Linux HOWTOs


HOWTO: chkrootkit
Description: Locally checks for signs of a rootkit
NOTE: I use GNU tar >= 1.13.25, so it's -j for .tar.bz2 files. It's safe to assume that make, gcc, binutils, fileutils/coreutils, gawk, sed, and grep are prerequisites for almost everything.

# chkrootkit 0.46a
# ================
test -f installed/chkrootkit-0.46a.tar.gz &&
 mv installed/chkrootkit-0.46a.tar.gz .
test ! -f chkrootkit-0.46a.tar.gz &&

# Verify tarball w/ md5sum:
echo "b73fb9e365d2edcd031d65b16e965a18  chkrootkit-0.46a.tar.gz" | md5sum -c

# Verify tarball w/ sha1sum:
# (chkrootkit.tar.gz.sig is not a detached PGP signature, so I decrypted it,
# took a sha1sum of the result and of chkrootkit-0.46a.tar.gz, and they match)
echo "5213b107cda5e5165da463650885efe8c15a14d2  chkrootkit-0.46a.tar.gz" | \
 sha1sum -c

# Become root to install it

find /usr/local -maxdepth 1 -type d -name "chkrootkit-*" -exec rm -r {} \;
test -L /usr/local/chkrootkit && rm /usr/local/chkrootkit
tar xzvf chkrootkit-0.46a.tar.gz -C /usr/local/
ln -sf /usr/local/chkrootkit-0.46a /usr/local/chkrootkit
cd /usr/local/chkrootkit
chown -R root:root .
make sense

# If you use the Rik van Riel/Robert Love version of procps (2.0.x), the
# LKM test will falsely report hidden processes.  If you use the Albert
# Calahan version (3.x.x; the one at SourceForge), you will not have this
# problem.  I half-noticed a discussion about this on the chkrootkit mailing
# list, but I don't recall the solution.
# I don't use procps 2.x any more, so let me know if this is no longer true.

# This patch will cause chkrootkit to strip .packlist files in
# /usr/lib/perl5, as long as they're ASCII, from the suspicious files and
# dirs list:
wget -nc \
chkrootkit-0.45-packlist.patch &&
 patch -p0 < chkrootkit-0.45-packlist.patch

# Machines of mine that have source-installed versions of net-tools show an
# INFECTED 'netstat', this fixes that:
wget -nc \
chkrootkit-0.46a-sockaddr.patch &&
 patch -p0 < chkrootkit-0.46a-sockaddr.patch

# To run chkrootkit with all tests, run it like so.  Use -q to only output
# potential problems.
cd /usr/local/chkrootkit && ./chkrootkit 2>&1 | less

## If you do not have the /etc/cron.*/ directories set up, add a crontab entry
## to root's crontab like this one to run chkrootkit every night at 2am and
## then e-mail the output to root.  It should be on one line if it doesn't
## appear that way in your browser.
#0 2 * * * (cd /usr/local/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit $HOSTNAME" root)

# ...or if you do have the /etc/cron.(hourly|daily|weekly|monthly) directories
# set up (the root crontab in Slack 8.1 or greater will use them if they
# exist), this will run chkrootkit daily at 4:40am (along with the other
# cron.daily scripts).  Note: if your mktemp doesn't have a -t commandline
# option and you can't upgrade it change the command to
# "mktemp /tmp/chkrootkit.XXXXXX".
cat << EOF > /etc/cron.daily/chkrootkit
cd /usr/local/chkrootkit
## Uncomment the following line (and comment-out the others) to e-mail
## the full chkrootkit output to root every day (whenever cron.daily is
## run):
#./chkrootkit 2>&1 | mail -s "chkrootkit \$HOSTNAME" root
TMPFILE=\`mktemp -t chkrootkit.XXXXXXXXXX\` || exit 1
./chkrootkit -q > \$TMPFILE
test -s "\$TMPFILE" && cat \$TMPFILE | mail -s "chkrootkit \$HOSTNAME" root
rm -f \$TMPFILE
EOF
test -s /etc/cron.daily/chkrootkit && chmod 700 /etc/cron.daily/chkrootkit
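
# The cron.daily script above mails every line of chkrootkit -q output, so the
# known false positives this HOWTO patches around (ASCII .packlist files, a
# source-built netstat) would be mailed nightly and could bury a real finding.
# The following is an added example, not part of the HOWTO or of chkrootkit:
# a wrapper that keeps a file of reviewed, accepted lines and mails root only
# what is new. CHKROOTKIT_DIR, BASELINE and MAILER are assumed names/paths.

```shell
#!/bin/sh
# Added example (not from the HOWTO or chkrootkit): mail root only the
# chkrootkit -q lines that have not already been reviewed and accepted, so
# known false positives do not hide a genuinely new finding. Paths and the
# BASELINE/MAILER variable names are assumptions for this example.
CHKROOTKIT_DIR=${CHKROOTKIT_DIR:-/usr/local/chkrootkit}
BASELINE=${BASELINE:-/var/lib/chkrootkit/accepted}   # reviewed lines, one per line
MAILER=${MAILER:-mail}                               # mail(1) or a stand-in
export LC_ALL=C                    # sort(1) and comm(1) must agree on collation

# new_findings CURRENT BASELINE: print lines of CURRENT absent from BASELINE.
# Inputs are normalised (blank lines dropped, sorted) so comm(1) is exact;
# a missing baseline file means every line is new.
new_findings() {
    cur=$(mktemp) || return 2
    base=$(mktemp) || { rm -f "$cur"; return 2; }
    grep -v '^[[:space:]]*$' "$1" | sort -u > "$cur"
    { [ -f "$2" ] && grep -v '^[[:space:]]*$' "$2"; } | sort -u > "$base"
    comm -23 "$cur" "$base"
    rm -f "$cur" "$base"
}

# check_and_report OUTFILE: mail only the new lines; return 1 when there are
# any (so cron records a failure), 0 when everything was already accepted.
check_and_report() {
    new=$(new_findings "$1" "$BASELINE")
    [ -z "$new" ] && return 0
    printf '%s\n' "$new" | $MAILER -s "chkrootkit $(hostname): new findings" root
    return 1
}

# run_nightly: what /etc/cron.daily/chkrootkit would call as root.
run_nightly() {
    out=$(mktemp -t chkrootkit.XXXXXXXXXX) || return 2
    (cd "$CHKROOTKIT_DIR" && ./chkrootkit -q > "$out" 2>&1)
    check_and_report "$out"; rc=$?
    rm -f "$out"
    return $rc
}

# demo: constructed sample output (not real scan results) against a baseline
# that already accepts the netstat line; prints the one line that is new.
demo() {
    d=$(mktemp -d) || return 2
    printf 'INFECTED netstat\nWarning: Possible LKM Trojan installed\n' > "$d/cur"
    printf 'INFECTED netstat\n' > "$d/accepted"
    new_findings "$d/cur" "$d/accepted"
    rm -rf "$d"
}
case "${1:-}" in run) run_nightly ;; demo) demo ;; esac
```

Once a line has been examined and judged harmless, append it verbatim to the BASELINE file and it will not be mailed again; anything chkrootkit starts reporting afterwards still is.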

# Become yourself again

mkdir -p -m 0700 installed
rm -f installed/chkrootkit-*.tar.*
mv chkrootkit-0.46a.tar.gz installed/


Last updated: Wed, 29 Apr 2020 22:04:50 -0400
Jason Englander <jason at englanders dot us>