data from terminals (tty monitors), network connections (modified nc), and the keyboard (keyloggers).

A rootkit may also include utilities, known as backdoors to help the attacker subsequently access the system more easily. For example, the rootkit may include an application that spawns a shell when the attacker connects to a particular network port on the system (a modified sshd server that spawns shell without even asking for password). Kernel root kits (LKM rootkits) may provide functionality that allows processes started by a nonpriviliged user to execute functions normally reserved for the superuser.

LKM's (Loadable Kernel Modules) are hard to find as it won't display in a lsmod, can't remove them when using rmmod and some gets tainted with kernel. Still most of them are detected by Rootkit checkers as they won't hide itself when we do a cat /proc/ksyms and cat /proc/modules on the system.

Where do they keep the rootkits

Once they gained the root access to your system, they can keep the files in any of the directories but the most common place is the /dev/ directory. Before asking me why /dev is a typical choice do an ls on /dev . They can also keep the rootkits and related binaries on /tmp, /dev/shm , /var/spool/samba and many other world writeable directories. The above mentioned directories are the most common place to keep the exploits on their way to gain root access.

As it's very difficult for us to look into each and every directory, that's where rootkit checkers come into picture. They are designed to check for known exploits/worms/rootkits as well as check for the signs of possible intrusion. It is not a preventative procedure in any way, and will not protect you from being cracked. It will however allow you to detect that it is already getting to be too late, before too much damage is done.

Be aware that "Security is a process, not a product".

Installing Chkrootkit

1. Download the chkrootkit and the md5sum from below URLs to /usr/local/share/.chkrootkit (mkdir -p /usr/local/share/.chkrootkit will create one if one doesn't exist already. I recommend using hidden (starting with period, . ) and creatively named directories.)

2. Once downloaded check the md5sum by executing

md5sum chkrootkit.tar.gz

and compare it with the md5sum downloaded.

3. Extract and install

cd /usr/local/share/.chkrootkit
tar xvzf chkrootkit.tar.gz
cd chkrootkit* (Remove any old chkrootkit installations, if any)
make sense

4. You can now run the chkrootkit by executing Code: ./chkrootkit . If you see notfound/not infected/no suspect files/nothing deleted then you are safe.

5. However, if your system is compromised, the system files on which chkrootkit depends may be modified by the rootkits in such a way as to hide the modifications, thus defeating the purpose of it's installation. So I recommend you to keep and use a local/safe copy of the binary files necessary to run Chkrootkit.

On a newly installed system, you can execute the below command to copy all the files necessary to run chkrootkit.

mkdir -p /usr/local/share/.safebin
cp -aL /bin/awk /usr/bin/cut /bin/egrep /usr/bin/find /usr/bin/head /usr/bin/id /bin/ls /bin/netstat   
/bin/ps /usr/bin/strings /bin/sed /bin/uname /bin/echo /usr/local/share/.safebin
cd /usr/local/share/
tar cvzf safebin.tar.gz safebin

and keep a copy of safebin.tar.gz in your local computer and upload, extract and use it whenever you wish to run chkrootkit.

In such a case, where you keep your own binaries execute chkrootkit with the following options,

./chkrootkit -p /usr/local/share/.safebin

6. Running chkrootkits daily

I personally don't recommend running chkrootkits without any manual intervention. By simply running it periodically, you are alerting the attacker and he would change it so that it doesn't detect his presence.

Still, if you would like to proceed, use the cron service:

crontab -e

and insert the below line in the file which opens up

0 1 * * * (cd /usr/local/share/.chkrootkit*; ./chkrootkit -p /usr/local/share/.safebin 2>&1 | mail -s "Chkrootkit output" youremail@yourdomain.tld)

7. What each binaries do ?

  • chkrootkit - This is the master program
  • check_wtmpx - This checks your tmp dirs for problems
  • chkdirs - This recurses all directories looking for problems
  • chklastlog - This checks your lastlog to see if it's been "fixed"
  • chkproc - Checks the proc file system for trouble
  • chkwtmp - Checks for deleted entries.
  • chkutmp - Checks for hidden logins
  • ifpromisc - Checks to see if your nic has been made promiscous
  • strings-static - Does string checking for signatures.

Installing Rootkit hunter (RKhunter)

1. Download the latest version from http://downloads.rootkit.nl/. Latest version as of this writing is 1.2.5 at URL:

http://downloads.rootkit.nl/rkhunter-1.2.5.tar.gz

It would be nice to subscribe to their release announcements at http://freshmeat.net/projects/rkhunter/

or the easy way Code:

/usr/local/bin/rkhunter --versioncheck

2. Extract and install by typing the below commands

tar zxf rkhunter-1.2.5.tar.gz ; cd rkhunter ; ./installer.sh

3. Once you have successfully installed run rkhunter by typing the command

/usr/local/bin/rkhunter -c --createlogfile --skip-keypress

The log file is created at /var/log/rkhunter.log

4. Periodic run

crontab -e

and insert the below line in the file which opens up

0 1 * * * (/usr/local/bin/rkhunter -c --cronjob --report-mode --createlogfile --skip-keypress 2>&1 | mail -s "Daily Rkhunter Scan Report" youremail@yourdomain.tld)

NB: Rkhunter have a few more checks when compared to chkrootkit, like checking /dev for suspicious files, application (version) scan, checking a few key files in /etc and the like.

References

  1. http://la-samhna.de/library/rootkits/detect.html - Samhain Labs explains
  2. http://www.cs.wright.edu/people/faculty/pmateti/Courses/499/Fortification/obrien.html - An article from Sysadmin magazine
  3. http://vancouver-webpages.com/rkdet/ - Another RootKit checker
  4. http://www.cert.org/tech_tips/intruder_detection_checklist.html
  5. http://www.securityfocus.com/infocus/1811 - GDB , an advanced RootKit checker
  6. http://www.chkrootkit.org - Homepage of Chkrootkit
  7. http://www.rootkit.nl - Homepage of RootKit Hunter
  8. http://www.ossec.net/rootcheck/ - One more RootKit checker
  9. http://www.sans.org/y2k/t0rn.htm - Analysis of the infamous T0rn rootkit
Share |
Want to read this in another language?