CHKRootkit

From Security Lab Wiki





Overview

Environments:

chkrootkit is tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x,
FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x, 3.x and 4.x., NetBSD
1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64, BSDI and Mac
OS X.


chkrootkit checks for signs of rootkits. It has multiple modules: chkrootkit, ifpromisc.c, chklastlog.c, chkwtmp.c, check_wtmpx.c, chkproc.c, chkdirs.c, strings.c, chkutmp.c; chkrootkit is the main module which controls all other modules.


chkrootkit checks system binaries for modifications. Examples of system binaries checked by chkrootkit: find, grep, cron, crontab, echo, env, su, ifconfig, init, sendmail, write, and others.

Next, it finds default files and directories of many rootkits (sniffer's logs, HiDrootkit's default dir, tOrn's default files and dirs...).

Then, it is going to show you a long list of suspicious files and directories (this may take a while).

After that, it continues to look for default files and directories of known rootkits (not sure why chkrootkit has to stop and then resume this process).

It also checks for anomalies in history files, checks whether the network interface is in promiscuous mode, checks for lastlog, wtmp, wtmpx and utmp deletions, and checks for entries in /proc that are hidden from ps and readdir (a sign of infection by an LKM trojan).
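The hidden-process test mentioned above works by comparing what /proc exposes with what ps reports: a PID that exists in /proc but never shows up in ps output is a candidate for being hidden by an LKM rootkit. The following shell script is an added example of that comparison, not part of chkrootkit's own code (chkrootkit's chkproc module does this in C). The function names and the sample PID lists are constructed for illustration.

```shell
#!/bin/sh
# Added example (not chkrootkit's code): the idea behind the chkproc test.
# A PID visible as a /proc entry but absent from ps output may be hidden
# from userland by a kernel-level (LKM) rootkit.

# hidden_pids PROC_LIST PS_LIST
# Both arguments are whitespace-separated PID lists. Prints, one per line,
# every PID that is in PROC_LIST but not in PS_LIST.
hidden_pids() {
    proc_list=$1
    ps_list=$2
    for pid in $proc_list; do
        found=0
        for seen in $ps_list; do
            [ "$pid" = "$seen" ] && { found=1; break; }
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$pid"
    done
    return 0
}

# scan_live: take a /proc snapshot and a ps snapshot on a Linux host and
# report the difference. Processes that exit between the two snapshots show
# up as false positives, so re-run and only trust PIDs that persist.
scan_live() {
    proc_now=$(ls /proc 2>/dev/null | grep -E '^[0-9]+$' | tr '\n' ' ')
    ps_now=$(ps -eo pid= 2>/dev/null | tr -d ' ' | tr '\n' ' ')
    hidden_pids "$proc_now" "$ps_now"
}

# Constructed sample: PID 4242 has a /proc entry but is missing from ps.
SAMPLE_PROC="1 2 100 4242 5000"
SAMPLE_PS="1 2 100 5000"

# Demo on the constructed sample (prints 4242). For a real check on a Linux
# host, call scan_live instead.
hidden_pids "$SAMPLE_PROC" "$SAMPLE_PS"
```

The comparison is deliberately written with plain loops rather than `comm` so that it does not depend on sorted input; on a live host, run `scan_live` a couple of times and investigate only the PIDs that appear in every run.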


Download chkrootkit at: http://www.chkrootkit.org


Options

Before chkrootkit can be used it must be compiled.

From the installation directory, run:

make sense

To start chkrootkit with the default options (run all the tests):

sudo ./chkrootkit


For other options, use the syntax:

sudo ./chkrootkit [options] [testname ...]


Options:

-h                 show this help and exit
-V                 show version information and exit
-l                 show available tests
-d                 debug
-q                 quiet mode
-x                 expert mode
-r dir             use dir as the root directory
-p dir1:dir2:dirN  path for the external commands used by chkrootkit
-n                 skip NFS mounted dirs


testname can be one or more of:

aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper
z2 chkutmp amd basename biff chfn chsh cron crontab date du dirname
echo egrep env find fingerd gpm grep hdparm su ifconfig inetd
inetdconf identd init killall ldsopreload login ls lsof mail mingetty
netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd
slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed
traceroute vdir w write


Simple Examples

-Check for trojaned find and grep, and check whether the network interface is in promiscuous mode:

sudo ./chkrootkit find grep sniffer

-Only show infections or suspicious results (-q is short for quiet):

sudo ./chkrootkit -q

-Use -p to specify the path to a trusted copy of the system binaries chkrootkit uses to perform its tests, if you suspect the ones installed on the system may be infected. System binaries used by chkrootkit: awk, cut, egrep, find, head, id, ls, netstat, ps, strings, sed, uname.

sudo ./chkrootkit -p /media/disk

-You can specify the root directory if the system files to check are on another partition or disk. Note that -r expects a directory, not a device node, so mount the partition first (the mount point /mnt/disk below is only an example) and point -r at the mount point:

sudo ./chkrootkit -r /mnt/disk


Related Tools

Linux-based Rootkit tools:

Rootkit Hunter


Windows-based rootkit tools:

RootkitRevealer:
RootkitRevealer is an advanced rootkit detection utility developed by Microsoft.

Sophos Anti-Rootkit:
Sophos Anti-Rootkit scans, detects and removes rootkits.

Panda Anti-Rootkit:
Panda Anti-Rootkit detects and removes rootkits.


Resources

Official chkrootkit website: http://www.chkrootkit.org

This page was last modified on 17 April 2009, at 05:18.