Root out rootkits
True Negatives
You can spend a moment disabling false positives by editing the /etc/chkrootkit.conf
file. As you can see in Figure 2, you don't have many default config settings to worry about.
The first setting lets you choose to execute the Chkrootkit command on a daily basis. If that setting is changed from "false"
to "true"
, you can peek inside the cronjob file /etc/cron.daily/chkrootkit
to inspect the conditions used to launch the scheduled task. The RUN_DAILY_OPTS
option tells Chkrootkit whether or not to produce output when a critical "INFECTED"
status, or similar condition, is found. The "-q"
here stands for "quiet."
If you wanted to receive the results of Chkrootkit tests every day by email, you could move the cron.daily/chkrootkit
file somewhere like the /usr/local/etc/
directory and add the line in Listing 4 – or something similar – to your /etc/crontab
or the root user's crontab
. Note that if chkrootkit complains, you might need to adjust the beginning of the command by replacing the file name and its full path with cd /usr/local/etc;
and then executing ./chkrootkit
from within that directory. The example shown in the listing triggers every day at 1:00am. (Add your email address.)
Listing 4
Addition to crontab for Chkrootkit
To get rid of one of the Python false positives in Listing 2, you can add this entry to the foot of the /etc/cron.daily/chkrootkit
file:
IGNORE="/usr/lib/pymodules/python2.7/.path"
After you've done that, try a test run to see if you're still getting false positives. Incidentally, if you want to peer into the innards of Chkrootkit, you'll find the -x
option fascinating. Expert mode does put the onus entirely on the user to interpret the output, but it's very useful to run at least once. The -x
option dutifully lists the suspicious entries that Chkrookit searches for inside the binaries it scans. To handle the large amount of output, you can read it as follows:
chkrootkit -x | less
If you only want to see which paths are checked, the manual helpfully offers this solution:
chkrootkit -x | egrep '^/'
You are also advised to mount a potentially infected drive to another machine so that you can inspect its content safely with the command:
chkrootkit -r /infected_disk-mountpoint
The chkrootkit package includes a few other tools that are also executed when the chkrootkit
script runs. Among its other clever functionality, Chkrootkit will alert you as to whether your Network Interface Card (NIC) is set to listen in "Promiscuous Mode"; that is, your NIC is configured to listen for traffic that is not necessarily destined for your machine but is in fact visible on the network link to which it's connected.
Good, old network hubs were renowned for shouting loudly about everyone's traffic, but thankfully it's not as big a deal these days. Modern switched networks dutifully segment network traffic in a more secure fashion. However, you can achieve some interesting results from the ifpromisc
tool included in the Chkrootkit package, even if your machine is connected to a switch.
Unless you know that a valid service (e.g., a network sniffer) has purposely configured your NIC to flaunt itself all over the network, you should probably be concerned if it is found to be running in Promiscuous Mode.
A malevolent attacker's modus operandi is to cover his tracks to avoid detection. One of the logging systems used on Unix-type systems resides in the wtmp
(all logins and logouts) and lastlog
(most recent logins) functionality.
With that in mind, you shouldn't be entirely surprised to hear that Chkrootkit also includes the chkwtmp
and chklastlog
tools to look for deleted entries in logfiles. Be warned that the manual makes an effort to remind you that all it can do is try to detect these altered logfiles and that these checks are far from foolproof.
Another piece of functionality that might be slightly alarming is the aliens
test. This component apparently looks for any suspicious config files and network sniffer logfiles buried far, far away, deep into your filesystem.
Finally, the chkproc
tool is used to separate the wheat from the chaff to identify unwelcome processes that might be running on your machine. It's a clever addition that checks what the ps
command can see and then compares it to the /proc
pseudo-filesystem entries, ringing a bell like a town crier if it finds something untoward.
End Of File
In this article, I have barely begun to look at rootkits. It's an ever-evolving subject involving the common cat and mouse chase between the good guys and the bad guys. Because you are now armed with new weaponry, I hope you can keep a closer eye on your machines. As you've seen, rootkits are very nasty trojan horse-style infections that can lie dormant for a relatively long period of time and then appear suddenly, biting you on the posterior.
Aside from knowing that your key system binaries are prone to compromise (and, as result, making you more aware of how important permissions and other security controls are), you should at least now be a little more familiar with the attack vectors that hackers consider. Admittedly, rootkit checkers won't save the day every time. If you do suffer a compromise, however, you'll probably know by the end of the same day that your machine has been infected and not several days or weeks later, when even more damage has been done.
For more information on Chkrootkit, the website encourages you to join its mailing list using
echo "subscribe users <email-address>" | mail majordomo@chkrootkit.org
and points you to some relevant books on the subject, as well [3].
Infos
- Chkrootkit: http://www.chkrootkit.org (accessed September 10, 2015)
- Source code: http://www.chkrootkit.org/download/
- Chkrootkit publications: http://www.chkrootkit.org/books
« Previous 1 2
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.
-
ZorinOS 17.1 Released, Includes Improved Windows App Support
If you need or desire to run Windows applications on Linux, there's one distribution intent on making that easier for you and its new release further improves that feature.
-
Linux Market Share Surpasses 4% for the First Time
Look out Windows and macOS, Linux is on the rise and has even topped ChromeOS to become the fourth most widely used OS around the globe.
-
KDE’s Plasma 6 Officially Available
KDE’s Plasma 6.0 "Megarelease" has happened, and it's brimming with new features, polish, and performance.
-
Latest Version of Tails Unleashed
Tails 6.0 is based on Debian 12 and includes GNOME 43.
-
KDE Announces New Slimbook V with Plenty of Power and KDE’s Plasma 6
If you're a fan of KDE Plasma, you'll be thrilled to hear they've announced a new Slimbook with an AMD CPU and the latest version of KDE Plasma desktop.
-
Monthly Sponsorship Includes Early Access to elementary OS 8
If you want to get a glimpse of what's in the pipeline for elementary OS 8, just set up a monthly sponsorship to help fund its continued existence.