Security Samizdat

Rootkits are security tools used by intruders after compromising a hacked system. Rootkits help the intruders maintain their access to the system while hiding the toolkit, processes, open ports, etc. from the system administrator.

There are several interesting tools to scan for rootkit presence on a system. In this post, I’ll look at the two tools I use: Rootkit Hunter, and chkrootkit.

Rootkit Hunter

http://rkhunter.sourceforge.net/

Rootkit Hunter is a scanning tool that scans for rootkits, backdoors and local exploits. It checks MD5 hashes, default files used by rootkits, strange permissions in binaries, suspect strings in modules, hidden files, etc. It works in most flavours of Linux, BSD (OpenBSD, FreeBSD, MacOS X, but not NetBSD) and some Unix variants (AIX, Solaris, etc.)

Once you download Rootkit Hunter, unpack it, and execute the installer.sh script as root user.

After installing, just execute it (as root) with the following options:

rkhunter -c

- performs standard check of the system

rkhunter -c –quick

- performs quick scan

rkhunter -c –check-deleted

- performs a “deleted files” check (processes using deleted files)

rkhunter -c –scan-knownbad-files

- performs a “known-bad files” check

rkhunter –update

- updates database of rootkits

An interesting option is to use a cron job to schedule periodic update and system check, by using this script (add it to the crontab or /etc/cron.daily directory)

#!/bin/sh

( /usr/local/bin/rkhunter –versioncheck
/usr/local/bin/rkhunter –update
/usr/local/bin/rkhunter –cronjob –report-warnings-only
) | /bin/mail -s ‘rkhunter Daily Run’ root

chkrootkit

http://www.chkrootkit.org/

chkrootkit is another option for our rootkit-detection toolkit. It can be downloaded from: http://www.chkrootkit.org/download/

It doesn’t need to be installed. Just unpack it and run chkrootkit it as root. This is useful if you need to run it from read-only media, such as CD-ROM, to avoid compromise of the rootkit-detection tool itself.

chkrootkit has an interesting option, which allows to specify the root directory to be scanned. Although I haven’t tested it yet, it could be used to mount an off-line image of a suspect filesystem, in a typical forensics analysis way, and scan it for rootkit infections.

One of the mitigation actions for the Microsoft DNS vulnerability is the disablement of the RPC Management functionality. Jesper Johansson explains how to do it in a large number of Domain Controllers and DNS servers (thanks Daniel!)

In short, the method consists of generating a text list with all the DNS servers, and then using a short script to remotelly connecto to each one (using Enterprise Admin credentials) to change the registry parameter and restarting the DNS service.

It is recommended to do this until you can patch.

Note about this workaround:

Setting the registry value to 4 will disable remote management and configuration of DNS server functionality using RPC or WMI will be disabled. DNS management tools, will fail to work remotely. Local management and remote management through terminal services can be still used to manage your DNS Server configuration.

You will still be able to use the DNS management MMC Snap-in, DNSCMD.exe, and the DNS WMI provider.