Chrootkit help

SSH as admin to your server. DO NOT use telnet, it should be disabled anyways.

#Change to root
su -

#Type the following
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

# Check the MD5 SUM of the download for security:
ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5

md5sum chkrootkit.tar.gz

#Unpack the tarball using the command
tar xvzf chkrootkit.tar.gz

#Change to the directory it created
cd chkrootkit*

#Compile by typing
make sense

#To use chkrootkit, just type the command
./chkrootkit

#Everything it outputs should be 'not found' or 'not infected'...

Important Note: If you see 'Checking `bindshell'... INFECTED (PORTS:  465)' read on.
I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test
(ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp,
31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).

#Now,
cd ..
#Then remove the .gz file
rm chkrootkit.tar.gz

Daily Automated System Scan that emails you a report

While in SSH run the following:
pico /etc/cron.daily/chkrootkit.sh

Insert the following to the new file:
#!/bin/bash
cd /yourinstallpath/chkrootkit-0.42b/
./chkrootkit | mail -s "Daily chkrootkit from Servername" admin@youremail.com

Important:
1. Replace 'yourinstallpath' with the actual path to where you unpacked Chkrootkit.
2. Change 'Servername' to the server your running so you know where it's coming from.
3. Change 'admin@youremail.com' to your actual email address where the script will mail you.

Now save the file in SSH:
Ctrl+X then type Y

Change the file permissions so we can run it
chmod 755 /etc/cron.daily/chkrootkit.sh

Now if you like you can run a test report manually in SSH to see how it looks.
cd /etc/cron.daily/

./chkrootkit.sh

You'll now receive a nice email with the report! This will now happen everyday so you don't have to run it manually.
  • 1 Users Found This Useful
Was this answer helpful?

Related Articles

URL injections information

URL Injection attacks typically mean the server for which the IP address of the attacker is...

Rootkit help

RootKit -- Spyware and Junkware detection and removal tool Go to Rootkit Hunter homepage, and...

Ddos protection with bandwith shaping

Protecting your host from SYN floods From Alexey's iproute documentation, adapted to netfilter...

Brute Force Detection

BFD -- Brute Force Detection BFD is a shell script which parses security logs and detects...

Botware / Malware defense

Prevention: Ensure OS and software patches on the desktop are up to date. Disallow...