Detecting rootkits and malware on linux with chkrootkit

Remember, you can drive a car knowing nothing more than how to press the accelerator and the brake (as a user), but if you know how the engine works you can check, improve and fix it yourself (as an admin).

I have not talked about rootkits until now, and will probably do so in the next post, but for now you should know that a rootkit enables access to a computer, or to areas of its software, that would not otherwise be allowed (for example to an unauthorized user), and often masks its own existence or the existence of other software. The term "rootkit" is a concatenation of "root" (the traditional name of the privileged account on Unix-like operating systems) and "kit" (the software components that implement the tool). The term has negative connotations through its association with malware.

Linux can be protected from the spread of most malware, but it is not absolutely safe, as many people think. If you run a Linux server, especially a web server, you should guard against rootkits, Trojans and other malicious software: some rootkits are built to destroy data, and once an attacker is in, the compromised server can be used to distribute malware to the site's visitors. How do you reduce that risk? One way is to use the right security check tool.

Let's talk about chkrootkit: chkrootkit is a tool to locally check for signs of a rootkit, worms and LKMs (loadable kernel module trojans). It contains:

* chkrootkit: a shell script that checks system binaries for rootkit modification.

* ifpromisc.c: checks if the network interface is in promiscuous mode.

* chklastlog.c: checks for lastlog deletions.

* chkwtmp.c: checks for wtmp deletions.

* check_wtmpx.c: checks for wtmpx deletions. (Solaris only)

* chkproc.c: checks for signs of LKM trojans.

* chkdirs.c: checks for signs of LKM trojans.

* strings.c: quick and dirty strings replacement.

* chkutmp.c: checks for utmp deletions.

chkwtmp and chklastlog *try* to check for deleted entries in the wtmp and lastlog files, but it is *not* guaranteed that any modification will be detected.

The aliens test tries to find sniffer logs and rootkit config files. It looks for some default file locations, so it is also not guaranteed to succeed in all cases.

chkproc checks whether /proc entries are hidden from ps and from the readdir system call, which could indicate an LKM trojan. You can also run this command with the -v option (verbose).
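The comparison chkproc makes, written out as an added example in Python (this is not chkrootkit's own chkproc code): the PIDs that /proc's directory listing shows are compared with the PIDs the kernel admits to when every PID is probed directly with kill(pid, 0). A PID that answers the probe but never appears in the listing is a candidate for a process hidden by an LKM rootkit. It assumes Linux with /proc mounted and the standard pid_max sysctl path; the 32768 fallback and the two-pass filter are choices made for the example.

```python
"""Hidden-PID check in the style of chkrootkit's chkproc (added example)."""
import os

PID_MAX_SYSCTL = "/proc/sys/kernel/pid_max"   # standard Linux sysctl path


def pids_from_readdir(proc="/proc"):
    """PIDs visible by listing /proc, i.e. the view a hooked readdir gives ps."""
    try:
        names = os.listdir(proc)
    except OSError:
        return set()
    return {int(n) for n in names if n.isdigit()}


def pids_from_kill_probe(pid_max):
    """PIDs the kernel admits to when probed with signal 0.

    kill(pid, 0) delivers nothing: success or EPERM means the PID exists,
    ESRCH means it does not.  This path does not go through /proc at all."""
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:      # ESRCH: no such process
            continue
        except PermissionError:         # EPERM: exists, owned by someone else
            pass
        alive.add(pid)
    return alive


def hidden_pids(listed, probed, own_pid):
    """Pure comparison: PIDs the kernel admits but /proc does not list.

    Our own PID is excluded so the checker never reports itself."""
    return sorted(p for p in (probed - listed) if p != own_pid)


def read_pid_max(path=PID_MAX_SYSCTL, fallback=32768):
    """Upper bound for the probe.  The fallback is an assumption for hosts
    where the sysctl cannot be read."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return fallback


def scan(passes=2, pid_max=None):
    """Run the comparison `passes` times and report only PIDs hidden in every
    pass; that filters processes which exited between the readdir and the
    probe (a normal race, not an attack)."""
    limit = pid_max if pid_max is not None else read_pid_max()
    me = os.getpid()
    survivors = None
    for _ in range(passes):
        found = set(hidden_pids(pids_from_readdir(), pids_from_kill_probe(limit), me))
        survivors = found if survivors is None else survivors & found
        if not survivors:
            break
    return sorted(survivors)


if __name__ == "__main__":
    hidden = scan()
    print("hidden PIDs:", hidden if hidden else "none")
```

Run it as root. If /proc is mounted with hidepid set, other users' processes are missing from the listing but answer the probe with EPERM, so an unprivileged run reports every foreign process as hidden; that is the mount option, not a rootkit. On kernels where pid_max is in the millions the probe loop takes a while in Python, which is why chkproc does the same thing in C.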

How to install it? On Debian/Ubuntu, type the following command:

sudo apt-get install chkrootkit

If you use a Mac, install Homebrew first and then the package:

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)" < /dev/null 2> /dev/null
brew install chkrootkit

How to use it? In a terminal, type the following command. It will ask for your admin password:

sudo chkrootkit

If the test reports rootkit signs, analyze each one, because some may be false positives. Any other suspected-rootkit reports need careful attention: go through the chkrootkit report line by line and work out the remediation yourself, because chkrootkit only detects; it does not clean or remove anything. Keep in mind that it runs on the possibly compromised system and uses that system's own commands (ps, netstat, ls, strings and so on); its -p option lets you point it at a path of trusted copies of those binaries instead.
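The analysis step above, as an added example in Python (not part of chkrootkit): the report is split into checks flagged INFECTED, warnings that need a human look, and clean checks, and the names of warnings that were examined and accepted as false positives are passed in explicitly so the decision stays visible in the output. The report text below is constructed for the example, modelled on chkrootkit's "Checking `name'... verdict" line format; it was not captured from a real host, and the clean-verdict phrase list is an assumption drawn from that format.

```python
"""Triage of a chkrootkit report (added example, not chkrootkit's own code)."""
import re
import subprocess

# Constructed sample report, not output from a real host.
SAMPLE_REPORT = """\
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... chkproc: nothing detected
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/usr/sbin/dhclient[812])
Checking `wted'... chkwtmp: nothing deleted
Checking `aliens'... no suspect files
Searching for suspicious files and dirs, it may take a while...
/usr/lib/debug/.build-id
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         1034 pts/0  bash
chkutmp: nothing deleted
"""

# A report is a sequence of blocks: a "Checking `x'..." or "Searching for ..."
# header, then any lines the test printed before the next header.
CHECK_HDR = re.compile(r"^Checking `(?P<name>[^']+)'\.\.\.\s*(?P<rest>.*)$")
SEARCH_HDR = re.compile(r"^Searching for (?P<name>[^,]+)")

# Verdict fragments that mean "nothing to see" (assumed list); anything else
# is kept for review rather than silently ignored.
CLEAN_PHRASES = ("not infected", "not found", "nothing detected", "nothing deleted",
                 "not tested", "not promisc", "no suspect files")


def parse_blocks(report):
    """Group report lines into (check name, [body lines]) blocks."""
    blocks = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHECK_HDR.match(line)
        if m:
            rest = m.group("rest").strip()
            blocks.append((m.group("name"), [rest] if rest else []))
            continue
        m = SEARCH_HDR.match(line)
        if m:
            blocks.append((m.group("name").strip(), []))
            continue
        if blocks:                      # continuation line of the current check
            blocks[-1][1].append(line)
    return blocks


def classify(blocks, reviewed=frozenset()):
    """Sort blocks into infected / warnings / reviewed / clean.

    `reviewed` holds check names whose warning was examined by hand and judged
    a false positive; they are listed, not dropped."""
    out = {"infected": [], "warnings": [], "reviewed": [], "clean": []}
    for name, body in blocks:
        text = " ".join(body)
        if "INFECTED" in text:
            out["infected"].append((name, text))
        elif all(any(p in line for p in CLEAN_PHRASES) for line in body):
            out["clean"].append(name)           # also covers an empty body
        elif name in reviewed:
            out["reviewed"].append((name, text))
        else:
            out["warnings"].append((name, text))
    return out


def exit_code(result):
    """2 = something flagged INFECTED, 1 = unreviewed warnings, 0 = clean."""
    if result["infected"]:
        return 2
    return 1 if result["warnings"] else 0


def run_chkrootkit(args=()):
    """Run the real tool (as root) and return its stdout.  Do not pass -q:
    quiet mode suppresses the per-check headers this parser keys on."""
    proc = subprocess.run(["chkrootkit", *args], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    result = classify(parse_blocks(SAMPLE_REPORT), reviewed={"sniffer"})
    for key in ("infected", "warnings", "reviewed"):
        for name, text in result[key]:
            print(f"{key:9s} {name}: {text}")
    print("clean:", ", ".join(result["clean"]))
    raise SystemExit(exit_code(result))
```

The sniffer hit in the sample is the kind of report that needs a look before it is accepted: a DHCP client holding a packet socket is normal on many hosts, but the same line for an unknown binary is not, so the allowlist is per check name and is something you maintain, not something the script guesses. Feed `run_chkrootkit()` output into `parse_blocks()` to triage a live run.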

So remember, I'm always around to help with any questions. If you need help, just send me an email.
