5.16.2008

Scan your Linux-Distro for Root Kits


Do you suspect that you have a compromised system? Check now for root kits that the intruder may have installed!

What in the hell is a root kit?

A root kit is a collection of programs that intruders often install after they have compromised the root account of a system. These programs will help the intruders clean up their tracks, as well as provide access back into the system. Root kits will sometimes leave processes running so that the intruder can come back easily and without the system administrator's knowledge!

Solution

Scripts like chkrootkit will do the job for you automatically. This program locally checks for signs of a rootkit. No illegal activities are encouraged! I'm not responsible for anything you may do with it.

ATTENTION !!! DO NOT install chkrootkit on your system and simply run it periodically. An attacker may simply find the installation and change it so that it doesn't detect his presence. Compile it and put it on removable or read-only media.

STEP 1

Download the Latest Source tarball (37140 bytes).
From shell run...

# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

STEP 2

Then verify the tarball's MD5 checksum and compare the output with the checksum published alongside the tarball.
From shell run...

# md5sum chkrootkit.tar.gz

STEP 3

Use tar to unzip the source code.
From shell run...

# tar -xzf chkrootkit.tar.gz

STEP 4

Compile chkrootkit. Go into the directory that it created and type from shell...

# make sense

STEP 5

Run chkrootkit from the directory it was built in. From shell...

# ./chkrootkit

It will print each test that it performs and the result of the test:-

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
.
.
.
chkutmp: nothing deleted

chkrootkit can also be run on disks mounted in another machine; just specify the mount point for the partition with the -r option :-

# ./chkrootkit -r /mnt/hdc_image
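As an added example (not code from the original post and not part of chkrootkit itself), here is a POSIX shell wrapper that reduces a saved chkrootkit report to the lines that need attention and turns the result into an exit status a cron wrapper can act on; the report file names and sample lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post or of chkrootkit itself.
# chkrootkit prints one "Checking `name'... result" line per test. Clean
# results read "not infected"/"not found"/"nothing found"; the lines to
# act on contain "INFECTED", "Warning" or "Vulnerable". Matching is
# case-sensitive on purpose so that "not infected" never matches.
# Assumed input: a report saved with ./chkrootkit > report.txt.

PATTERN='INFECTED|Warning|Vulnerable'

# chkrootkit_findings FILE: print only the suspicious lines of a report.
chkrootkit_findings() {
    grep -E "$PATTERN" "$1"
}

# chkrootkit_finding_count FILE: number of suspicious lines, 0 when clean.
chkrootkit_finding_count() {
    grep -cE "$PATTERN" "$1" || true   # grep -c exits 1 on zero matches
}

# chkrootkit_status FILE: 0 clean, 1 findings, 2 empty or missing report
# (a failed or truncated run must never pass as "clean").
chkrootkit_status() {
    [ -s "$1" ] || return 2
    [ "$(chkrootkit_finding_count "$1")" -eq 0 ] || return 1
    return 0
}

# Constructed sample reports (shortened), not output from any real host.
SAMPLE_REPORT=$(mktemp); CLEAN_REPORT=$(mktemp); EMPTY_REPORT=$(mktemp)
trap 'rm -f "$SAMPLE_REPORT" "$CLEAN_REPORT" "$EMPTY_REPORT"' EXIT
cat > "$SAMPLE_REPORT" <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
chkutmp: nothing deleted
EOF
cat > "$CLEAN_REPORT" <<'EOF'
Checking `basename'... not infected
chkutmp: nothing deleted
EOF
for report in "$SAMPLE_REPORT" "$CLEAN_REPORT" "$EMPTY_REPORT"; do
    status=0
    chkrootkit_status "$report" || status=$?
    echo "$report: status $status"
    chkrootkit_findings "$report" || true
done
```

Lines from chkrootkit's "suspicious files and dirs" search are plain paths and are not flagged by this filter, so still read the full report.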

That's all, I hope you are not infected.

P.S
If you are not infected, I think it is a good time to make a copy of your disks. Generate a checksum for the partition you wish to image. From shell run...

# md5sum /dev/hdc2 > /tmp/hdc2.md5

To make the copy of the disk(s), we'll use the dd command. From shell...

# dd if=/dev/hdc of=/tmp/hdc.img

You will need enough space in /tmp to hold a copy of the entire /dev/hdc drive. This means that /tmp shouldn't be a RAM disk and should not be stored on /dev/hdc. Write it to another hard disk.
