Root out rootkits
True Negatives
You can spend a moment disabling false positives by editing the /etc/chkrootkit.conf file. As you can see in Figure 2, you don't have many default config settings to worry about. The first setting lets you choose whether to execute the chkrootkit command on a daily basis. If that setting is changed from "false" to "true", you can peek inside the cron job file /etc/cron.daily/chkrootkit to inspect the conditions used to launch the scheduled task. The RUN_DAILY_OPTS option holds the flags passed to chkrootkit on that daily run. The default "-q" stands for "quiet": in quiet mode, chkrootkit suppresses the long list of "not infected" and "nothing found" lines and only reports a critical "INFECTED" status or a similar warning, so an empty daily report means nothing was flagged.
If you wanted to receive the results of the chkrootkit tests every day by email, you could move the cron.daily/chkrootkit file somewhere like the /usr/local/etc/ directory (so that cron's daily run doesn't execute it a second time) and add the line in Listing 4, or something similar, to your /etc/crontab or the root user's crontab. Note that if chkrootkit complains, you might need to adjust the beginning of the command: replace the file name and its full path with cd /usr/local/etc; and then execute ./chkrootkit from within that directory. The example shown in the listing triggers every day at 1:00am. (Add your email address.)
Listing 4: Addition to crontab for Chkrootkit
To get rid of one of the Python false positives in Listing 2, you can add this entry to the foot of the /etc/cron.daily/chkrootkit file:
IGNORE="/usr/lib/pymodules/python2.7/.path"
Before you rely on it, read the script to confirm that it actually consults a variable of that name, because distributions package slightly different versions of the cron script. Keep the pattern as specific as the full path shown here: anything it matches will never be reported again, so a broad pattern is a blind spot a rootkit could hide behind.
After you've done that, try a test run to see if you're still getting false positives. Incidentally, if you want to peer into the innards of chkrootkit, you'll find the -x option fascinating. Expert mode puts the onus entirely on the user to interpret the output, but it's very useful to run at least once. The -x option dutifully lists the suspicious strings that chkrootkit searches for inside the binaries it scans. To handle the large amount of output, page through it:
chkrootkit -x | less
If you only want to see which paths are checked, the manual helpfully offers this solution:
chkrootkit -x | egrep '^/'
You are also advised to mount a potentially infected drive on another, known-clean machine so that you can inspect its content safely with the command:
chkrootkit -r /infected_disk-mountpoint
The reason is that chkrootkit does much of its work by calling the host's own commands (ps, ls, netstat, strings and so on), and on a live, compromised system those are exactly the binaries a rootkit replaces. If you have to scan a machine in place, the -p option lets you point chkrootkit at a directory of known-good copies of those commands, for example on read-only media, rather than trusting whatever is in $PATH.
The chkrootkit package includes a few other tools that are also executed when the chkrootkit script runs. Among its other clever functionality, chkrootkit will alert you if your Network Interface Card (NIC) is set to listen in "Promiscuous Mode"; that is, your NIC is configured to accept traffic that is not destined for your machine but is visible on the network link to which it's connected.
Good old network hubs were renowned for repeating everyone's traffic to every port, but thankfully it's not as big a deal these days, because modern switched networks forward unicast frames only to the port where the destination address was learned. However, you can still get interesting results from the ifpromisc tool included in the chkrootkit package, even if your machine is connected to a switch. On Linux, ifpromisc does more than read the PROMISC flag of each interface: it also looks through /proc/net/packet for raw packet sockets and reports the processes that own them as packet sniffers, which is why legitimate daemons such as DHCP clients and servers regularly appear in its output.
Unless you know that a valid service (e.g., a network sniffer, an intrusion detection sensor or a DHCP daemon) has purposely put your NIC into Promiscuous Mode or opened a packet socket, you should probably be concerned if one is found.
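Here is the same check done in a few lines of Python, as an added example that is not part of chkrootkit or of the original article. It assumes Linux, where /sys/class/net/<iface>/flags exposes the IFF_* bits in hex and /proc/net/packet lists every PF_PACKET socket with its socket inode in the last column; the /proc/net/packet sample embedded in the block is constructed, not captured from a real host, and resolving inodes to other users' processes needs root.

```python
"""ifpromisc-style check for Linux: promiscuous interfaces and packet-socket owners.

Added example; this is not chkrootkit's own code. It assumes the Linux layout of
/sys/class/net/<iface>/flags (IFF_* bits in hex) and /proc/net/packet (one PF_PACKET
socket per line, socket inode in the last column).
"""
import os
import re

IFF_PROMISC = 0x100                                 # from <linux/if.h>; set by 'ip link set eth0 promisc on'
SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")       # what /proc/<pid>/fd/N links to for a socket


def is_promisc(flags_hex: str) -> bool:
    """True if the IFF_PROMISC bit is set in a /sys/class/net/<iface>/flags value."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def packet_socket_inodes(proc_net_packet: str) -> dict:
    """Map socket inode -> ifindex for every PF_PACKET socket in /proc/net/packet.

    Columns: sk RefCnt Type Proto Iface R Rmem User Inode.  Iface 0 means the socket
    is bound to every interface, which is what 'tcpdump -i any' does.
    """
    inodes = {}
    for line in proc_net_packet.splitlines()[1:]:     # first line is the header
        fields = line.split()
        if len(fields) >= 9:
            inodes[int(fields[8])] = int(fields[4])
    return inodes


def socket_owners(inodes, proc="/proc"):
    """Resolve socket inodes to (pid, comm) by walking /proc/<pid>/fd.

    Needs root to look into other users' fd directories; unreadable ones are skipped.
    """
    owners = {inode: [] for inode in inodes}
    for pid in (p for p in os.listdir(proc) if p.isdigit()):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                               # exited meanwhile, or not permitted
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            match = SOCKET_LINK.match(target)
            if not match or int(match.group(1)) not in owners:
                continue
            try:
                with open(os.path.join(proc, pid, "comm")) as f:
                    comm = f.read().strip()
            except OSError:
                comm = "?"
            owners[int(match.group(1))].append((int(pid), comm))
    return owners


def scan(sys_net="/sys/class/net", proc="/proc"):
    """Return human-readable findings for the live system (the ifpromisc report)."""
    findings = []
    for iface in sorted(os.listdir(sys_net)):
        try:
            with open(os.path.join(sys_net, iface, "flags")) as f:
                if is_promisc(f.read()):
                    findings.append(f"{iface}: PROMISC")
        except OSError:
            continue
    try:
        with open(os.path.join(proc, "net", "packet")) as f:
            inodes = packet_socket_inodes(f.read())
    except OSError:                                   # no PF_PACKET support or not Linux
        return findings
    for inode, procs in socket_owners(inodes, proc).items():
        for pid, comm in procs:
            findings.append(f"ifindex {inodes[inode]}: PACKET SNIFFER {comm}[{pid}] (socket inode {inode})")
    return findings


# Constructed /proc/net/packet content (not captured from a real host): one raw
# ETH_P_ALL sniffer bound to ifindex 2 and one DGRAM socket bound to all interfaces.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9b2a0c1e8000 3      3    0003   2     1 0      0      28311
ffff9b2a0c1e9000 2      2    0800   0     1 0      0      28420
"""

if __name__ == "__main__":
    for line in scan() or ["nothing found"]:
        print(line)
```

Run it as root to see every process; as an ordinary user it can only attribute sockets belonging to your own processes, so an empty report is not proof of a clean host. A PROMISC flag without a matching packet socket is worth a second look, because a sniffer that sets the flag and then hides its socket is lying to exactly this kind of check.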
A malevolent attacker's modus operandi is to cover his tracks to avoid detection. One of the logging systems used on Unix-type systems resides in the wtmp (all logins and logouts) and lastlog (most recent login of each user) files, which hold fixed-size binary records rather than text. With that in mind, you shouldn't be entirely surprised to hear that chkrootkit also includes the chkwtmp and chklastlog tools to look for deleted entries in these logfiles: log-cleaning tools tend to blank a record rather than rewrite the whole file, and chkwtmp looks for such holes, while chklastlog cross-references lastlog against wtmp. Be warned that the manual makes an effort to remind you that all they can do is try to detect altered logfiles and that these checks are far from foolproof; an attacker who rewrites both files consistently leaves nothing for them to find.
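As an added example (not chkrootkit's code and not from the original article), the following Python scans a wtmp file for the blanked records that crude log cleaners leave behind and also flags timestamps that run backwards, which an append-only login log should not produce. It assumes the 384-byte struct utmp layout of glibc on x86_64; other architectures and C libraries pack the record differently, and the sample wtmp it builds is constructed in code, not copied from a real system.

```python
"""chkwtmp-style scan of a wtmp file for blanked login records.

Added example, not chkrootkit's own code.  UTMP_FORMAT is the 384-byte struct utmp of
glibc on x86_64 (assumption); other architectures pack the record differently.
"""
import struct

# short ut_type, 2 pad, int ut_pid, char ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# exit_status (two shorts), int ut_session, ut_tv (two int32), int32 ut_addr_v6[4], 20 unused
UTMP_FORMAT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)          # 384 on x86_64 glibc
USER_PROCESS = 7                                   # ut_type of a normal login
TV_SEC_INDEX = 9                                   # position of ut_tv.tv_sec in the unpacked tuple


def pack_record(ut_type, pid, line, user, host, ts):
    """Build one wtmp record; used here to construct sample data."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


def scan_wtmp(data):
    """Return a list of findings.

    Log cleaners that 'remove' a login usually overwrite its record with NULs instead of
    rewriting the file, leaving an all-zero record that a real login never produces.
    Timestamps running backwards are a weaker signal (a clock step at boot does it too),
    so they are reported separately for a human to judge.
    """
    findings = []
    if len(data) % UTMP_SIZE:
        findings.append(f"size {len(data)} is not a multiple of {UTMP_SIZE}: truncated file or other layout")
    last_ts = 0
    for n in range(len(data) // UTMP_SIZE):
        rec = data[n * UTMP_SIZE:(n + 1) * UTMP_SIZE]
        if rec == bytes(UTMP_SIZE):
            findings.append(f"record {n}: zeroed out (possible deletion)")
            continue
        ts = struct.unpack(UTMP_FORMAT, rec)[TV_SEC_INDEX]
        if ts < last_ts:
            findings.append(f"record {n}: timestamp {ts} earlier than previous record ({last_ts})")
        last_ts = max(last_ts, ts)
    return findings


def sample_wtmp():
    """Constructed wtmp: two genuine logins with a third, wiped, record between them."""
    t0 = 1_441_900_000
    first = pack_record(USER_PROCESS, 1201, "pts/0", "alice", "10.0.0.5", t0)
    wiped = bytes(UTMP_SIZE)
    later = pack_record(USER_PROCESS, 1340, "pts/1", "bob", "10.0.0.9", t0 + 600)
    return first + wiped + later


if __name__ == "__main__":
    with open("/var/log/wtmp", "rb") as f:
        for finding in scan_wtmp(f.read()) or ["nothing deleted"]:
            print(finding)
```

Run it against a copy of /var/log/wtmp taken from the suspect disk rather than the live file, and check the record size first: if the size finding fires, the file comes from a system with a different struct utmp and every later finding is noise.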
Another piece of functionality that might be slightly alarming is the aliens test. This component looks for suspicious config files and network sniffer logfiles buried far, far away, deep in your filesystem, in the hiding places used by known rootkits and sniffers.
Finally, the chkproc tool is used to separate the wheat from the chaff and identify unwelcome processes that might be running on your machine. It's a clever addition that checks what the ps command can see and compares it with the entries in the /proc pseudo-filesystem, ringing a bell like a town crier if it finds something untoward. A rootkit that hides a process has to lie to both ps and the directory listing of /proc consistently, and chkproc also probes process IDs directly, so a process that the kernel still acknowledges but that has vanished from the listings stands out.
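The two comparisons chkproc makes, written out in Python as an added example that is not chkrootkit's code or the article's own. It assumes Linux (numeric /proc/<pid> directories and /proc/sys/kernel/pid_max) and a ps that accepts -eo pid=; the sample ps output and /proc listing at the bottom of the block are constructed, not captured.

```python
"""chkproc-style hidden-process check: what ps admits to vs. what /proc and the kernel know.

Added example, not chkrootkit's own code.  It assumes Linux (/proc/<pid> directories,
/proc/sys/kernel/pid_max) and a ps that accepts -eo pid=.  The sample ps output and
/proc listing at the bottom are constructed, not captured.
"""
import os
import subprocess


def pids_from_ps(ps_output):
    """Parse the output of 'ps -eo pid=' (one PID per line, right-aligned)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def pids_from_proc_listing(entries):
    """Keep only the numeric entries of a /proc directory listing (drop self, net, ...)."""
    return {int(e) for e in entries if e.isdigit()}


def pid_exists(pid):
    """Ask the kernel directly: kill(pid, 0) sends nothing and fails with ESRCH only
    when no such process exists; EPERM means it exists but belongs to someone else."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def hidden_from_ps(ps_pids, proc_pids):
    """PIDs present in /proc but missing from ps: a trojaned ps, or a userland
    (LD_PRELOAD) rootkit filtering its output."""
    return proc_pids - ps_pids


def hidden_from_proc(proc_pids, max_pid, probe=pid_exists):
    """PIDs the kernel acknowledges that are absent from the /proc listing.

    A kernel-module rootkit hooking readdir on /proc hides the directory entry but
    usually leaves the process reachable through other system calls, which is what
    the probe relies on.  'probe' is injectable so the logic can be tested offline.
    """
    return {pid for pid in range(1, max_pid + 1) if pid not in proc_pids and probe(pid)}


def scan_live():
    """Run both comparisons on this host.  Processes that start or exit between the
    snapshots show up as one-off differences, so repeat the scan before trusting a hit."""
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    proc_pids = pids_from_proc_listing(os.listdir("/proc"))
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    return {
        "in /proc but not in ps": hidden_from_ps(pids_from_ps(ps_out), proc_pids),
        "alive but not in /proc": hidden_from_proc(proc_pids, max_pid),
    }


# Constructed sample: ps has been made to omit PID 4242, which /proc still lists.
SAMPLE_PS_OUTPUT = "    1\n  412\n 1337\n"
SAMPLE_PROC_LISTING = ["1", "412", "1337", "4242", "self", "cpuinfo", "net"]

if __name__ == "__main__":
    for label, pids in scan_live().items():
        print(f"{label}: {sorted(pids) or 'none'}")
```

The brute-force half walks every PID up to pid_max (4194304 on current kernels), which costs a few seconds in Python; that is the price of not trusting the directory listing. Both halves are still only as good as the kernel's answers, so a rootkit that hooks kill() as well as readdir() defeats them, which is the manual's "far from foolproof" in practice.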
End Of File
In this article, I have barely begun to look at rootkits. It's an ever-evolving subject involving the usual cat-and-mouse chase between the good guys and the bad guys. Now that you are armed with new weaponry, I hope you can keep a closer eye on your machines. As you've seen, rootkits are very nasty trojan horse-style infections that can lie dormant for a relatively long period of time and then appear suddenly, biting you on the posterior.
Aside from knowing that your key system binaries are prone to compromise (and, as a result, being more aware of how important permissions and other security controls are), you should now be a little more familiar with the attack vectors that hackers consider. Admittedly, rootkit checkers won't save the day every time: a rootkit that the signatures don't cover, or one that sits in the kernel and filters what the checker sees, can pass unnoticed. If you do suffer a compromise that they catch, however, you'll know by the end of the same day that your machine has been infected, rather than several days or weeks later, when even more damage has been done.
For more information on chkrootkit, the website encourages you to join its mailing list using
echo "subscribe users <email-address>" | mail majordomo@chkrootkit.org
and points you to some relevant books on the subject as well [3].
Infos
- Chkrootkit: http://www.chkrootkit.org (accessed September 10, 2015)
- Source code: http://www.chkrootkit.org/download/
- Chkrootkit publications: http://www.chkrootkit.org/books