Install CHKROOTKIT



Product Name: CHKROOTKIT
Product Version: 0.49
Homepage: http://www.chkrootkit.org/
Description: chkrootkit (Check Rootkit) is a widely used Unix program that helps system administrators check a host for known rootkits. It is a shell script built on common UNIX/Linux tools such as strings and grep: it searches core system binaries for known rootkit signatures, and it compares a traversal of the /proc filesystem against the output of ps (process status) to find processes that a rootkit is hiding.
It can be run from a "rescue disc" (typically a LiveCD), or it can be pointed at an alternative directory from which to run all of the commands it depends on. Both approaches matter because a rootkit that has replaced ls, ps or netstat on the compromised host can otherwise feed chkrootkit false results; using known-good binaries lets chkrootkit trust its own tools somewhat more.
Any program that tries to detect compromises (rootkits, viruses) has inherent limits. Newer rootkits may specifically look for chkrootkit and tamper with it, or take other steps to evade its checks, so a clean report is not proof of a clean system.


Step 1: Downloading and Installing it:

Building chkrootkit requires gcc and make; install them first if the build step below fails with "make: command not found". The MD5 file is fetched from the same server as the tarball, so the check only catches a corrupted or incomplete download, not a tampered server.

cd /usr/local/src
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
md5sum -c chkrootkit.md5
tar -zxvf chkrootkit.tar.gz
mkdir /usr/local/chkrootkit
mv /usr/local/src/chkrootkit*/* /usr/local/chkrootkit
cd /usr/local/chkrootkit
make sense



Step 2: Adding program to daily cron job

With the build done, chkrootkit is installed. To have it run every day and mail you a status report, create a script in the daily cron directory:

nano -w /etc/cron.daily/chkrootkit.sh



Step 2.1: Add this text to the chkrootkit.sh file

#!/bin/sh
# Run chkrootkit and mail the full report.
(
/usr/local/chkrootkit/chkrootkit
) | /bin/mail -s 'CHKROOTKIT Daily Run (PutServerNameHere)' your@email.here

Remember to change PutServerNameHere and your@email.here. The /bin/mail command comes from the mailx package, which must be installed for the report to be delivered.


Step 2.2: Chmodding chkrootkit

The script runs as root, so make it readable and executable by root only:

chmod 700 /etc/cron.daily/chkrootkit.sh

Note for Debian and Ubuntu users: run-parts on those systems skips files in /etc/cron.daily whose names contain a dot, so name the script chkrootkit (without the .sh) there or it will never run.




Optional config 1: Make the content of the email report focus on possible threats only

nano -w /etc/cron.daily/chkrootkit.sh

Add -q (quiet mode) to the /usr/local/chkrootkit/chkrootkit line. In quiet mode chkrootkit suppresses the "not infected" and "nothing found" lines and prints only findings it considers suspicious, so a clean run produces an empty report:

/usr/local/chkrootkit/chkrootkit -q
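The following is an added example for this tutorial, not code from chkrootkit or from the original post. It generates the daily cron wrapper described in Step 2 with three practical improvements: the server name is read from hostname at run time instead of being hardcoded, the scan runs with -q, and mail is only sent when the quiet-mode report is non-empty, so an empty (clean) run does not generate a daily message. The install path is the one used above; the recipient address and the sample report lines are constructed for illustration.

```shell
#!/bin/sh
# Added example for this tutorial, not part of chkrootkit itself.
# Generates an /etc/cron.daily wrapper that runs chkrootkit -q and mails
# the report only when something was flagged. Paths and sample report
# lines below are assumptions, not real scan output.

CHKROOTKIT=/usr/local/chkrootkit/chkrootkit   # install path from Step 1

# has_findings REPORT_TEXT
# Returns 0 when the -q output contains at least one non-blank line,
# i.e. chkrootkit printed an INFECTED or warning line.
has_findings() {
    [ -n "$(printf '%s\n' "$1" | grep -v '^[[:space:]]*$')" ]
}

# count_infected REPORT_TEXT
# Counts the lines chkrootkit marked with the word INFECTED.
count_infected() {
    printf '%s\n' "$1" | grep -c 'INFECTED' || true
}

# make_cron_script RECIPIENT OUTFILE
# Writes the daily wrapper to OUTFILE and makes it root-only executable
# (the same chmod 700 as Step 2.2). RECIPIENT is baked into the script.
make_cron_script() {
    recipient=$1
    outfile=$2
    cat > "$outfile" <<EOF
#!/bin/sh
# Daily chkrootkit run. -q prints only suspicious findings, so an empty
# report means a clean run and no mail is sent.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH
report=\$($CHKROOTKIT -q 2>&1)
if [ -n "\$(printf '%s\n' "\$report" | grep -v '^[[:space:]]*\$')" ]; then
    printf '%s\n' "\$report" | /bin/mail -s "CHKROOTKIT Daily Run (\$(hostname))" "$recipient"
fi
EOF
    chmod 700 "$outfile"
}

# Constructed sample reports (not real chkrootkit output) to exercise the
# decision logic offline: an empty quiet-mode report and one with findings.
CLEAN_REPORT=""
DIRTY_REPORT="Checking 'ls'... INFECTED
Checking 'ps'... INFECTED
Checking 'lkm'... chkproc: Warning: Possible LKM Trojan installed"

# Stand-alone demo: write the wrapper to a temporary file and show where.
demo_file=$(mktemp)
make_cron_script 'your@email.here' "$demo_file"
echo "generated wrapper: $demo_file"
if has_findings "$DIRTY_REPORT"; then
    echo "sample report would be mailed ($(count_infected "$DIRTY_REPORT") INFECTED lines)"
fi
```

To deploy, call make_cron_script with your address and /etc/cron.daily/chkrootkit (no .sh suffix on Debian-based systems, see Step 2.2) and make sure mailx is installed so /bin/mail exists. Silence then means a clean run; keep in mind that chkrootkit is known to produce occasional false positives in quiet mode, so investigate a finding before acting on it.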

4 Comments

  1. Harrowed says:

    I think you reused your RKhunter crontab script n forgot to rename the subject :D

    *Fixed – Admin*

  2. Charlie says:

    Hi, thank you for howtos for people like me (not so Linux savvy).
    I’m installing chrootkit on CentOS final, but after the command “make sense” I get:
    - bash: make: command not found

    can you help me?

    Thanks
    charlie

  3. Charlie says:

    Ok I installed make. After “make sense” I got this:

    [quote]
    -bash-3.1# make sense
    gcc -DHAVE_LASTLOG_H -o chklastlog chklastlog.c
    gcc -DHAVE_LASTLOG_H -o chkwtmp chkwtmp.c
    chkwtmp.c: In function ‘main’:
    chkwtmp.c:95: warning: incompatible implicit declaration of built-in function ‘exit’
    gcc -DHAVE_LASTLOG_H -D_FILE_OFFSET_BITS=64 -o ifpromisc ifpromisc.c
    gcc -o chkproc chkproc.c
    gcc -o chkdirs chkdirs.c
    gcc -o check_wtmpx check_wtmpx.c
    gcc -static -o strings-static strings.c
    gcc -o chkutmp chkutmp.c
    [/quote]

    Is chrootkit installed now?

  4. Ainberliner says:

    hi, since you add /bin/mail into daily cron script, i think it is better to mention that mailx rpm package needs to be installed…

    ADMIN EDIT: added mailx in the System Prep page.
