Unix Security: Diagnostics and Forensics

17. `chkrootkit` and `rkhunter`

There is no way to be certain whether or not a machine has been rooted without booting from clean media. But these machines help — alot.

17.1. `chkrootkit`

From the www.chkrootkit.org website:

chkrootkit is a tool to locally check for signs of a rootkit. It contains:

chkrootkit shell script that checks system binaries for rootkit modification.
ifpromisc.c checks if the interface is in promiscuous mode.
chklastlog.c checks for lastlog deletions.
chkwtmp.c checks for wtmp deletions.
check_wtmpx.c checks for wtmpx deletions. (Solaris only)
chkproc.c checks for signs of LKM trojans.
chkdirs.c checks for signs of LKM trojans.
strings.c quick and dirty strings replacement.
chkutmp.c checks for utmp deletions.

Read the man page, or simply:

    root> chkrootkit -h
    Usage: /usr/sbin/chkrootkit [options] [test ...]
    Options:
        -h                show this help and exit
        -V                show version information and exit
        -l                show available tests and exit
        -d                debug
        -q                quiet mode                         
        -x                expert mode
        -r dir            use dir as the root directory
        -p dir1:dir2:dirN path for the external commands used by chkrootkit
        -n                skip NFS mounted dirs

Quiet mode is good for a daily cron job.

17.2. RK Hunter

From the www.rkhunter.org (also rootkit.nl) website:

Rootkit Hunter

Shell script
No program dependencies (except optional Perl modules)
Works on almost every UNIX-alike operating system (BASH shell preferred)

rkhunter is written in Perl so its easy to get a good idea of what it's doing as it performs it's tests.

There are many usage options; here are some:

  rkhunter <parameters>

    --checkall (or -c)
        Check the system, performs all tests.

    --createlogfile*
        Create a logfile (default /var/log/rkhunter.log)

    --cronjob
        Run as cronjob (removes colored layout)

    --help (or -h)
        Show help about usage

    --nocolors*
        Don't use colors for output (some terminals don't like 
        colors or extended layout characters)

    --report-mode*
        Don't show uninteresting information for reports, like 
        header/footer.  Interesting when scanning from crontab or with 
        usage of other applications.

    --skip-keypress*
        Don't wait after every test (makes it non-interactive)

...previous

up (conts)

next...

About this document:

Produced from the SGML: /home/umits/public_html/_unix_security/_reml_grp/diagnostic_forensic_tools.reml
On: 23/10/2005 at 13:29:12
Options: reml2 -i noindex -l long -o html -p multiple

17. chkrootkit and rkhunter

17.1. chkrootkit

17.2. RK Hunter

17. `chkrootkit` and `rkhunter`

17.1. `chkrootkit`