04 May 07

Two tools to detect rootkits in Linux

Rootkits are toolkits installed by an intruder after a system has been compromised. They help the intruder keep access to the system while hiding the toolkit itself, its processes, its open ports, its files, etc. from the system administrator.

There are several interesting tools for scanning a system for the presence of rootkits. In this post I’ll look at the two tools I use: Rootkit Hunter and chkrootkit.

Rootkit Hunter

http://rkhunter.sourceforge.net/

Rootkit Hunter is a scanner that looks for rootkits, backdoors and local exploits. It checks the MD5 hashes of important system binaries against known-good values, looks for the default files and directories left behind by known rootkits, wrong permissions on binaries, suspicious strings in kernel modules, hidden files, and so on. It works on most flavours of Linux, BSD (OpenBSD, FreeBSD, MacOS X, but not NetBSD) and some Unix variants (AIX, Solaris, etc.).

Once you have downloaded Rootkit Hunter, unpack it and run the installer.sh script as root.

Rootkit Hunter - installing

After installing, run it (as root) with one of the following options:

rkhunter -c

- performs the standard check of the system

rkhunter -c --quick

- performs a quick scan

rkhunter -c --check-deleted

- performs a "deleted files" check (running processes that still use files that have been deleted)

rkhunter -c --scan-knownbad-files

- performs a "known-bad files" check

rkhunter --update

- updates the database of rootkit signatures

Run --update before a scan so the checks use current signatures. The exact option set varies between rkhunter versions; rkhunter --help lists the ones your version accepts. Current versions also keep a local baseline of file properties (built with rkhunter --propupd) that the file checks compare against, so that baseline has to be created on a known-clean system: a baseline taken after a compromise would only certify the trojaned binaries.

Rootkit Hunter - scanning

An interesting option is to schedule a periodic update and system check with a cron job, using the following script (make it executable and add it to the crontab or drop it in the /etc/cron.daily directory):

#!/bin/sh
# Daily rkhunter run: check for a newer rkhunter release, refresh the
# rootkit database, then scan and mail only the warnings to root.
( /usr/local/bin/rkhunter --versioncheck
  /usr/local/bin/rkhunter --update
  /usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run' root

chkrootkit

http://www.chkrootkit.org/

chkrootkit is another option for our rootkit-detection toolkit. It can be downloaded from: http://www.chkrootkit.org/download/

It doesn’t need to be installed: just unpack it and run chkrootkit as root. This makes it convenient to run from read-only media, such as a CD-ROM, so that the detection tool itself cannot have been tampered with on the suspect host. Note that chkrootkit is a shell script that calls system utilities (awk, ls, ps, netstat, strings, etc.); on a compromised host those may be trojaned too, so use the -p option to point it at trusted copies of those binaries, for example on the same CD-ROM: chkrootkit -p /mnt/cdrom/bin

chkrootkit - scanning

chkrootkit has an interesting option, -r, which allows you to specify the root directory to be scanned instead of /. Although I haven’t tested it yet, it could be used to mount an off-line image of a suspect filesystem, in the typical forensic-analysis way, and scan it for rootkit infections.
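Putting the two options together, the following script is an added example (not from the original post or the chkrootkit project) of an offline scan: it mounts a disk image read-only with nothing on it executable, refuses to proceed unless the mount really is read-only, and runs chkrootkit with -r pointed at the image and -p pointed at trusted utilities. All paths (the CD-ROM with the trusted tools, the evidence mount point, the chkrootkit location) are assumptions, and the mount table used to exercise the check is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post or the chkrootkit project: scan an
# offline disk image with chkrootkit, using trusted copies of the utilities it
# calls. All paths below are assumptions for this example.

TRUSTED_BIN=${TRUSTED_BIN:-/mnt/cdrom/bin}            # clean awk, ls, ps, netstat, strings, ...
CHKROOTKIT=${CHKROOTKIT:-/mnt/cdrom/chkrootkit/chkrootkit}
EVIDENCE=${EVIDENCE:-/mnt/evidence}                   # where the suspect filesystem is mounted

# True when MOUNTPOINT appears in a /proc/mounts-style table ($2 = mount point,
# $4 = comma-separated options) with the "ro" option, i.e. the scan cannot
# alter the image. The table defaults to the live /proc/mounts.
is_mounted_ro() {
    awk -v mp="$1" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
        END { exit !found }' "${2:-/proc/mounts}"
}

# True when the directory holds every external command chkrootkit depends on
# (the list from its README), so a trojaned ls or ps on the suspect system
# cannot be picked up by accident.
have_trusted_tools() {
    for t in awk cut egrep find head id ls netstat ps strings sed uname; do
        [ -x "$1/$t" ] || return 1
    done
    return 0
}

# Mount the image read-only with nothing on it executable, then run chkrootkit
# against it: -r makes the image root the scan root, -p puts the trusted
# directory first in the search path for the commands chkrootkit runs.
scan_image() {
    image=$1
    if ! have_trusted_tools "$TRUSTED_BIN"; then
        echo "missing trusted tools in $TRUSTED_BIN" >&2
        return 1
    fi
    mount -o ro,loop,noexec,nosuid,nodev "$image" "$EVIDENCE" || return 1
    if ! is_mounted_ro "$EVIDENCE"; then
        echo "refusing to scan: $EVIDENCE is not mounted read-only" >&2
        umount "$EVIDENCE"
        return 1
    fi
    "$CHKROOTKIT" -r "$EVIDENCE" -p "$TRUSTED_BIN"
    rc=$?
    umount "$EVIDENCE"
    return $rc
}

# Usage: scan-image.sh /path/to/suspect.img (as root). With no argument the
# functions are only defined, so they can be sourced and tested elsewhere.
if [ -n "${1:-}" ]; then
    scan_image "$1"
fi
```

Keep in mind what -r does and does not cover: the file-based tests (trojaned binaries, known rootkit files and directories, suspicious strings) are run against the image, but the checks that look at the running kernel and process table (the chkproc and LKM tests) inspect the analysis machine, not the system the image came from.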

