How chkrootkit works
Definition of chkrootkit: chkrootkit is a tool to locally check for signs of a rootkit. It contains a chkrootkit shell script that checks system binaries for rootkit modification. The following tests are made: aliens, asp, bindshell, lkm, rexedcs, sniffer, wted, z2, amd, basename, biff, chfn, chsh, cron, date, du, dirname, echo, egrep, env, find, fingerd, gpm, grep, hdparm, su, ifconfig, inetd, inetdconf, identd, killall, login, ls, mail, mingetty, netstat, named, passwd, pidof, pop2, pop3, ps, pstree, rpcinfo, rlogind, rshd, slogin, sendmail, sshd, syslogd, tar, tcpd, top, telnetd, timed, traceroute, and write. In addition, ifpromisc.c checks whether a network interface is in promiscuous mode, chklastlog.c checks for lastlog deletions, chkwtmp.c checks for wtmp deletions, check_wtmpx.c checks for wtmpx deletions (Solaris only), and chkproc.c checks for signs of LKM trojans.
chkrootkit is not installed by default on servers.
To install it:
mkdir -p /usr/local/src
cd /usr/local/src
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
gzip -d -c chkrootkit.tar.gz | tar xvf -
cd chkrootkit-0.43
make sense
Then run it:
./chkrootkit
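To make the two checks mentioned above concrete, here is an added example (not chkrootkit's own code) that re-implements ifpromisc and chkproc in simplified form: it reads the interface flag word from /sys/class/net, and compares the PIDs listed in /proc with those reported by ps, taking a second /proc snapshot so that a process that simply exited between the two readings is not reported as hidden.

```python
# Added example, not part of chkrootkit: simplified versions of the
# ifpromisc (promiscuous interface) and chkproc (hidden process) checks.
import os
import subprocess

IFF_PROMISC = 0x100  # interface flag bit, as defined in <linux/if.h>


def promisc_interfaces(flags_by_iface):
    """Return the interfaces whose flag word has IFF_PROMISC set.

    flags_by_iface maps interface name -> integer flags, the value the
    kernel exposes (in hex) in /sys/class/net/<iface>/flags.
    """
    return sorted(name for name, flags in flags_by_iface.items()
                  if flags & IFF_PROMISC)


def read_sys_flags(sys_net="/sys/class/net"):
    """Collect {iface: flags} from sysfs on a live Linux host."""
    flags = {}
    for name in os.listdir(sys_net):
        try:
            with open(os.path.join(sys_net, name, "flags")) as fh:
                flags[name] = int(fh.read().strip(), 16)
        except (OSError, ValueError):
            continue  # interface vanished or unreadable entry; skip it
    return flags


def hidden_pids(proc_pids, ps_pids, recheck_proc_pids=None):
    """chkproc-style check: PIDs present in /proc that ps does not list.

    A process that exits between the /proc scan and the ps run would look
    hidden; a second /proc snapshot (recheck_proc_pids) keeps only PIDs that
    are still alive, which removes that false positive.
    """
    suspects = set(proc_pids) - set(ps_pids)
    if recheck_proc_pids is not None:
        suspects &= set(recheck_proc_pids)
    return sorted(suspects)


def snapshot_proc():
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def snapshot_ps():
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


if __name__ == "__main__":
    print("promiscuous interfaces:", promisc_interfaces(read_sys_flags()) or "none")
    first = snapshot_proc()
    print("hidden pids:", hidden_pids(first, snapshot_ps(), snapshot_proc()) or "none")
```

A PID reported here is only a lead, not proof: compare it against a live snapshot of the host taken from a trusted boot medium before drawing conclusions.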
Please keep in mind the following:
1. If a hacker got in, your safest recourse is to wipe the box, re-install the operating system, and restore from a backup that was made prior to the hack.
2. Security must be done in layers to be the most effective. Start with as many layers as you are comfortable managing and monitoring, then add layers as they become available or as you recognise a pattern that calls for a new one.
3. Security must be an ongoing concern. You don't just add on the layers (tighten the hatches) and walk away from the ship. You have to manage it several times a day for as long as the server is connected to the Internet.