Checking Rootkits with Chkrootkit and rkhunter
Most rootkits use the power of the kernel to hide themselves and are only visible from the kernel. Question: how do I detect rootkits under Ubuntu? Here are the solutions.
Using Zeppo
Zeppo allows you to detect rootkits on the i386 and x86_64 architectures under Linux by using /dev/kmem and /dev/mem. Moreover, it can also detect hidden tasks, connections, corrupted symbols, system calls and many other things.
I haven't used it, so no documentation for it.
-- don't worry, someone else who uses it will update this section with where the documentation for Zeppo is :-). This is a wiki.
-- see the README file inside the tarball for documentation -- BikalKC
Using Chkrootkit
chkrootkit is a tool that checks for signs of rootkits on the local box. Type the following command to install chkrootkit:
$sudo apt-get install chkrootkit
Start checking for rootkits:
$sudo chkrootkit
OUTPUT
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
... etc.
Looking for suspicious strings:
$sudo chkrootkit -x | less
The -p option specifies the path to the external commands chkrootkit itself relies on (awk, grep, etc.), so that a compromised copy of those tools on the checked system is not used. Mount a set of known-good binaries at /mnt/tocheck via NFS, read-only, and point chkrootkit at that path:
$ sudo chkrootkit -p /mnt/tocheck
Using rkhunter
rkhunter is a shell script that scans for rootkits, backdoors and possible local exploits. It carries out various checks on the local system to try and detect known rootkits and malware. It also checks whether commands have been modified, whether the system startup files have been modified, and performs various checks on the network interfaces, listening applications, etc. To install rkhunter:
$ sudo apt-get install rkhunter
This command option tells rkhunter to perform various checks on the local system:
$ sudo rkhunter --check
Update rkhunter
$ sudo rkhunter --update
The following option tells rkhunter which directories to look in to find the various commands:
$ sudo rkhunter --check --bindir /mnt/tocheck
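The following is an added example, not code from this wiki page or from the chkrootkit/rkhunter projects: a cron-friendly wrapper around the commands above that runs both scanners with their binaries taken from the read-only trusted mount and reduces chkrootkit's per-binary output to a clean/flagged verdict. TRUSTED_BIN, LOG and the SAMPLE output are constructed assumptions, and rkhunter's --skip-keypress option is assumed to be present in your version (it stops the interactive pauses).

```shell
#!/bin/sh
# Added example, not from the wiki or the scanner projects: wrap chkrootkit and
# rkhunter for unattended runs, using binaries from a trusted read-only mount.
# TRUSTED_BIN, LOG and SAMPLE below are assumptions constructed for illustration.

TRUSTED_BIN=/mnt/tocheck            # read-only NFS mount of trusted binaries
LOG=/var/log/rootkit-scan.log       # where the full scanner output is kept

# Print every chkrootkit line that reports a hit. chkrootkit prints "INFECTED"
# for a trojaned binary and "Warning:" for suspicious findings; the clean
# results "not infected" and "not found" do not match (grep is case-sensitive).
chkrootkit_hits() {
    grep -E 'INFECTED|Warning'
}

# Count the hits in chkrootkit output read from stdin; always prints a number.
chkrootkit_hit_count() {
    awk '/INFECTED|Warning/ { n++ } END { print n + 0 }'
}

# Verdict for chkrootkit output on stdin: exit 0 when clean, 1 when flagged.
chkrootkit_verdict() {
    [ "$(chkrootkit_hit_count)" -eq 0 ]
}

# Run both scanners against the trusted mount (-p for chkrootkit's external
# commands, --bindir for the commands rkhunter examines), keep the full output
# in LOG and return chkrootkit's verdict so cron can alert on a non-zero exit.
run_scans() {
    out=$(chkrootkit -p "$TRUSTED_BIN" 2>&1)
    { date; printf '%s\n' "$out"; } >> "$LOG"
    rkhunter --check --bindir "$TRUSTED_BIN" --skip-keypress >> "$LOG" 2>&1
    printf '%s\n' "$out" | chkrootkit_verdict
}

# Constructed sample of chkrootkit output (not from a real scan) to try the
# helpers on: two of the five lines should be reported as hits.
SAMPLE="ROOTDIR is \`/'
Checking \`basename'... not infected
Checking \`chsh'... INFECTED
Checking \`lkm'... chkproc: Warning: Possible LKM Trojan installed
Checking \`sniffer'... lo: not promisc and no packet sniffer sockets"

# Run the real scans only when invoked as: sh rootkit-scan.sh --run
if [ "${1:-}" = "--run" ]; then
    run_scans
fi
```

Try the helpers without root by piping the sample through them: `printf '%s\n' "$SAMPLE" | chkrootkit_hits` prints the two flagged lines.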
Further resources
- man pages of rkhunter and chkrootkit
- rkhunter project home page
- chkrootkit project home page
